A platform team wants every repository in an organisation to run the same security-scanning logic, with a single central definition that all repositories call rather than copy, so that fixing a bug in one place immediately updates all consumers. Which GitHub Actions component should the team author to govern this shared logic centrally?
- A. A starter workflow published from the organisation .github repository, because selecting it seeds each repository with the scanning logic so every team runs an identical copy of the security checks.
- B. A composite action stored in a shared action repository, because bundling the scanning steps into one action lets every workflow reference the same security logic from a single source of truth.
- C. A reusable workflow called through the uses key at job level, because consumers reference the central definition by path and a fix made there takes effect for every repository that calls it. (Correct)
- D. A workflow template uploaded through the organisation settings page, because the organisation then pushes the security-scanning definition to every repository automatically without each team referencing it.
Why A is wrong: Tempting because starter workflows standardise how new repositories begin, but selecting one copies the file into the repository, so a later central fix does not propagate to the copies already created.
Why B is wrong: Tempting because a composite action does centralise a sequence of steps, but it slots inside a job's steps rather than defining whole jobs, so it cannot govern an end-to-end shared workflow on its own.
Why C is correct: A reusable workflow lives in one repository and is referenced through uses at job level, so consumers run the central definition itself and any fix there immediately reaches every repository that calls it.
Why D is wrong: Tempting because organisation settings hold many shared resources, but templates are not uploaded there and GitHub does not auto-push a definition into every repository; sharing is done through repositories and the uses key.