1. What is the best way to allow a terminal agent to perform a low-risk, read-only task like summarizing recent commits without granting broad capabilities?
   a) Allow all tools so the agent never prompts for approval
   b) Scope tool access to only what is required for read-only Git inspection
   c) Grant write access by default and rely on audits afterward
   d) Deny all shell access and require manual copy/paste of commit history

2. Which GitHub-native control is most effective for requiring explicit approval before production workflows access production secrets?
   a) A PR template that asks for review
   b) A repository README policy statement
   c) A protected environment with required reviewers
   d) A label applied by the agent

3. What is the recommended least-privilege pattern for GITHUB_TOKEN permissions in agent-driven workflows?
   a) Set write permissions globally so any job can push if needed
   b) Default to read-only and elevate permissions only for the job that performs write operations
   c) Disable permissions entirely and store a PAT in the repository
   d) Grant all permissions during business hours only

4. Which configuration helps prevent overlapping production deployments and cancels in-progress deployments when a newer run starts?
   a) Using larger runners
   b) Adding more approvals
   c) Concurrency with a shared group and cancel-in-progress
   d) Disabling workflow_dispatch

5. What is the best GitHub-native mechanism to route required review for sensitive paths like .github/workflows/ and infra/?
   a) Asking reviewers in chat
   b) CODEOWNERS (with required reviews policy)
   c) Adding labels and milestones
   d) Squashing commits before merge