GH-200 — GitHub Actions Quick Review
Quick Review for GitHub Actions (GH-200): workflows, events, jobs, runners, security, reusable workflows, artifacts, caches, and common exam traps.
Quick Review Focus
This independent Quick Review is for candidates preparing for GitHub’s GitHub Actions (GH-200) exam. Use it to refresh the highest-yield concepts before moving into topic drills, mock exams, original practice questions, and detailed explanations.
The exam mindset is practical: know how a workflow is triggered, how jobs and steps execute, how data moves between jobs, how permissions and secrets are controlled, and which GitHub Actions feature solves a specific automation problem.
Core Mental Model
GitHub Actions automation usually follows this path:
- An event occurs, such as
push,pull_request,workflow_dispatch, orschedule. - GitHub finds a matching workflow file in
.github/workflows/. - The workflow creates one or more jobs.
- Each job runs on a runner.
- Each job executes steps, which either run shell commands with
runor invoke actions withuses. - Logs, outputs, artifacts, caches, checks, deployments, and summaries are produced.
| Layer | What it does | High-yield exam cue | Common mistake |
|---|---|---|---|
| Workflow | YAML automation definition | Stored in .github/workflows/*.yml or .yaml | Expecting a workflow outside that directory to run |
| Event | Starts a workflow | on: push, on: pull_request, on: workflow_dispatch | Confusing event filters with job if conditions |
| Job | Unit of execution | Has runs-on, steps, optional needs | Assuming jobs run sequentially by default |
| Runner | Machine that executes a job | GitHub-hosted or self-hosted | Assuming files persist across jobs |
| Step | Individual command or action | Uses run or uses | Trying to use both run and uses in one step |
| Action | Reusable automation unit | JavaScript, Docker, or composite action | Confusing an action with a reusable workflow |
| Context | Runtime data | github, env, secrets, matrix, needs | Using the wrong context for the execution phase |
| Token/permissions | Access control | GITHUB_TOKEN, permissions, OIDC | Leaving broad write permissions enabled |
Workflow File Anatomy
A workflow is a YAML file placed under .github/workflows/. It normally includes an event trigger and at least one job.
| Key | Scope | Purpose |
|---|---|---|
name | Workflow | Display name for the workflow |
run-name | Workflow run | Dynamic display name for a specific run |
on | Workflow | Defines triggering events |
permissions | Workflow or job | Sets GITHUB_TOKEN permissions |
env | Workflow, job, or step | Defines environment variables |
defaults | Workflow or job | Sets defaults such as shell or working directory |
concurrency | Workflow or job | Controls overlapping runs or jobs |
jobs | Workflow | Defines one or more jobs |
runs-on | Job | Chooses the runner |
needs | Job | Creates job dependencies |
if | Job or step | Conditionally runs a job or step |
strategy.matrix | Job | Expands a job across combinations |
steps | Job | Defines the commands/actions in a job |
uses | Step or reusable workflow job | Invokes an action or reusable workflow |
run | Step | Runs shell commands |
with | Step or reusable workflow call | Supplies inputs |
secrets | Reusable workflow call | Passes secrets to a reusable workflow |
environment | Job | Associates job with a deployment environment |
outputs | Job or step/action | Exposes values for later use |
Workflow Structure Traps
| Trap | Correct understanding |
|---|---|
| Jobs run in the order listed | Jobs run in parallel unless linked with needs |
A step can have both run and uses | A normal step uses one or the other |
uses always means “action” | At step level it invokes an action; at job level it can call a reusable workflow |
Job-level if works exactly like step-level if | Job-level if is evaluated before matrix expansion |
| All workflow data is available everywhere | Context availability depends on workflow phase and scope |
| Environment variables set in one job are available in another | Jobs are isolated; use outputs or artifacts |
Events and Triggers
The on key defines when a workflow runs. Be comfortable with simple triggers, filtered triggers, manual triggers, reusable workflow triggers, and security-sensitive pull request triggers.
| Event | Use when | Key review points |
|---|---|---|
push | Code is pushed to branches or tags | Can filter by branches, tags, and paths |
pull_request | Validate PR changes safely | Fork PRs usually have restricted token/secrets access |
pull_request_target | Run in base repository context | Security-sensitive; do not run untrusted head code with secrets/write token |
workflow_dispatch | Manual run | Supports typed inputs; workflow file must be available for dispatch |
workflow_call | Reusable workflow | Called from another workflow at the job level |
schedule | Cron-based automation | Uses UTC cron; runs from the default branch context |
repository_dispatch | External/custom trigger | Usually sent through the API |
workflow_run | React to another workflow | Useful but can create privilege-escalation risk if artifacts/input are untrusted |
release | Release lifecycle automation | Use activity types to limit when it runs |
issues, pull_request_review, label | Repository collaboration automation | Understand the event payload and permissions needed |
Trigger Filters
| Filter | Applies to | Notes |
|---|---|---|
branches | Branch names | For pull_request, usually filters target/base branches |
branches-ignore | Branch names | Cannot be combined with branches for the same event |
tags | Tag names | Used with push tag events |
tags-ignore | Tag names | Cannot be combined with tags for the same event |
paths | Changed file paths | If branch and path filters both exist, both must match |
paths-ignore | Changed file paths | Cannot be combined with paths for the same event |
types | Event activity types | Example: PR opened, synchronized, closed |
High-yield filter rules:
- If both branch filters and path filters are configured, the workflow runs only when both conditions match.
- Negative patterns using
!are order-sensitive. - You cannot use
branchesandbranches-ignoretogether for the same event. - You cannot use
pathsandpaths-ignoretogether for the same event. - Path filters are not evaluated for tag pushes.
- Workflows skipped by branch, path, or commit-message filters can leave required checks pending, which may block merging if that check is required.
- Events created by the default
GITHUB_TOKENgenerally do not trigger new workflow runs, which helps prevent accidental recursion. Use a suitable GitHub App token or personal access token only when workflow chaining is intentionally required.
Pull Request Trigger Decision Point
| Scenario | Safer choice | Why |
|---|---|---|
| Build and test untrusted PR code | pull_request | Runs with restricted access for forked PRs |
| Label/comment on a PR using base repo permissions | pull_request_target | Runs in base context, but avoid executing untrusted code |
| Need secrets for deployment | Avoid fork PR execution; use protected branches/environments | Secrets should not be exposed to untrusted code |
| Need to inspect PR metadata only | pull_request_target may fit | Metadata automation is different from checking out and running PR code |
The key exam trap: pull_request_target is powerful but dangerous. It runs in the context of the base repository. If you check out and execute code from an untrusted fork in that context, secrets or write permissions may be exposed.
Jobs, Steps, and Control Flow
Jobs
A job is the main execution unit in a workflow. Each job gets a runner and runs its steps in order.
| Feature | Use for | Exam cue |
|---|---|---|
runs-on | Select runner | Required for normal jobs |
needs | Order jobs | Without needs, jobs run in parallel |
if | Conditional job execution | Job skipped if condition is false |
strategy.matrix | Run variants | OS/language/version combinations |
continue-on-error | Allow failure without failing workflow/job | Often used for experimental matrix entries |
timeout-minutes | Stop long-running jobs | Avoids stuck jobs consuming time |
concurrency | Prevent overlapping work | Useful for deployments and branch-specific runs |
environment | Deployment environment | Can add protection rules and environment-scoped secrets |
permissions | Token scope | Prefer least privilege at workflow or job level |
Steps
Steps run sequentially inside a job.
| Step type | Syntax cue | Use for |
|---|---|---|
| Shell command | run | Build, test, script, CLI command |
| Action | uses | Reusable task such as checkout, setup, upload artifact |
| Conditional step | if | Run only under specific status/event/context conditions |
| Identified step | id | Required if later steps read that step’s outputs |
| Input-driven step | with | Pass inputs to an action |
| Environment step | env | Pass environment variables to the command/action |
Status Functions
| Function | Meaning | Common use |
|---|---|---|
success() | Previous steps/jobs succeeded | Default behavior for most steps |
failure() | A previous step/job failed | Upload logs after failure |
cancelled() | Workflow was cancelled | Skip cleanup that should not run after cancellation |
always() | Run regardless of previous result | Cleanup, diagnostics, summaries |
!cancelled() | Run unless cancelled | Often safer than unconditional always() for long operations |
Common control-flow traps:
- A dependent job is skipped if a required job is skipped or fails, unless the condition explicitly handles it.
- Step-level
ifconditions are evaluated at runtime inside the job. - Job-level
ifconditions are evaluated before matrix expansion. continue-on-errorchanges failure behavior but does not mean the command succeeded.- Use
needs.<job_id>.resultwhen downstream jobs must react to upstream success, failure, cancellation, or skip states.
Matrix Strategy
A matrix expands one job definition into multiple job runs.
| Matrix feature | Purpose |
|---|---|
matrix | Defines combinations such as OS and language version |
include | Adds or modifies matrix combinations |
exclude | Removes combinations |
fail-fast | Cancels in-progress matrix jobs when one fails |
max-parallel | Limits simultaneous matrix jobs |
continue-on-error | Can allow experimental combinations to fail |
High-yield matrix rules:
- Matrix jobs are separate job runs.
- Matrix variables are accessed with the
matrixcontext. - Use
includefor special combinations or extra variables. - Use
excludeto remove invalid combinations. - Use
fail-fast: falsewhen you want all matrix combinations to finish even if one fails. - Use
max-parallelwhen runner capacity, rate limits, or deployment constraints matter. - Dynamic matrices often use a previous job output plus
fromJSON.
Runners
A runner is the machine that executes a job.
| Runner type | Best for | Key considerations |
|---|---|---|
| GitHub-hosted runner | Common CI/CD tasks | Fresh environment per job; choose OS with runs-on |
| Larger GitHub-hosted runner | More CPU/RAM or specialized capacity | Useful for heavier workloads |
| Self-hosted runner | Custom tools, private network, specialized hardware | You manage security, updates, cleanup, and availability |
| Runner group | Access control for self-hosted runners | Helps restrict which repos can use which runners |
Runner Selection
runs-on pattern | Meaning |
|---|---|
| Single label | Match a runner image or label, such as Linux, Windows, or macOS runner labels |
| Multiple labels | Runner must match all listed labels |
| Self-hosted labels | Include self-hosted plus OS/architecture/custom labels |
| Runner group | Restrict selection to a configured group |
Runner traps:
- Each normal job runs on its own runner instance. Do not assume job filesystem state carries over.
- GitHub-hosted runners are ephemeral; self-hosted runners may persist files unless cleaned.
- Shell defaults differ by operating system.
- Container jobs and service containers are primarily Linux-runner features.
- Self-hosted runners in public repositories require special caution because untrusted code may execute on your infrastructure.
- If a self-hosted runner is offline, jobs can remain queued.
Actions, Composite Actions, and Reusable Workflows
Actions
An action is a reusable unit invoked from a step with uses.
| Action type | Runs as | Good for |
|---|---|---|
| JavaScript action | Node-based action | Fast startup, API integrations |
| Docker action | Containerized action | Consistent runtime dependencies |
| Composite action | Collection of steps | Reusing shell/action steps across workflows |
| Local action | Action in the same repository | Repo-specific automation |
| Marketplace/third-party action | External action reference | Common tasks; review and pin carefully |
Security review for actions:
- Prefer trusted actions and review what they do.
- Pin actions to a full commit SHA when security and reproducibility matter most.
- Pinning to a major version tag is common but less strict than SHA pinning.
- Avoid using unreviewed actions with secrets or write permissions.
- Use organization or enterprise policies where available to restrict allowed actions.
Composite Action vs Reusable Workflow
| Feature | Composite action | Reusable workflow |
|---|---|---|
| Invoked from | A step using uses | A job using jobs.<job_id>.uses |
| Defines jobs | No | Yes |
| Chooses runner | No, uses caller job runner | Yes, inside called workflow |
| Good for | Repeated step logic | Standardized CI/CD workflows |
| Inputs | Supported | Supported through workflow_call |
| Secrets | Uses caller context carefully | Passed explicitly or inherited where supported |
| Outputs | Supported | Supported |
| Can contain multiple jobs | No | Yes |
Decision rule:
- Use a composite action when you want to reuse a set of steps inside a job.
- Use a reusable workflow when you want to reuse an entire job or multi-job process.
- Use a workflow template when you want a starter workflow pattern for repositories, not runtime reuse.
Contexts, Variables, and Expressions
Contexts expose workflow data. The correct context depends on where the expression is evaluated.
| Context | Contains | Common use |
|---|---|---|
github | Event, repository, actor, ref, run metadata | Branch/event decisions |
env | Environment variables defined in workflow/job/step | Shell configuration |
vars | Configuration variables | Non-secret configuration |
secrets | Encrypted secrets | Tokens, passwords, credentials |
inputs | Manual or reusable workflow inputs | workflow_dispatch, workflow_call |
matrix | Matrix values | OS/version-specific logic |
needs | Upstream job results and outputs | Downstream job decisions |
steps | Step outputs and outcomes | Use output from earlier step in same job |
runner | Runner OS/temp/tool information | OS-specific behavior |
strategy | Matrix strategy metadata | Matrix-related conditions |
job | Current job information | Job services/container information |
Variables and Secrets
| Mechanism | Use for | Security level | Notes |
|---|---|---|---|
env | Runtime environment values | Not inherently secret | Scope can be workflow, job, or step |
vars | Plain configuration | Not secret | Organization, repository, or environment-level configuration |
secrets | Sensitive values | Encrypted and masked | Not available in many untrusted fork scenarios |
GITHUB_TOKEN | GitHub API access for the workflow | Scoped by permissions | Prefer least privilege |
| OIDC token | Federated cloud auth | Short-lived | Requires id-token: write and external trust config |
Environment variable precedence generally becomes more specific as scope narrows: step-level env overrides job-level env, which overrides workflow-level env.
Workflow Command Files
| File/environment variable | Purpose | Exam trap |
|---|---|---|
GITHUB_ENV | Set environment variables for later steps in the same job | Does not affect the current step |
GITHUB_OUTPUT | Set outputs for the current step | Step needs an id for later reference |
GITHUB_PATH | Add directories to PATH for later steps | Job-scoped, not workflow-global |
GITHUB_STEP_SUMMARY | Add Markdown summary for the job | Useful for reports and diagnostics |
GITHUB_STATE | Share state within an action’s lifecycle | Mainly relevant to action authoring |
Expression Traps
| Trap | Correct approach |
|---|---|
| Treating all values as strongly typed | Use fromJSON when booleans/numbers matter |
Assuming secrets can be used directly in all if expressions | Use safe patterns; secrets are restricted in conditionals |
| Dumping entire contexts into logs | Avoid exposing sensitive metadata; masking is not a full security design |
| Forgetting expression delimiters | Use ${{ }} where expression evaluation is required |
| Using untrusted input directly in shell scripts | Pass values through environment variables and quote carefully |
| Assuming outputs are typed | Outputs are strings unless parsed/converted |
Using hashFiles without matching files | Empty hash results can cause unexpected cache keys |
Useful expression functions to recognize:
| Function | Common use |
|---|---|
contains | Check list/string membership |
startsWith | Branch or tag prefix logic |
endsWith | File or ref suffix checks |
format | Build strings |
join | Combine array values |
toJSON | Debug or serialize context data |
fromJSON | Parse JSON into structured data |
hashFiles | Build cache keys from lockfiles |
Permissions, Tokens, and Security
Security is a major decision area for GitHub Actions. Know how to reduce privileges and prevent untrusted code from reaching secrets.
GITHUB_TOKEN
GitHub automatically creates a GITHUB_TOKEN for workflow runs. Its access is controlled with the permissions key.
| Permissions practice | Why it matters |
|---|---|
Set permissions at workflow or job level | Avoid unnecessary default access |
| Grant only required scopes | Least privilege reduces blast radius |
| Use job-level permissions for sensitive jobs | Different jobs may need different access |
Use contents: read for checkout-only jobs | Many CI jobs do not need write access |
Use id-token: write only for OIDC jobs | Needed to request an OIDC token |
| Avoid broad write permissions on untrusted triggers | PR workflows are a common attack surface |
Important nuance: when you explicitly configure permissions, unspecified permissions are generally not granted, aside from required metadata access. This is a common exam-style trap.
OIDC
OpenID Connect allows workflows to request short-lived tokens from a cloud provider or external system without storing long-lived cloud credentials as GitHub secrets.
| OIDC requirement | Meaning |
|---|---|
permissions: id-token: write | Allows workflow to request an OIDC token |
| External trust policy | Cloud/provider must trust the GitHub identity claims |
| Short-lived credential exchange | OIDC token is exchanged for provider credentials |
| Claim restrictions | Limit by repository, branch, environment, workflow, or other claims where appropriate |
OIDC trap: granting id-token: write does not automatically grant cloud access. The external provider must be configured to trust the workflow identity.
Secrets
| Secret behavior | Review point |
|---|---|
| Encrypted at rest | Used for sensitive values |
| Masked in logs | Exact secret values are masked, but do not rely on logs as a security boundary |
| Scoped | Organization, repository, and environment scopes exist |
| Restricted for fork PRs | Do not expect secrets in untrusted fork workflows |
| Not plain configuration | Use vars for non-sensitive config |
| Can be environment-specific | Deployment environments can have separate secrets |
Common secret mistakes:
- Printing secrets or derived credentials.
- Passing secrets to untrusted third-party actions.
- Using secrets in workflows triggered by untrusted code.
- Confusing
varsandsecrets. - Assuming masking prevents all forms of leakage.
- Forgetting that generated sensitive values may need explicit masking with
add-mask.
Artifacts, Caches, Outputs, and Data Passing
Different data-sharing mechanisms solve different problems.
| Need | Best tool | Why |
|---|---|---|
| Pass a small value between steps in one job | Step output | Simple and direct |
| Pass a small value between jobs | Job output plus needs | Designed for job dependencies |
| Pass files between jobs in a workflow | Artifact | Download in another job |
| Preserve dependencies between workflow runs | Cache | Speeds repeated installs/builds |
| Publish human-readable run results | Step summary | Appears in workflow UI |
| Persist deployment package for release | Artifact or release asset | Cache is not a release mechanism |
Outputs
| Output type | How it is used |
|---|---|
| Step output | Written to GITHUB_OUTPUT; referenced through steps.<id>.outputs.<name> |
| Job output | Maps step outputs to jobs.<job_id>.outputs; consumed through needs.<job_id>.outputs.<name> |
| Reusable workflow output | Exposed by the called workflow and consumed by the caller |
Output traps:
- A step must have an
idif later steps need its outputs. - Job outputs are only available to jobs that declare
needs. - Outputs are strings unless converted.
- Outputs are not a safe place for secrets unless the flow is carefully controlled.
Artifacts vs Cache
| Feature | Artifact | Cache |
|---|---|---|
| Primary purpose | Store workflow files/results | Reuse dependencies/build data |
| Typical examples | Test reports, build packages, coverage files | Package manager directories, tool caches |
| Shared across jobs | Yes, by upload/download | Not the main purpose |
| Shared across workflow runs | Artifacts can be retained; caches are restored by key | Yes, if key/scope matches |
| Determinism | Good for exact files from a run | Cache hit is helpful but not guaranteed |
| Security caution | Do not blindly trust artifacts from untrusted workflows | Do not cache secrets or sensitive files |
Cache key best practices:
- Include operating system or platform.
- Include dependency lockfile hash with
hashFiles. - Use restore keys for fallback matches.
- Do not depend on cache for correctness.
- Do not put credentials, tokens, or secrets in cached paths.
Concurrency
Concurrency prevents overlapping workflow runs or jobs from interfering with each other.
| Use case | Concurrency pattern |
|---|---|
| Cancel older CI runs on same branch | Group by workflow and ref; enable cancel-in-progress |
| Prevent simultaneous production deployments | Use a stable production deployment group |
| Serialize environment-specific deployments | Group by environment name |
| Avoid duplicate scheduled work | Use one group for the scheduled process |
Review points:
concurrencycan be set at workflow or job level.- A concurrency group allows at most one running and one pending run/job in that group.
cancel-in-progress: truecancels the currently running item in the group.- Group names are case-insensitive.
- Ordering of queued items is not guaranteed.
Environments and Deployments
GitHub Actions environments help control deployment jobs.
| Environment feature | Use |
|---|---|
| Environment name | Associates a job with a deployment target |
| Environment secrets | Secrets scoped to that environment |
| Environment variables | Non-secret configuration scoped to that environment |
| Protection rules | Add controls before a deployment job proceeds |
| Deployment history | Track deployment activity |
Deployment review rules:
- Use environments for deployment gates and environment-specific secrets.
- Use concurrency to prevent overlapping deployments.
- Build once, then deploy the same artifact through later stages when possible.
- Keep CI validation separate from privileged deployment jobs.
- Avoid exposing production secrets to PR validation workflows.
- Use least-privilege permissions for each deployment job.
Reusable Workflow Calling Patterns
Reusable workflows are triggered by workflow_call and called from another workflow at the job level.
| Caller need | Pattern |
|---|---|
| Pass simple values | Define inputs in called workflow; use with in caller |
| Pass secrets explicitly | Define secrets in called workflow; pass with secrets in caller |
| Pass available secrets broadly | Use secrets: inherit only when appropriate and supported |
| Return values | Define outputs in called workflow |
| Version reusable workflow | Reference a branch, tag, or SHA |
| Apply matrix to reusable workflow | Use strategy.matrix on the calling job |
Reusable workflow traps:
- A reusable workflow is called as a job, not as a step.
- The called workflow must define
on: workflow_call. - The caller does not define the internal steps of the called workflow.
- Permissions and secrets should be explicitly considered across the call boundary.
- Pinning reusable workflows by SHA improves reproducibility and security.
Self-Hosted Runner Security
Self-hosted runners are powerful because they can access internal tools and networks, but that also increases risk.
| Risk | Mitigation |
|---|---|
| Untrusted PR code runs on internal machine | Avoid self-hosted runners for untrusted public PRs |
| Files persist between jobs | Clean workspace and use ephemeral runners where possible |
| Runner has broad network access | Segment network access |
| Tooling becomes outdated | Patch runner host and runner application |
| Secrets remain in logs/files/processes | Minimize secrets, clean aggressively, use least privilege |
| Any repo can target runner | Use runner groups and labels carefully |
Exam decision rule: if a scenario involves private infrastructure, custom hardware, or special internal dependencies, a self-hosted runner may be the answer. If the scenario involves untrusted public contributions, self-hosted runners are often the risk to avoid.
Debugging and Observability
| Tool/feature | Use |
|---|---|
| Workflow run logs | Step-by-step execution details |
| Annotations | Warnings/errors surfaced in the UI |
| Step summaries | Markdown reports for a job |
| Re-run jobs/workflows | Retry transient failures |
| Debug logging | More detailed runner and step logs |
toJSON | Inspect context data carefully |
| GitHub CLI | Inspect and trigger workflow runs from the command line |
| Artifacts | Preserve logs, reports, screenshots, build outputs |
Debug logging review:
ACTIONS_STEP_DEBUGenables detailed step debug logging.ACTIONS_RUNNER_DEBUGenables additional runner diagnostic logging.- Use debug logging carefully because logs may contain sensitive operational details.
Common failure patterns:
| Symptom | Likely cause |
|---|---|
| Workflow does not run | Wrong event, filter mismatch, workflow file location issue |
| Required check stays pending | Workflow skipped by branch/path/commit-message filter |
| Job queued forever | No matching runner or self-hosted runner unavailable |
| Step cannot access repo | Missing checkout or insufficient contents permission |
| API call gets 403 | GITHUB_TOKEN permissions too restrictive |
| Secret is empty | Secret not available for trigger/scope/environment |
| Output is blank | Missing step id, wrong output name, or wrong context |
| Cache never hits | Key changes too often or path/key mismatch |
| Matrix creates too many jobs | Matrix combinations not limited with exclude or include |
| Deployment overlaps | Missing concurrency or environment controls |
YAML and Syntax Gotchas
GitHub Actions workflows are YAML, so small syntax mistakes can change meaning.
| Gotcha | Review point |
|---|---|
| Indentation | YAML structure is indentation-sensitive |
| Special characters | Quote patterns beginning with characters like *, !, or [ |
| Multi-event syntax | If one event has configuration, use mapping syntax consistently |
| Glob patterns | Negative patterns are order-sensitive |
| Strings vs booleans | Use expression conversion when type matters |
| Shell quoting | Treat untrusted input carefully |
| Step IDs | Required for referencing step outputs |
| Context spelling | Context and property names must be exact |
| File paths | Linux, Windows, and macOS path syntax differs |
High-Yield Decision Rules
Use these as quick “if the question says X, think Y” rules.
| Scenario | Likely answer |
|---|---|
| Run workflow manually | workflow_dispatch |
| Reuse an entire workflow | workflow_call reusable workflow |
| Reuse repeated steps inside a job | Composite action |
| Pass files between jobs | Upload/download artifact |
| Reuse dependencies across runs | Cache |
| Sequence jobs | needs |
| Run jobs on several OS/language versions | Matrix strategy |
| Limit overlapping deployments | concurrency |
| Require approval or protected deployment controls | Environment |
| Reduce token access | permissions |
| Authenticate to cloud without long-lived secret | OIDC |
| Safely validate fork PR code | pull_request with restricted permissions |
| Automate PR labels/comments from base context | Carefully designed pull_request_target |
| Run cleanup after failure | Status functions such as always() or failure() |
| Set environment variable for later steps | Write to GITHUB_ENV |
| Set step output | Write to GITHUB_OUTPUT |
| Get upstream job output | Use needs.<job_id>.outputs |
| Inspect event payload | Use github.event or event payload file |
| Use internal network/hardware | Self-hosted runner |
| Avoid running untrusted code on infrastructure | Prefer GitHub-hosted or restricted patterns |
Common Candidate Mistakes
Confusing Reuse Mechanisms
| Candidate mistake | Correct distinction |
|---|---|
| “Reusable workflow” called from a step | Reusable workflows are called at job level |
| “Composite action” defines runners/jobs | Composite actions run within the caller’s job |
| “Workflow template” runs dynamically | Templates help create workflow files; they are not runtime calls |
Misusing Security Features
| Candidate mistake | Correct distinction |
|---|---|
| OIDC replaces all permissions | OIDC needs id-token: write and external trust |
| Secrets are safe in any workflow | Secrets must be protected from untrusted code |
| Masking equals full protection | Masking helps logs but is not a complete security boundary |
pull_request_target is just a stronger pull_request | It changes trust context and can be dangerous |
Broad GITHUB_TOKEN permissions are harmless | Use least privilege |
Misunderstanding Data Flow
| Candidate mistake | Correct distinction |
|---|---|
| Cache is for passing build artifacts | Artifacts are for exact files/results |
| Environment variables cross jobs | Jobs are isolated |
Step output is available without id | The step needs an id |
| Job output is available everywhere | Downstream job must use needs |
$GITHUB_ENV affects current shell line | It affects later steps |
Quick Concept Check
| Prompt | Expected answer |
|---|---|
| Where must workflow files live? | .github/workflows/ |
| What makes jobs run sequentially? | needs |
| What selects the runner? | runs-on |
| What runs a shell command? | run |
| What invokes an action? | Step-level uses |
| What invokes a reusable workflow? | Job-level uses |
| What trigger enables manual runs? | workflow_dispatch |
| What trigger enables reusable workflows? | workflow_call |
| What is used for cloud federation? | OIDC with id-token: write |
What controls GITHUB_TOKEN scopes? | permissions |
| What is best for dependency reuse? | Cache |
| What is best for test reports/build files? | Artifact |
| What context reads matrix values? | matrix |
| What context reads upstream outputs? | needs |
| What context reads encrypted secrets? | secrets |
| What feature prevents overlapping deploys? | concurrency |
| What feature can require deployment approval? | Environment |
| What should be avoided with untrusted fork code? | Secrets, write tokens, unsafe pull_request_target patterns |
Practice Connection
After this Quick Review, use IT Mastery practice to test whether you can choose the right GitHub Actions feature under exam-style pressure. A strong GH-200 study sequence is:
- Start with topic drills on workflow syntax, triggers, jobs, steps, and runners.
- Add security drills on
GITHUB_TOKEN, permissions, secrets, OIDC, and pull request threat models. - Practice data-flow questions covering outputs, artifacts, caches, matrix jobs, and reusable workflows.
- Use mock exams to build speed and identify weak areas.
- Review detailed explanations for every missed or guessed question, especially when two choices seem plausible.
Next step: move into a GH-200 question bank with original practice questions, topic drills, mock exams, and detailed explanations so you can apply these rules in realistic scenarios.
Continue in IT Mastery
Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official GitHub questions, copied live-exam content, or exam dumps.