The correct option is Enable enterprise Copilot policy enforcement and disallow suggestions from public code then grant seats only to selected teams.

This approach uses enterprise level Copilot policy controls to centrally enforce security requirements across all organizations and repositories under the enterprise. You can block suggestions that match public code to satisfy the requirement that code suggestions must not be sourced from public repositories. You can also control access by assigning Copilot seats only to selected teams so only designated groups can use the service.

Manage Copilot settings at the organization and apply repository rules to each project is incorrect because Copilot policy is not managed through repository rules and repository level configuration cannot reliably enforce the public code restriction or access control requirement across the enterprise.

Create a GitHub Actions workflow that enforces Copilot configuration on every repository is incorrect because GitHub Actions cannot change Copilot enterprise or organization policy settings and workflows do not govern Copilot seat assignment or public code suggestion controls.

Use Google Cloud Organization Policy to restrict public code and apply IAM roles to teams is incorrect because external cloud organization policies do not control GitHub Copilot behavior and IAM roles in Google Cloud cannot manage Copilot seats or suggestion policies within GitHub.

Full AWS Practitioner Certification Question