The correct option is Publish organization-wide reusable workflows and starter templates that include approved security controls and checks.

This approach centralizes the definition of secure pipeline logic so every repository can invoke the same vetted jobs and steps. Reusable workflows let you update one place and have changes propagate across all adopters which reduces drift and keeps controls consistent. Starter templates seed new repositories with the approved checks so teams begin compliant and stay aligned as they build.

It also makes enforcement practical because you can require teams to call the centrally maintained workflow and you can pair this with organization policies and repository rules to limit unapproved actions and to require pinned action versions. This reduces risk while preserving developer productivity.

Migrate pipelines to Cloud Build to gain centralized policy governance is not the most effective choice because it replaces GitHub Actions rather than standardizing it. This would introduce migration effort and tool fragmentation and it would not address how to keep existing workflow files consistent inside GitHub.

Configure organization environment variables to impose policy restrictions on every repository is incorrect because variables carry data and do not enforce behavior or security controls. They cannot mandate steps or checks which is what the compliance office needs.

Require code reviews with CODEOWNERS for any changes to workflow files in every repository improves oversight but it only gates changes to individual repositories and it does not provide a shared implementation of required controls. Reviews can still approve divergent logic which fails to ensure consistency across 28 repositories.

Full AWS Practitioner Certification Question