A team wants a manual evidence workflow for reviewing Copilot-created pull requests. The workflow must run only when a reviewer starts it, record the triggering user, pull request number, and commit SHA, and upload the evidence as an artifact without granting write access. Which option completes the workflow?
name: collect-agent-review-evidence
on:
(Missing value 1):
inputs:
pr_number:
description: Pull request number under review
required: true
type: string
permissions:
contents: (Missing value 2)
actions: read
jobs:
evidence:
runs-on: ubuntu-latest
steps:
- name: Build trace file
run: |
mkdir -p evidence
{
echo "reviewer=${{ github.actor }}"
echo "pr_number=${{ inputs.pr_number }}"
echo "workflow_run=${{ github.run_id }}"
echo "sha=${{ github.sha }}"
} > evidence/agent-review.txt
- name: Upload trace artifact
uses: (Missing value 3)
with:
name: agent-review-evidence
path: evidence/agent-review.txtChoose an answer
Tap an option to check your answer.
Correct answer: Missing value 1 = workflow_dispatch Missing value 2 = read Missing value 3 = actions/upload-artifact@v4.
Why this is the answer
The correct option enables a manual, on-demand workflow that records specific details and uploads them as an artifact with appropriate permissions. Missing value 1: workflowdispatch is correct because the requirement states the workflow must run "only when a reviewer starts it," which is precisely what workflowdispatch allows by providing a manual trigger with input parameters. pullrequest triggers on PR events, push on code pushes, and workflowcall is for reusable workflows, not direct manual triggering. Missing value 2: read for contents permission is correct. The workflow only needs to read repository content (like github.sha) and upload an artifact; it does not modify the repository itself. write permission would be overly permissive and violate the principle of least privilege. Missing value 3: actions/upload-artifact@v4 is correct because the requirement is to "upload the evidence as an artifact." This action is specifically designed for that purpose. actions/cache@v4 is for caching dependencies, github/codeql-action/upload-sarif@v3 is for uploading SARIF files, and actions/download-artifact@v4 is for downloading, not uploading.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed