The correct option is Grant workflows in selected private repositories permission to use an action stored in a separate private repository within the organization. This allows teams to reuse the action across multiple private repositories while keeping the code private and under centralized control.

This approach uses GitHubs built in support for private actions that can be shared to specific repositories in the same organization. You store the action in one private repository and then explicitly allow selected repositories to reference it with the normal uses syntax. Governance remains centralized because updates and reviews happen in a single place and access is restricted to only those repositories you approve.

Convert the action to a container image and push it to Artifact Registry, then reference the image directly from workflows is not the best solution because direct docker image references in the uses field are designed for publicly accessible images and do not provide an easy or supported way to authenticate to a private Google Artifact Registry. It also removes the benefits of action metadata and versioning that GitHub provides and it complicates security and maintenance.

Host the action in a public repository and enforce branch protection and required reviews to control changes violates the stated security policy that forbids publishing the action. Making the repository public would expose the action code to everyone which conflicts with the requirement to keep it private.

Copy the action code into each repository and include it directly in the workflow definitions creates duplication and maintenance risk because every fix must be propagated to many places and repositories can drift out of sync. It is harder to govern and audit changes compared to a single shared private source.

Full AWS Practitioner Certification Question