An organization allows Copilot cloud agent to create draft pull requests for normal application changes. Security policy requires code scanning to run on pull requests to main, and the same required check must run for merge queue entries. The workflow should not grant write access unless it is required. Which option completes the workflow?
name: agent-security-gate
on:
(Missing value 1):
branches:
- main
(Missing value 2):
permissions:
contents: read
(Missing value 3): write
jobs:
codeql:
name: codeql
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v4
with:
languages: javascript-typescript
- uses: github/codeql-action/analyze@v4Choose an answer
Tap an option to check your answer.
Correct answer: Missing value 1 = pull_request Missing value 2 = merge_group Missing value 3 = security-events.
Why this is the answer
The correct answer ensures the workflow triggers appropriately and has the necessary permissions. pullrequest for Missing value 1 triggers the workflow on pull request activity, which is essential for scanning changes before they merge to main. mergegroup for Missing value 2 triggers the workflow when a pull request enters a merge queue, satisfying the requirement for scanning merge queue entries. security-events: write for Missing value 3 grants the minimum necessary permission for CodeQL to upload its scan results to GitHub Security tab, adhering to the principle of least privilege. Incorrect options: push for Missing value 1 would trigger after the merge, not on the pull request, missing the pre-merge scanning requirement. workflowdispatch is manual and doesn't automate the required checks. pull-requests: write is not a valid permission scope. pullrequesttarget for Missing value 1 runs in the context of the base repository, which is not needed here and can be a security risk if not carefully configured. schedule is for time-based triggers, not PRs or merge queues. contents: write is too broad and not specific to security events. workflowdispatch for Missing value 1 is manual. checks: write is not the correct scope for CodeQL results.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed