GitHub Administration Advanced Practice Exam: Hard Questions 2025

Your company uses GitHub Enterprise Cloud with Enterprise Managed Users (EMU). You must allow a vendor to contribute to a subset of repositories for 60 days. The vendor cannot be onboarded into your IdP, and security requires enforcing SSO and centralized identity. What should you do?

You administer a GitHub Enterprise with multiple organizations. Developers report intermittent inability to access resources after successful SSO in the browser, but Git operations from the CLI fail with 403 errors until they "re-authorize". You need to reduce helpdesk tickets while keeping strong access controls. What is the best administrative approach?

An enterprise has a "platform" org and 12 product orgs. The security team mandates that only approved GitHub Apps may be installed across the enterprise, and any non-approved app installation must be prevented. At the same time, product org admins still need autonomy to install approved apps without enterprise admin involvement. What should you configure?

A critical repository uses CODEOWNERS, branch protection requiring 2 reviewers, and required status checks. A senior engineer is still able to merge directly to the default branch without reviews or checks. You must identify the most likely cause and fix it with minimal disruption. What should you do?

You need to migrate 200 repositories into a new organization while preserving: (1) issue/PR history, (2) commit SHAs, (3) existing open PRs, and (4) minimal downtime. The security team also requires that repository-level secrets do not move automatically and must be re-created with approval. What is the best approach?

A monorepo has strict protections on the default branch. Teams need to allow an automation account to merge dependency update PRs after checks pass, without granting broad write/admin permissions. The solution must be auditable and follow least privilege. What should you implement?

A security incident reveals that a leaked token was used to access private repositories. You must (1) quickly reduce blast radius, (2) prevent recurrence, and (3) improve detection. The enterprise uses GitHub Enterprise Cloud. Which combined control set is most appropriate?

Your organization must meet a policy: 'No code can be merged unless the changes have passed code scanning and secret scanning, and the results are visible to auditors.' Some repositories are public, some private. Teams also use third-party CI for builds. What is the most robust way to enforce this across repositories?

A regulated team must ensure that only approved reusable GitHub Actions workflows are used, and that actions cannot be pulled from arbitrary public repositories. They also need to allow a small set of vetted marketplace actions. What enterprise/organization configuration best meets this requirement?

You run GitHub Actions for an enterprise with both GitHub-hosted and self-hosted runners. A workflow triggered by pull_request from forks needs to run integration tests that require access to an internal database reachable only from the self-hosted network. Security prohibits exposing internal resources to untrusted code. What design best balances security and developer productivity?