What is a pull request review workflow, and what gates would you require?
CI/CD & GitOps · Intermediate level
Answer
A pull request review workflow is the controlled path for changing shared code. I require automated tests, security scans, required reviewers, CODEOWNERS for sensitive areas, conversation resolution, branch protection, and clear approval before merging to main.
Technical explanation
A gate should be placed after objective validation, not used as a substitute for testing.
Approval metadata should be retained with the pipeline run, change request, and deployment audit trail.
Branch protection is effective only when admins cannot bypass it casually and required checks are stable.
CODEOWNERS review works best with clear ownership boundaries and small, maintainable path patterns.
GitHub delivery controls combine repository settings, branch protection, required status checks, environments, CODEOWNERS, and workflow permissions.
Use least-privilege permissions for the GITHUB_TOKEN and prefer OIDC federation over long-lived cloud access keys.
Hands-on example
1. Implement the pull request review workflow and its gates in a GitHub repository that contains a simple service and .github/workflows/ci.yml.
2. Create a workflow triggered on pull_request with build, test and scan jobs; set the workflow-level permissions to contents: read and grant write scopes only to the individual jobs that truly need them.
3. Add branch protection on main requiring the CI workflow, at least one approval, CODEOWNERS review for protected paths, conversation resolution, and no direct pushes.
4. Use environments for staging/prod with required reviewers and environment secrets; prefer OIDC cloud login over storing AWS/Azure/GCP access keys.
5. Validate by opening a PR that fails one required check and confirm GitHub blocks merge until the check passes and required reviewers approve.
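Steps 2 and 4 as one workflow file, added here as an illustration rather than taken from the page: the Makefile targets, the results.sarif path and the IAM role ARN are assumed placeholders, and a push trigger on main is added so the environment-gated deploy job has an event to run on.

```yaml
# .github/workflows/ci.yml (example; the Makefile targets and role ARN are assumed)
name: ci
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]          # assumed: lets the deploy job run after a merge
permissions:
  contents: read              # default for every job; jobs opt in to more below
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build       # assumed Makefile target
  test:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      - run: make test        # assumed Makefile target
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # only this job may upload SARIF findings
    steps:
      - uses: actions/checkout@v4
      - run: make scan        # assumed to write results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
  deploy-staging:
    # Runs only after a merge to main; the staging environment adds its own
    # required reviewers and holds the environment secrets.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [build, test, scan]
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
      id-token: write         # mints the OIDC token; no stored cloud access keys
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-deploy-role
          aws-region: us-east-1
      - run: make deploy ENV=staging   # assumed Makefile target
```

Branch protection on main (step 3) is repository configuration, not workflow code: list the build, test and scan jobs above as required status checks so a failing job blocks the merge.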