A team uses Copilot to generate remediation pull requests. Automated tests can run without approval, but deploying the Copilot-generated change to production must wait for an authorized reviewer because the job can access production secrets. Which option completes the workflow?
name: copilot-pr-release
on:
pull_request:
branches:
- main
permissions:
contents: read
pull-requests: read
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm ci
- run: npm test
deploy-production:
needs: validate
runs-on: ubuntu-latest
(Missing value 1): production
steps:
- uses: actions/checkout@v4
- name: Deploy service
env:
DEPLOY_TOKEN: (Missing value 2)
(Missing value 3): ./scripts/deploy-prod.shChoose an answer
Tap an option to check your answer.
Correct answer: Missing value 1 = environment Missing value 2 = ${{ secrets.DEPLOY_TOKEN }} Missing value 3 = run.
Why this is the answer
The correct option uses environment: production to enforce the required manual approval for deploying to production. GitHub Actions environments allow defining rules like required reviewers and secret access. secrets.DEPLOYTOKEN correctly accesses a repository secret, which is the secure way to handle sensitive information like deployment tokens. run: ./scripts/deploy-prod.sh executes the deployment script. Incorrect options: vars.DEPLOYTOKEN is for configuration variables, not sensitive secrets. uses is for invoking actions, not running shell scripts. concurrency manages job execution limits, not environment protection. permissions defines access for the workflow itself, not for environment-specific rules or secret access.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed