A team wants a deployment workflow that builds an agent-generated change with read-only repository access, then pauses before production deployment so an approved reviewer can inspect the output. The production environment has required reviewers configured.
name: guarded-production-deploy
on:
pull_request:
branches:
- main
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm ci
- run: npm test
deploy:
needs: build
runs-on: ubuntu-latest
environment: production
permissions:
contents: read
deployments: write
steps:
- run: ./scripts/deploy.sh
Evaluate the following statements.
1. The build job uses a least-privilege repository access model for checkout and tests.
2. The deploy job can access production environment secrets before required reviewer approval.
3. The deploy job scopes elevated deployment permission to the job that needs it.Choose an answer
Tap an option to check your answer.
Correct answer: 1=Yes 2=No 3=Yes.
Why this is the answer
Statement 1 is Yes. The build job explicitly sets permissions: contents: read, adhering to the principle of least privilege by only requesting the necessary read access for checkout and running tests. Statement 2 is No. The deploy job targets the production environment, which has required reviewers configured. GitHub Actions environments with required reviewers will pause the workflow and prevent access to environment secrets until an approved reviewer grants permission, ensuring secrets are not exposed prematurely. Statement 3 is Yes. The deploy job explicitly defines permissions: deployments: write, scoping this elevated permission only to the job that requires it for deployment, rather than granting it globally to the entire workflow. This is a best practice for security.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed