Review GitHub Actions (GH-200) workflow authoring, runners, permissions, troubleshooting, reusable actions, and secure automation before practicing in IT Mastery.
Use this cheat sheet to review the GitHub Actions decisions that show up repeatedly in GH-200 practice: trigger scope, job boundaries, runner selection, permissions, artifacts, caching, reusable workflows, and secure deployment controls.
Use this with practice. Review the workflow checklist, then take the free GH-200 diagnostic or open the full GitHub Actions route in IT Mastery.
| Field | Detail |
|---|---|
| Vendor | GitHub |
| Credential name | GitHub Actions |
| Exam code | GH-200 |
| Level shown by Microsoft Learn | Intermediate |
| Exam time shown by Microsoft Learn | 100 minutes |
| IT Mastery status | Live GH-200 practice available |
| Area | What to know | Common trap |
|---|---|---|
| Author workflows | Events, jobs, steps, runners, matrices, environments, expressions, and reusable workflows | Editing step commands before confirming the event and job boundary |
| Consume and troubleshoot workflows | Logs, exit codes, artifacts, caching, reruns, concurrency, and dependency failures | Fixing the wrong line because the first failing command was not identified |
| Author and maintain actions | Composite, JavaScript, and Docker actions; inputs, outputs, versioning, and release tags | Breaking a public action output by changing an internal step ID |
| Enterprise management | Runner groups, policies, organization settings, billing signals, and governance | Treating enterprise policy as a repository-only setting |
| Secure and optimize automation | Secrets, permissions, OIDC, least privilege, cache safety, and reliable deploy controls | Granting broad token permissions when one job needs one scope |
| Distinction | How to decide |
|---|---|
| Workflow vs job vs step | Workflows respond to events; jobs define runner execution units; steps run actions or shell commands. |
| GitHub-hosted vs self-hosted runner | GitHub-hosted runners reduce maintenance; self-hosted runners fit custom tools, private networking, or specialized hardware. |
| Secret vs variable | Secrets protect sensitive values; variables store nonsecret configuration. |
| Artifact vs cache | Artifacts move build output between jobs or retain results; caches speed repeated dependency restore. |
| Reusable workflow vs composite action | Reusable workflows share job-level automation; composite actions package repeated step logic. |
GITHUB_TOKEN vs OIDC | GITHUB_TOKEN authorizes GitHub API actions; OIDC enables short-lived cloud credentials without stored cloud secrets. |
| Environment protection vs branch protection | Environments gate deployments and secrets; branch protection controls merge rules on branches. |
on first: event, branch filters, path filters, and event payload determine the workflow context.permissions before assuming the token can write comments, packages, checks, or security events.needs when one job depends on outputs, artifacts, or completion of another job.Take the free GH-200 diagnostic and tag misses by trigger, job boundary, runner, permission, troubleshooting, or action packaging. Then drill the matching topic page before returning to mixed timed practice.
For YAML exhibits, read from top to bottom:
on:
pull_request:
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
The event, token permissions, and runner context usually explain the answer before the shell command does.