🔒 Secrets & Security - GH-ACTIONS Practice Questions

Manage secrets, environment protection, OIDC, permissions, and security best practices for GitHub Actions.

3 Questions Available
1 Exam Domain


GH-ACTIONS Security Question Bank (3 Questions)

Browse all 3 practice questions covering Secrets & Security for the GH-ACTIONS certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1 (Author and Manage Workflows)

    What is the GITHUB_TOKEN in GitHub Actions?

    A. A personal access token that must be created manually before each run
    B. An automatically generated token with scoped permissions for the workflow run
    C. An organization secret shared across all repositories
    D. A deploy key for pushing to the repository
    Correct Answer: B
    Explanation:

    GITHUB_TOKEN is automatically created at the start of every workflow run. It has permissions scoped to the repository and expires when the run finishes.

  2. Question 2 (Manage Actions and Workflows)

    How do you manage workflow permissions and security?

    A. Default admin permissions
    B. Configure GITHUB_TOKEN permissions (read/write per scope), use environment protection rules, pin actions to SHA, limit workflow trigger access, and audit with the security log
    C. No security controls
    D. Only secret management
    Correct Answer: B
    Explanation:

    Security: minimize GITHUB_TOKEN permissions (the permissions: key in the workflow), pin actions to a full commit SHA rather than a mutable tag (the @abc123 form stands in for the full hash), use Dependabot to keep pinned actions updated, apply environment protection rules, restrict workflows triggered from fork pull requests, require reviews for workflow changes, and monitor the audit log.

  3. Question 3 (Author and Maintain Workflows)

    What are workflow permissions and the GITHUB_TOKEN?

    A. An admin token
    B. GITHUB_TOKEN: an automatically generated per-workflow-run token with configurable permissions (read/write for contents, issues, PRs, packages, etc.) scoped to the repository
    C. A personal token
    D. A deployment key
    Correct Answer: B
    Explanation:

    GITHUB_TOKEN is auto-generated, scoped to the repository, and expires after the job. Its permissions are configurable in the workflow YAML (the permissions: key) or in the organization default settings. The levels are read-all, write-all, or per-scope (for example contents: read, issues: write, pull-requests: write). Best practice is least privilege (permissions: contents: read). The token cannot trigger other workflows or access other repositories; use a PAT for that.

Key Security Concepts for GH-ACTIONS

secrets, oidc, permissions, security, token, environment protection

GH-ACTIONS Security Exam Tips

Secrets & Security questions in GH-ACTIONS are typically scenario-based. Focus on service-level decision making aligned to official exam objectives. Priority concepts: secrets, oidc, permissions, security, token, environment protection.

What GH-ACTIONS Expects

  • Anchor your answer in the most practical, secure, and scalable option for the stated scenario.
  • Security scenarios for GH-ACTIONS are frequently mapped to Domain 4 (20%), so read the objective carefully before picking controls or architecture.
  • Expect multi-service scenarios where Security interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Intermediate) and managed-service best practices.

High-Value Security Concepts

  • Know the core Security building blocks cold: secrets, oidc, permissions, security.
  • Review the edge-case features and limits for token, environment protection; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Security pairs with CI/CD and Workflow Syntax in real deployment patterns.
  • For GH-ACTIONS, explain why the chosen Security design meets reliability, security, and cost expectations better than the alternatives.

Common GH-ACTIONS Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in Manage GitHub Actions Features often include distractors that look correct for Security but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Security implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Manage GitHub Actions Features (20%) outcomes for GH-ACTIONS?
  • Can you explain security and access boundaries for Security without relying on default-open assumptions?
  • Can you describe how Security integrates with CI/CD and Workflow Syntax during failure, scaling, and monitoring events?
