50 GitHub Administration Practice Questions: Question Bank 2025

Your organization wants to ensure all repositories can only be created as private by default, while still allowing administrators to change visibility when needed. Where should you configure this setting?

You need to grant a contractor access to only one repository in your GitHub organization for two weeks. What is the most appropriate approach?

An enterprise policy requires multi-factor authentication (MFA) for all organization members. Which action best enforces this requirement?

A team wants to ensure every pull request requires at least one approval before merging into the main branch. What feature should you configure?

Your enterprise uses GitHub Enterprise Cloud. You want to ensure that Actions workflows can only run using approved actions from GitHub Marketplace and actions within your organization. Which configuration best meets this requirement?

You are investigating a potential data exposure. You need to determine whether a former employee cloned a private repository before they were removed from the organization. Which GitHub feature is most relevant?

You want to enforce that all repositories in an organization include a SECURITY.md file and a pull request template. What is the recommended approach?

A workflow in a repository fails with an error indicating it cannot access organization secrets. The workflow runs on pull_request events from forks. What is the most likely cause?

Your enterprise requires that only managed corporate identities can authenticate to GitHub, and access must be removed automatically when an employee leaves. What is the best design?

A security team needs to allow Dependabot to open pull requests only if the updated dependency passes required status checks, and to prevent merging if checks fail. Which configuration best achieves this?

Your organization wants to ensure that only approved OAuth and GitHub Apps can access organization resources. What should an organization owner configure?

A new repository is created in an organization. You want all members of the "Developers" team to automatically have read access without manually adding the team each time. What is the best approach?

An administrator wants to prevent accidental deletion of important branches in multiple repositories. Which GitHub feature should they use?

Your enterprise requires that access to all organizations uses a centralized identity provider and that organization membership is automatically managed based on IdP group membership. What should you implement?

A repository requires that pull requests cannot be merged unless a CI workflow succeeds. The workflow runs but the branch protection status check shows as "Expected" and never becomes successful, blocking merges. What is the most likely cause?

You need to enforce consistent security controls across dozens of repositories, including requiring signed commits on the default branch and preventing force pushes. Which approach best scales across repositories?

Your enterprise wants to limit which Actions can run in organization repositories to reduce supply-chain risk. You want to allow only Actions created by GitHub and those published from repositories within your organization. What should you configure?

A team complains that they can view an internal repository but cannot push changes, even though they believe they were granted write access. As an admin, what is the best first troubleshooting step?

A regulated enterprise must retain an immutable record of administrative and security-relevant events (for example, org setting changes, repository visibility changes, and SSO-related events) for audit. What is the best architecture on GitHub Enterprise Cloud?

You manage multiple organizations under one enterprise. A subset of organizations must follow stricter policies: only enterprise-managed users may join, and membership must be controlled exclusively through the IdP (no direct invites). Which enterprise-level design best meets this requirement?

Your organization wants every new repository to include a CODEOWNERS file, a security policy, and standard issue templates. You want this to happen automatically when developers create repos without requiring manual copying. What is the best solution?

An organization owner wants to quickly determine whether any members are required to use two-factor authentication (2FA) and to identify members who are not compliant. Where should the owner check?

A team lead needs to grant a contractor access to only one repository for two weeks. The contractor must be able to create branches and open pull requests but must not manage repo settings. Which role is most appropriate?

Your enterprise uses GitHub Enterprise Cloud with an enterprise account. You need to ensure SAML single sign-on (SSO) is enforced across all organizations, and members must authenticate through your identity provider. Where should you configure this enforcement?

A repository requires that all changes to the default branch be reviewed and that merges are only allowed when required status checks pass. A maintainer reports they can still merge without checks when using the web UI. What is the most likely misconfiguration?

You need to provide auditors evidence of repository permission changes and security-related events across an organization, including who changed settings and when. What should you use?

A platform team wants to standardize CI across many repositories. They created a reusable workflow in a central repository and want other repos to call it. However, calls to the reusable workflow fail with a permissions-related error. Which setting is most likely required to allow this pattern?

You want to prevent Actions workflows from using untrusted third-party actions while still allowing actions from your enterprise and GitHub Marketplace verified creators. Which approach best meets this requirement?

Your enterprise requires that all code changes to critical repositories be approved by the Security team when changes affect specific paths (for example, '/infra/**'). You need an approach that is enforceable through pull requests and scales across repositories. What should you implement?

A company wants to allow internal developers to create repositories, but only within a controlled set of organizations and with standardized visibility rules. As the enterprise admin, you need centralized governance. What is the best design?

An organization wants to reduce the risk of accidental pushes to the default branch in many repositories. They want a lightweight baseline that can be applied consistently without restricting feature branches. What should you configure?

You need to ensure that only approved GitHub Apps can be installed across your GitHub Enterprise organization. Which setting best meets this requirement?

A developer reports they cannot see a repository that should be accessible to everyone in the enterprise. The repo is in an organization under your enterprise account. What is the MOST likely cause?

Your compliance team asks for a simple way to ensure sensitive tokens are not accidentally committed to repositories. Which GitHub feature is designed to detect leaked secrets in code?

You need to grant a group of engineers read access to all repositories in an organization and write access to only two repositories. What is the recommended approach to simplify ongoing administration?

A repository requires that changes to certain files (for example, security policies) must always be reviewed by the security team before merging. What should you implement?

You are troubleshooting a GitHub Actions workflow that fails with a permissions error when attempting to create a release. The workflow uses the automatically provided GITHUB_TOKEN. What is the most likely fix?

Your enterprise wants to ensure repository maintainers cannot disable required security settings (such as secret scanning or code scanning) once enabled. What is the best approach?

A regulated enterprise must ensure that every authentication to GitHub is tied to the company identity provider and that access is removed immediately when an employee leaves. They use GitHub Enterprise Cloud. Which architecture best meets this requirement?

A company wants to standardize repository creation so that every new repository includes required settings (branch protection baseline, issue templates, and a default workflow). They also want teams to start from approved code patterns. What is the best solution?

Your organization wants all new repositories to follow the same baseline settings: private by default, issues enabled, and a required CODEOWNERS file. What is the most appropriate GitHub feature to standardize this for new repositories?

A developer reports they cannot push to a protected branch even though they are an organization owner. The branch protection rule requires pull requests and does not allow bypass for administrators. What should you do to allow the owner to push directly only when necessary?

You need to ensure that all activity in the organization can be investigated later, including repository access changes and administrative actions. Which logging capability should you rely on as the primary source for organization-level events?

Your enterprise uses multiple organizations and wants to restrict which third-party GitHub Apps can be installed. You want security to centrally approve apps and block all others across the enterprise. What should you configure?

You are migrating to GitHub Enterprise and want to ensure employees authenticate using your identity provider and that access is revoked when they leave the company. What is the best approach?

A repository requires review from the security team for any change under the /workflows directory and any modification to reusable workflow files. What is the most appropriate control to implement?

Your organization wants to ensure all workflow runs use only approved GitHub Actions to reduce supply chain risk. Which configuration best meets this requirement?

A team complains that their workflow cannot publish a release because the provided token lacks the required permissions. You want to follow least privilege and avoid granting broad permissions to all workflows. What should you do?

You need to prevent secrets from being exfiltrated by untrusted workflow modifications in pull requests, while still allowing contributors to run CI checks on PRs. Which approach is most secure?

A regulated enterprise must enforce consistent rules across hundreds of repositories: require pull requests, block force pushes, require code scanning to pass, and apply the same rules to all default branches. You also need the ability to target subsets of repositories. What is the best solution?