Microsoft DevOps Engineer Expert AZ-400 Practice Question
Your organization runs an on-premises build system that must periodically clone a set of private GitHub repositories and pull container images from your private GitHub Container Registry (GHCR). Security policy requires the following:
Credentials must rotate automatically with a maximum lifetime of 60 minutes.
Access must be restricted to read-only operations on the specified repositories and packages.
No long-lived personal credentials may be stored on the build server.
Which authentication method best meets these requirements?
Add an SSH deploy key to each repository and use it for both Git operations and GHCR pulls.
Use the repository's default GITHUB_TOKEN secret inside the build process.
Generate a fine-grained personal access token with repo and packages read scopes and store it as an environment variable on the server.
Create a GitHub App with read-only contents and packages permissions, and have the build server request an installation access token at job start.
An installation access token generated from a GitHub App is short-lived (one hour by default), can be scoped to specific repositories, and its permissions (for example, contents:read and packages:read) are defined centrally in the App configuration. The token is generated programmatically when the build begins, so no long-lived secrets are stored on the server.
The default GITHUB_TOKEN only exists inside GitHub Actions runners and therefore cannot be used by an external build server. A fine-grained personal access token is long-lived and must be rotated manually, violating policy. A deploy key provides read-only Git access but cannot authenticate to GHCR and is also an SSH key that does not rotate automatically.
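The following Python is an added example, not part of the original question or any GitHub code. It builds the installation access token request described above and checks a token response against the three policy requirements. The installation ID, repository names and sample responses are constructed. Signing the App JWT (RS256) and sending the HTTP request are assumed to happen elsewhere.

```python
import json
from datetime import datetime, timedelta, timezone

API = "https://api.github.com"
READ_ONLY = {"contents": "read", "packages": "read"}  # permissions named in the explanation
MAX_LIFETIME = timedelta(minutes=60)                   # policy limit from the question

def app_jwt_claims(app_id, now):
    """Claims for the short-lived JWT the App signs (RS256) with its private key."""
    ts = int(now.timestamp())
    # Back-date iat for clock drift; keep exp under GitHub's 10-minute ceiling.
    return {"iat": ts - 60, "exp": ts + 540, "iss": str(app_id)}

def token_request(installation_id, repos):
    """URL and JSON body asking for a token narrowed to named repos, read-only."""
    url = f"{API}/app/installations/{installation_id}/access_tokens"
    return url, json.dumps({"repositories": sorted(repos), "permissions": READ_ONLY})

def policy_violations(response, allowed_repos, now):
    """Check an access-token response against the question's policy requirements."""
    problems = []
    expires = datetime.strptime(response["expires_at"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires - now > MAX_LIFETIME:
        problems.append("lifetime exceeds 60 minutes")
    for name, level in response.get("permissions", {}).items():
        if level != "read":
            problems.append(f"permission {name} is {level}, not read")
    if response.get("repository_selection") != "selected":
        problems.append("token is not limited to selected repositories")
    extra = {r["name"] for r in response.get("repositories", [])} - set(allowed_repos)
    if extra:
        problems.append(f"unexpected repositories: {sorted(extra)}")
    return problems

# Constructed sample responses (placeholder token, hypothetical repository names).
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
GOOD = {"token": "ghs_EXAMPLE", "expires_at": "2024-01-01T13:00:00Z",
        "permissions": {"contents": "read", "packages": "read", "metadata": "read"},
        "repository_selection": "selected",
        "repositories": [{"name": "build-tools"}, {"name": "service-api"}]}
BAD = dict(GOOD, expires_at="2024-01-01T14:00:00Z",
           permissions={"contents": "write"}, repository_selection="all")

if __name__ == "__main__":
    print(token_request(12345, ["service-api", "build-tools"]))
    print(policy_violations(GOOD, {"build-tools", "service-api"}, NOW))
    print(policy_violations(BAD, {"build-tools"}, NOW))
```

Running the check at job start, before the token is handed to Git or the container client, lets the build fail closed if the App's permissions or repository selection have drifted from policy.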
Microsoft DevOps Engineer Expert AZ-400
Develop a security and compliance plan