Microsoft DevOps Engineer Expert AZ-400 Practice Question
You are designing a GitHub Actions workflow for a private organization-owned repository. The workflow must:
- push code changes back to its own repository branches, and
- call the GitHub REST API to open an issue in another private repository within the same organization.

You must follow least-privilege principles and avoid storing long-lived credentials in the workflow file. Which authentication approach should you implement?
Add an SSH deploy key to the repository and configure the workflow to use the key for both Git operations and REST API calls.
Create a fine-grained personal access token scoped to the organization and store it as an encrypted repository secret.
Register an organization-wide GitHub App with the required minimal permissions and authenticate the workflow by requesting its short-lived installation access token at run time.
Use the automatically generated ${{ secrets.GITHUB_TOKEN }} with its default permissions.
A GitHub App that is installed at the organization level can be granted only the repository permissions the workflow needs and issues a short-lived (1-hour) installation access token at run time. The token allows the workflow to interact with any repositories where the app is installed, satisfying the requirement to create an issue in a second repository while still enabling pushes to the current repository. The automatically generated GITHUB_TOKEN is short-lived but is restricted to the single repository that contains the workflow, so it cannot access the second repository. A fine-grained personal access token can be scoped narrowly, but it is still a user-bound secret that lives for up to one year and must be stored as a secret, which violates the "avoid long-lived credentials" constraint. An SSH deploy key is limited to Git operations on the single repository to which it is added and cannot authenticate REST API calls across multiple repositories.
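The GitHub App approach described above, as an added example workflow that is not part of the original question. The repository name `tracking-repo`, the `APP_ID` variable, the `APP_PRIVATE_KEY` secret, the bot identity and the file `last-run.txt` are assumptions; the app is assumed to be registered with only Contents: write and Issues: write and installed on both repositories.

```yaml
# Added example. Names marked "assumed" are placeholders, not values from the page.
name: push-and-open-issue
on:
  workflow_dispatch:  # manual trigger: pushes made with an app token can start other workflows

# The built-in GITHUB_TOKEN is not needed by any step, so it gets no permissions.
permissions: {}

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      # Exchange the app credentials for an installation access token (valid 1 hour)
      # that is limited to the two repositories this job touches.
      - name: Request installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}                    # assumed variable name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}   # assumed secret name
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }},tracking-repo

      # checkout stores the token in the local git config, so the later push uses it.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Commit and push to this repository
        run: |
          git config user.name "example-app[bot]"    # assumed bot identity
          git config user.email "example-app[bot]@users.noreply.github.com"
          date -u > last-run.txt                      # assumed file
          git add last-run.txt
          git commit -m "Record workflow run"
          git push

      # REST call to the second repository, authenticated with the same token.
      - name: Open issue in the second repository
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          OWNER: ${{ github.repository_owner }}
        run: |
          gh api --method POST "repos/$OWNER/tracking-repo/issues" \
            -f title="Automated sync completed" \
            -f body="Opened by the workflow using a GitHub App installation token."
```

The app's private key still sits in an encrypted secret; only the derived one-hour token is used for the Git push and the REST call.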
Develop a security and compliance plan