6 - Implement guardrails and accountability (GH-600)

Risk-based autonomy model. Low. Medium. High. Critical.

Which command is used to pass data as an output from a specific step within a GitHub Actions job?. echo "key=value" >> "$GITHUB_OUTPUT". set-output name=key::value. export key=value. echo "key=value" >> "$GITHUB_ENV".

When sharing data across different jobs in a workflow, where must the output first be defined to be accessible by a dependent job?. Directly in the 'steps' of the dependent job. In the 'env' context at the workflow level. In the 'jobs.<job_id>.needs' configuration. In the 'outputs' section of the job that produced the data.

Which GitHub context should be used for centrally managed configuration values that are designed to be reused across different workflows?. vars.*. github.*. env.*. secrets.*.

What is the primary purpose of 'defensive gating' using a job-level 'if' condition in a workflow triggered by multiple events?. To bypass the need for environment approvals in manual runs. To automatically merge branches that pass all status checks. To hide the workflow logs from users who do not have write access. To ensure PR-specific actions only execute when the run is actually tied to a pull request event.

In the context of workflow reliability, why should downstream jobs treat information from upstream jobs as an 'explicit output' rather than 'just logs'?. Logs are automatically deleted after a workflow completes, making them inaccessible. Outputs are encrypted by default, whereas logs are always plain text. Explicit outputs create a workflow contract that is structured and reliable for automated consumption. GitHub Actions limits the number of characters that can be printed to logs.

Environment variables (env) should be used as the primary mechanism for passing structured data between different jobs in a workflow. True. False.

Which key in a job definition triggers a pause in execution until a authorized reviewer grants permission?. needs. if. on. environment.

In the context of agent execution, what serves as the primary mechanism for architectural control in GitHub?. Local repository merges. Commit messages. Pull requests. Direct branch commits.

What is the standard file path used to define a pull request template for consistent plan reporting?. config/pr_template.txt. templates/pull_request.md. .github/workflows/pr_style.md. .github/pull_request_template.md.

In the provided PR template example, which section is specifically intended for providing workflow runs or scan results?. Review checklist. Plan. Success criteria. Evidence.

What logic does the 'Plan Gate' GitHub Action use to validate that a PR includes a structured plan?. It verifies the existence of the pull_request_template.md file. It checks if the PR description matches a specific regex pattern. It confirms that a human has commented on the PR. It scans the code for security vulnerabilities.

How can a repository administrator ensure that the 'Plan Gate' check is mandatory for all merges?. By including it in the PR template markdown. By adding it to the CODEOWNERS file. By using repository rulesets or branch protection rules. By setting the workflow to run on 'push' events.

According to the source material, what is the consequence of an agent bypassing required checks or reviews?. The agent operates with higher efficiency. The PR will be automatically deleted. The architecture loses its primary safety mechanisms. GitHub will automatically disable the repository.

A pull request template can be used to require a 'Rollback / escalation plan' from an agent. True. False.

Which GitHub feature can require explicit approval before workflows are allowed to run on agent-generated changes?. Environment gates/GitHub settings. The Plan Gate script. The Success Criteria section. CODEOWNERS.