Exam AZ-400 topic 4 question 60 discussion

Answer is correct. https://docs.github.com/en/actions/security-guides/encrypted-secrets "To use secrets that are larger than 48 KB, you can use a workaround to store encrypted secrets in your repository and save the decryption passphrase as a secret on GitHub." Because it requires less administrative privilege it's at repository level

Gemini, chatgpt and copilot all selected B. Option C involves encrypting the secret value manually and storing both the encrypted value and the decryption key in the repository-level GitHub secrets. While this approach can work, it introduces additional complexity and administrative effort

C. Encrypt the secret value and store the value in the repository. Store the decryption key in the repository-level GitHub secrets. M

C. Encrypt the secret value and store the value in the repository. Store the decryption key in the repository-level GitHub secrets. M

As the secret size is greater than 48 kb.

I choose B because Repository-level GitHub secrets are encrypted and stored in the repository settings, and can be accessed by GitHub Actions scripts by name, much like environment variables. Repository-level GitHub secrets are accessible only to the workflow that runs on the same repository, and cannot be accessed by other workflows or users. Repository-level GitHub secrets are easy to create and manage from the repository settings panel, and do not require any additional encryption or decryption steps. Repository-level GitHub secrets are more secure and convenient than storing the secret value or the decryption key in the repository, which could expose them to unauthorized access or leakage. Repository-level GitHub secrets are more granular and specific than organization-level GitHub secrets, which apply to all repositories inside the organization and may not be suitable for every workflow.

C is the answer. https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository

The best solution to store and encrypt the secret is to encrypt the secret value and store the value in the repository. Store the decryption key in the repository-level GitHub secrets. This solution minimizes administrative effort because it only requires you to create one secret in the repository. The secret value is encrypted and stored in the repository, so it is not accessible to anyone who does not have access to the repository. The decryption key is stored in the repository-level GitHub secrets, so it is only accessible to the workflow.

According to IA: B. Store the secret in the repository-level GitHub secrets. This option allows you to store sensitive information, such as access tokens, in your repository. The secrets that you create are available to use in GitHub Actions workflows and are encrypted before they reach GitHub and remain encrypted until you use them in a workflow1. This option also minimizes administrative effort because you do not need to encrypt or decrypt the secret value yourself or manage the decryption key.

C. Secret is larger than 48 KB so a workaround needs to be done as per https://docs.github.com/en/actions/security-guides/encrypted-secrets#storing-large-secrets

GPT: For an exam question, the best answer would be the one that most accurately and comprehensively addresses the requirements stated in the question. In this case, the question specifically states that the secret value must be encrypted, so the recommended solution should include encryption. Based on that, option C would be the most appropriate answer for an exam question. However, it's important to note that in real-world scenarios, the best solution may depend on various factors such as the organization's security policies, infrastructure, and workflows.

Storing the secret in the repository-level GitHub secrets ensures that the secret is encrypted and accessible only to the GitHub Actions running in the same repository. This method also minimizes administrative effort, as secrets can be added and managed directly in the repository settings. Storing secrets at the repository level provides better access control and ensures that only workflows within the same repository can access those secrets.

https://docs.github.com/en/actions/security-guides/encrypted-secrets

The answer is "C. Encrypt the secret value and store the value in the repository. Store the decryption key in the repository-level GitHub secrets." The question mentions that the secret has to be available olny for this workflow. Putting the secret on the organiztional level would expose it for all other repos (and possibly workflows).

"For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets." "For secrets stored at the environment level, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers." So the organization level has less effort. The question is about effort, not privilege.