GH-900 — GitHub Foundations (GH-900) Exam Blueprint
Independent exam blueprint for GitHub Foundations (GH-900) exam readiness, covering GitHub workflows, collaboration, security, automation, and admin basics.
How to Use This Exam Blueprint
Use this checklist as a practical readiness map for the GitHub GitHub Foundations (GH-900) exam. It is not a replacement for hands-on practice. Treat each section as a set of skills you should be able to explain, recognize in scenarios, and apply in a basic GitHub workflow.
Because exact exam weights are not provided here, the areas below are organized as readiness areas, not weighted domains. For final review, focus on whether you can answer: “Which GitHub feature, workflow, permission, or setting fits this situation?”
Readiness areas at a glance
| Readiness area | What to review | You are ready when you can… |
|---|---|---|
| Git and GitHub fundamentals | Git vs. GitHub, repositories, commits, branches, remotes, clones, forks | Explain what is local, what is hosted on GitHub, and how changes move between them |
| Repository structure and navigation | README, branches, commits, files, history, releases, tags, repository settings | Navigate a repository and identify where common collaboration artifacts live |
| GitHub Flow | Branch, commit, push, pull request, review, merge, deploy | Describe the standard collaboration path from idea to merged change |
| Issues and discussions | Issues, labels, assignees, milestones, templates, discussions | Choose the right collaboration tool for bug reports, ideas, Q&A, and planning |
| Pull requests and code review | PR description, diff, review comments, approvals, checks, merge options | Interpret PR status and know what must happen before merging |
| Project management | GitHub Projects, boards/tables, fields, automation, milestones | Track work using issues and project views without confusing planning tools |
| Markdown and documentation | GitHub-flavored Markdown, README, CONTRIBUTING, CODE_OF_CONDUCT, SECURITY | Read and create basic project documentation artifacts |
| Security and identity | Authentication, 2FA, SSH keys, personal access tokens, secrets, Dependabot, code scanning concepts | Recognize secure access patterns and common repository security features |
| Permissions and administration | Personal accounts, organizations, teams, roles, repository visibility, branch protection concepts | Identify who can do what and how access should be managed |
| GitHub Actions basics | Workflows, events, jobs, steps, runners, actions, secrets, artifacts | Explain what triggers automation and where workflow logic is defined |
| Developer productivity tools | Codespaces, GitHub CLI, web editor, GitHub Desktop, Copilot concepts | Match tools to productivity scenarios without overcomplicating workflows |
| Open source and community | Forks, contributions, licenses, community health files, maintainers | Describe a typical external contribution workflow |
| Integrations and ecosystem | Marketplace, webhooks, REST API, GraphQL API, Packages | Recognize how GitHub connects to external tools and automation |
| Troubleshooting basics | Merge conflicts, failed checks, permission errors, authentication issues | Identify likely causes and next steps from common symptoms |
Core GitHub concepts checklist
Git vs. GitHub
Make sure you can clearly separate the version control system from the hosting and collaboration platform.
| Concept | Know the difference |
|---|---|
| Git | Distributed version control system used locally and remotely |
| GitHub | Cloud platform for hosting Git repositories and collaboration |
| Repository | Project storage location containing files and Git history |
| Commit | Snapshot of changes with metadata and a unique identifier |
| Branch | Independent line of development |
| Remote | A hosted copy or linked repository location, often named origin |
| Clone | Local copy of a remote repository |
| Fork | Personal or organization-owned copy of another repository |
| Pull request | Proposal to merge changes from one branch into another |
| Issue | Work item, bug report, request, or discussion starting point |
Ready check:
- I can explain why Git can be used without GitHub.
- I can explain why GitHub repositories still use Git history.
- I can describe the difference between cloning and forking.
- I can identify when a branch is enough and when a fork is more appropriate.
- I can explain what happens when a commit is pushed to GitHub.
Repository basics
| Repository feature | What to understand |
|---|---|
| README | Main project landing documentation |
.gitignore | Tells Git which local files should not be tracked |
| License file | Communicates reuse permissions and restrictions |
| Branches | Used for parallel development and review workflows |
| Tags | Named references commonly used for versions |
| Releases | GitHub objects that package versioned software or notes |
| Repository settings | Visibility, collaborators, branch rules, features, integrations |
| Insights | Activity, contributors, traffic, dependency and community information depending on repository configuration |
Can you do this?
- Identify the default branch of a repository.
- Find commit history for a file.
- Compare two branches or commits conceptually.
- Explain why a README matters to a public or internal project.
- Recognize when a repository should include contribution or security guidance.
- Explain the difference between a tag and a release at a high level.
Git command and workflow recognition
The GH-900 exam is not a deep Git administration exam, but you should recognize common commands and know what they mean in a GitHub workflow.
Common command readiness
| Command | What it does | Common exam cue |
|---|---|---|
git clone | Copies a remote repository locally | “Start working on an existing GitHub repository” |
git status | Shows working tree and staging state | “Check what changed before committing” |
git branch | Lists or creates branches | “See available development lines” |
git switch / git checkout | Changes branches | “Move to a feature branch” |
git add | Stages changes | “Prepare files for a commit” |
git commit | Records staged changes | “Create a snapshot with a message” |
git push | Sends commits to a remote | “Publish local commits to GitHub” |
git pull | Fetches and integrates remote changes | “Update local branch from GitHub” |
git fetch | Downloads remote changes without integrating | “See remote updates before merging” |
git merge | Combines branch histories | “Bring feature work into another branch” |
git log | Views commit history | “Investigate previous changes” |
git diff | Shows file differences | “Review unstaged or branch changes” |
git remote -v | Shows remote URLs | “Confirm where push/pull goes” |
Basic workflow you should recognize:
git clone https://github.com/example/project.git
cd project
git switch -c feature/update-docs
git status
git add README.md
git commit -m "Update documentation"
git push origin feature/update-docs
Ready check:
- I know which commands affect only my local repository.
- I know which commands communicate with GitHub.
- I can explain why changes are staged before committing.
- I can explain why a branch is created before starting work.
- I can recognize that pushing a branch often precedes opening a pull request.
GitHub Flow readiness
GitHub Flow is a common collaboration model built around short-lived branches and pull requests.
flowchart LR
A[Create or choose an issue] --> B[Create a branch]
B --> C[Make commits]
C --> D[Push branch to GitHub]
D --> E[Open pull request]
E --> F[Review and discuss]
F --> G[Checks pass]
G --> H[Merge]
H --> I[Delete branch when appropriate]
GitHub Flow checklist
- I can explain why work should be done on a branch instead of directly on the default branch.
- I can describe how commits become part of a pull request.
- I can identify who reviews a pull request and where comments appear.
- I can explain the role of automated checks in a pull request.
- I can describe what “merge” means in the context of a pull request.
- I can recognize when a pull request should not be merged yet.
- I can explain how branch protection or repository rules can enforce review and quality gates conceptually.
Pull request readiness table
| Pull request element | What to know |
|---|---|
| Title and description | Communicate purpose, context, and testing notes |
| Changed files | Shows the diff being proposed |
| Review comments | Feedback on lines or the overall PR |
| Requested reviewers | People or teams asked to review |
| Assignees | People responsible for the work |
| Labels | Categorize type, priority, area, or status |
| Linked issues | Connect PRs to tracked work |
| Checks | Automation results such as tests, builds, or scans |
| Merge options | Different ways to integrate changes, depending on repository settings |
Scenario cues:
| If the scenario says… | Think about… |
|---|---|
| “A teammate wants feedback before merging” | Pull request review |
| “A change should not merge until tests pass” | Required checks / branch protection concepts |
| “A PR fixes a tracked bug” | Link the PR to the issue |
| “A reviewer left comments on specific lines” | PR review comments |
| “Two branches changed the same lines” | Merge conflict |
| “Only approved code should enter the default branch” | Review requirements and branch rules |
Issues, discussions, and planning
Issue management checklist
- I can describe what an issue is used for.
- I can distinguish issues from pull requests.
- I can use labels to categorize work.
- I can use assignees to indicate ownership.
- I can use milestones to group work toward a target.
- I can explain how issue templates improve consistency.
- I can recognize when an issue should be closed, linked, transferred, or converted into actionable work.
| Feature | Best used for |
|---|---|
| Issue | Bug, task, feature request, tracked work item |
| Discussion | Open-ended Q&A, idea sharing, community conversation |
| Pull request | Proposed code, documentation, or configuration change |
| Label | Classification such as bug, enhancement, documentation, priority |
| Milestone | Group of issues/PRs toward a release or goal |
| Project | Planning and tracking across issues and pull requests |
GitHub Projects readiness
GitHub Projects can organize issues and pull requests into views for planning and tracking.
Can you do this?
- Explain why a project is useful when issues alone are not enough.
- Recognize table, board, and roadmap-style planning concepts.
- Understand that project fields can track status, priority, iteration, owner, or custom metadata.
- Distinguish a project view from the underlying issue or pull request.
- Understand that automation can help move or update items based on workflow events.
Scenario cues:
| Need | Likely GitHub feature |
|---|---|
| Track bugs and feature requests | Issues |
| Ask the community a broad question | Discussions |
| Group work for a release | Milestone |
| Visualize status across many issues | GitHub Projects |
| Propose a code change | Pull request |
| Standardize bug reports | Issue template |
Markdown and documentation artifacts
GitHub uses Markdown heavily in repositories, issues, pull requests, discussions, and documentation.
Markdown skills to verify
- Headings using
#,##, and### - Bulleted and numbered lists
- Links and images
- Code blocks and inline code
- Tables
- Task lists with checkboxes
- Mentions of users or teams
- References to issues or pull requests
- Basic formatting such as bold and italic text
Example recognition:
## Setup
1. Clone the repository.
2. Install dependencies.
3. Run the tests.
- [ ] Update README
- [ ] Open pull request
- [ ] Request review
Repository documentation files
| File | Purpose |
|---|---|
README.md | Project overview, usage, setup, and entry point |
CONTRIBUTING.md | How contributors should participate |
CODE_OF_CONDUCT.md | Community behavior expectations |
SECURITY.md | How to report vulnerabilities |
LICENSE | Legal terms for reuse |
.gitignore | Files and folders Git should not track |
| Issue templates | Standardize incoming issue details |
| Pull request template | Standardize PR descriptions and review context |
Ready check:
- I can identify which documentation file solves a given collaboration problem.
- I understand why public repositories often need clear community guidance.
- I can read a Markdown checklist and know how it appears on GitHub.
- I can explain why secrets, generated files, and local environment files are often excluded with
.gitignore.
Identity, access, and permissions
Authentication and access concepts
| Concept | What to understand |
|---|---|
| Username/password | Basic account sign-in concept, strengthened with additional protections |
| Two-factor authentication | Adds a second verification factor to account access |
| SSH key | Used to authenticate Git operations over SSH |
| Personal access token | Token-based authentication for tools, scripts, or Git operations |
| Fine-scoped access | Principle of granting only the access needed |
| Secret | Sensitive value used by automation and integrations |
| Organization | Shared administrative space for teams and repositories |
| Team | Group used to manage access and collaboration |
| Repository visibility | Controls whether a repository is public, private, or otherwise restricted based on available options |
Can you do this?
- Explain why 2FA reduces account takeover risk.
- Recognize when an SSH key is used for Git authentication.
- Recognize when a token may be needed instead of a password.
- Explain why tokens should be limited, rotated, and protected.
- Identify that secrets should not be committed to a repository.
- Explain why team-based access is easier to manage than user-by-user access.
- Distinguish repository-level access from organization-level administration.
Permissions and administration scenario checks
| Scenario | Best answer direction |
|---|---|
| A contractor needs temporary access to one repository | Grant limited repository access; avoid broad organization privileges |
| A team owns multiple related repositories | Use teams or group-based permissions |
| Sensitive production code should not be public | Review repository visibility and access controls |
| Contributors should not push directly to the default branch | Use branch rules or pull request review requirements conceptually |
| A user leaves the organization | Remove or update account access and tokens where applicable |
| Automation needs a secret value | Store it as a GitHub secret, not in code |
| Reviewers must approve changes before merge | Configure review requirements conceptually |
Repository security readiness
The exam may test basic awareness of GitHub security features and secure collaboration practices. Focus on what each feature is for, not deep configuration details.
| Security area | What to know |
|---|---|
| Dependabot concepts | Helps identify dependency updates and vulnerabilities |
| Secret scanning concepts | Helps detect committed secrets or credentials |
| Code scanning concepts | Helps identify potential vulnerabilities in code |
| Security advisories | Coordinate vulnerability information and remediation |
| Branch protection / repository rules | Help enforce review, checks, and safe merging |
| Least privilege | Give users and tools only the access required |
| Audit and activity visibility | Helps administrators investigate changes and access |
| Signed commits concept | Provides stronger assurance about commit origin when used |
Can you do this?
- Identify why committing credentials is dangerous.
- Explain why dependency updates matter for security.
- Recognize that security alerts need triage, not just acknowledgment.
- Explain why automated checks can block risky changes before merge.
- Distinguish code review from automated security scanning.
- Recognize that repository visibility is not the same as secure code.
- Explain why secrets should be stored in protected configuration areas for automation.
Common traps:
| Trap | Correct understanding |
|---|---|
| “Private repository means no security review is needed” | Private code still needs dependency, secret, and access controls |
| “A token is safe if it is in a private repo” | Tokens should not be committed anywhere |
| “Anyone who can read code should be able to administer the repository” | Administration should be limited |
| “Security tools fix every issue automatically” | Tools detect and assist; humans still review and remediate |
| “A passing build means the code is secure” | Build success and security assurance are different |
GitHub Actions basics
GitHub Actions provides automation for workflows such as CI, testing, publishing, issue triage, and deployment support.
Actions concepts checklist
- I can explain what a workflow is.
- I know workflows are defined with YAML files in a repository.
- I can explain that events trigger workflows.
- I can identify jobs and steps in a workflow.
- I can explain that actions are reusable units of workflow logic.
- I know runners execute workflow jobs.
- I understand secrets can be used by workflows without hardcoding sensitive values.
- I can distinguish workflow artifacts from source files.
- I can recognize a failed workflow check on a pull request.
Example workflow recognition:
name: Basic CI
on:
pull_request:
push:
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run tests
run: echo "Run project tests here"
You do not need to memorize every YAML option for a foundations-level checklist, but you should be able to identify the major parts:
| YAML part | Meaning |
|---|---|
name | Workflow display name |
on | Events that trigger the workflow |
jobs | Work units that run in the workflow |
runs-on | Runner environment selected for a job |
steps | Ordered commands or actions |
uses | Calls a reusable action |
run | Runs a shell command |
| Secrets reference | Uses stored sensitive values instead of hardcoded credentials |
Scenario cues:
| Scenario | GitHub Actions concept |
|---|---|
| Run tests when a PR is opened | Workflow triggered by pull request |
| Build when code is pushed | Workflow triggered by push |
| Prevent merge when tests fail | Required checks / branch rule concept |
| Use a cloud credential in automation | Repository or organization secret |
| Save build output | Artifact |
| Reuse standard setup logic | Marketplace or reusable action |
Developer productivity tools
Tool selection checklist
| Tool or feature | What it helps with |
|---|---|
| GitHub web interface | Browse code, review PRs, manage issues, edit simple files |
| GitHub Desktop | GUI-based Git and GitHub workflow |
| GitHub CLI | Command-line GitHub operations such as PRs and issues |
| Codespaces | Cloud-based development environment tied to a repository |
| Web editor | Quick in-browser file edits |
| GitHub Copilot concepts | AI-assisted coding and productivity support |
| GitHub Marketplace | Find actions, apps, and integrations |
| GitHub Pages | Publish static site content from a repository, when configured |
Can you do this?
- Choose GitHub Desktop for a user who prefers a graphical Git workflow.
- Choose GitHub CLI for terminal-based GitHub operations.
- Recognize Codespaces as a ready-to-use development environment scenario.
- Recognize the web editor as useful for small edits.
- Explain that Copilot can suggest code but does not replace review, testing, or security validation.
- Identify GitHub Marketplace as a source of apps and reusable actions.
Open source and community collaboration
Contribution workflow readiness
A common open source contribution flow looks like this:
- Find a repository and read its README and contribution guidance.
- Fork the repository if direct branch access is not available.
- Clone your fork.
- Create a branch.
- Make commits.
- Push to your fork.
- Open a pull request to the original repository.
- Respond to review feedback.
- Maintainers decide whether and how to merge.
Can you do this?
- Explain why external contributors often fork repositories.
- Identify the upstream repository versus the contributor’s fork.
- Explain how maintainers review and discuss proposed changes.
- Recognize why a code of conduct matters in community projects.
- Recognize why a license matters before reuse.
- Explain how issue templates and contribution guides reduce maintainer burden.
| Community artifact | Exam-ready meaning |
|---|---|
| License | Defines allowed use, modification, and distribution |
| Code of conduct | Sets behavior expectations |
| Contributing guide | Explains how to submit useful contributions |
| Security policy | Explains how to report vulnerabilities responsibly |
| README | Helps users and contributors understand the project |
| Discussions | Supports community conversation outside specific tracked issues |
Integrations, APIs, and ecosystem concepts
You should know that GitHub is extensible and can connect to other tools.
| Integration concept | What to understand |
|---|---|
| GitHub Apps | Integrations with controlled permissions |
| OAuth Apps | Apps that act with user authorization concepts |
| Webhooks | Event notifications sent to external systems |
| REST API | Programmatic access to GitHub resources |
| GraphQL API | Query-based programmatic access to GitHub data |
| GitHub CLI | Command-line interface for GitHub tasks |
| GitHub Packages | Package hosting associated with GitHub workflows |
| Marketplace | Discover apps and actions |
Scenario cues:
| Need | Likely concept |
|---|---|
| Notify an external service when a PR opens | Webhook |
| Script repository management | API or GitHub CLI |
| Install a reusable CI step | Marketplace action |
| Publish packages near source code | GitHub Packages |
| Connect a third-party planning or security tool | GitHub App or integration |
| Query specific repository metadata programmatically | REST or GraphQL API |
Troubleshooting and decision-point checks
Common symptoms and likely causes
| Symptom | Likely area to check |
|---|---|
| Push is rejected | Permissions, branch protection, authentication, remote branch state |
| Pull request cannot merge | Failed checks, required review, merge conflict, branch rule |
| Workflow did not run | Trigger event, workflow file location, YAML syntax, repository settings |
| Secret appears in repository history | Secret exposure; rotate secret and remove/mitigate exposure |
| User cannot access repository | Organization membership, team membership, repository permission, SSO/access policy concepts |
| Local branch is behind remote | Fetch or pull remote changes |
| Merge conflict appears | Same lines or files changed in competing branches |
| Issue lacks enough detail | Use templates or ask for reproduction/context |
| Reviewer cannot approve | Permission or reviewer assignment issue |
| Automation cannot access credential | Secret configuration or permission scope |
Decision prompts
Ask yourself these questions during scenario practice:
- Is the problem about source control, collaboration, automation, security, or administration?
- Is the actor a repository contributor, maintainer, organization owner, reviewer, or external user?
- Does the scenario require a Git feature or a GitHub platform feature?
- Is the change local only, or has it been pushed to GitHub?
- Should the person create a branch, fork the repository, or request access?
- Should the work be tracked as an issue, discussion, project item, or pull request?
- Is the goal to prevent a risky change, detect a problem, or respond after exposure?
- Does the scenario require human review, automated checks, or both?
- Is a secret, token, or key being handled safely?
- Is the proposed permission broader than necessary?
High-value “Can you do this?” checklist
Use this as a final readiness drill.
Fundamentals
- Define Git.
- Define GitHub.
- Explain repository, branch, commit, clone, fork, and remote.
- Describe how local changes become visible on GitHub.
- Explain why version history is useful.
- Identify the purpose of the default branch.
Collaboration
- Open a pull request conceptually from a feature branch.
- Explain what reviewers do in a pull request.
- Identify where automated checks appear.
- Explain when a merge conflict must be resolved.
- Link a pull request to an issue conceptually.
- Choose issues, discussions, projects, or milestones for a scenario.
Security and permissions
- Explain least privilege.
- Identify why 2FA is important.
- Explain the purpose of SSH keys and tokens.
- Recognize why secrets should not be committed.
- Match Dependabot, secret scanning, and code scanning concepts to scenarios.
- Explain how teams help manage access.
- Recognize when branch protection or repository rules are appropriate.
Automation
- Identify the parts of a GitHub Actions workflow.
- Explain what triggers a workflow.
- Distinguish jobs from steps.
- Explain what a runner does.
- Recognize when to use secrets in workflows.
- Interpret a failed check as a merge readiness signal.
Documentation and community
- Identify the purpose of README, LICENSE, CONTRIBUTING, SECURITY, and CODE_OF_CONDUCT files.
- Read and write basic Markdown.
- Explain a fork-based contribution workflow.
- Recognize the role of maintainers in open source.
- Explain why issue and PR templates improve collaboration.
Tools and ecosystem
- Choose between GitHub web UI, GitHub Desktop, GitHub CLI, and Codespaces.
- Explain GitHub Marketplace at a high level.
- Recognize webhooks and APIs as integration mechanisms.
- Explain GitHub Pages and Packages at a basic use-case level.
- Describe Copilot as an assistant that still requires review and validation.
Common weak areas and traps
| Weak area | What to fix before exam day |
|---|---|
| Confusing Git with GitHub | Practice explaining local version control versus hosted collaboration |
| Confusing fork with branch | Fork copies a repository; branch is a line of development within a repository |
| Thinking a PR is only for code | PRs can change documentation, configuration, workflows, and other files |
| Treating issues as the same as discussions | Issues track actionable work; discussions support broader conversation |
| Ignoring permissions in scenarios | Always identify who needs access and how much access is appropriate |
| Assuming private means secure | Security practices still apply to private repositories |
| Hardcoding secrets in workflows | Use GitHub secrets and appropriate access controls |
| Not reading PR status | Reviews, checks, conflicts, and rules all affect merge readiness |
| Overlooking repository documentation | README and community files are often the answer to collaboration problems |
| Thinking automation replaces review | CI and scans support review; they do not remove accountability |
| Forgetting external contributors may fork | Fork-based flow is common when direct write access is unavailable |
| Mixing up labels and milestones | Labels categorize; milestones group work toward a target |
| Confusing GitHub Projects with repositories | Projects track work; repositories store code and history |
Scenario practice matrix
Use this matrix to test whether you can choose the best GitHub feature quickly.
| Scenario | Best-fit concept |
|---|---|
| A team wants every change reviewed before it reaches the default branch | Pull requests plus branch protection or repository rules conceptually |
| A contributor outside the organization wants to propose a fix | Fork, branch, commit, pull request |
| A maintainer wants consistent bug reports | Issue template |
| A project lead wants to track work across many issues | GitHub Projects |
| A team wants tests to run on every pull request | GitHub Actions workflow |
| A build must not merge if tests fail | Required checks conceptually |
| A password was accidentally committed | Secret exposure response; rotate secret and address repository history |
| A dependency has a known vulnerability | Dependabot/security alert concepts |
| A user needs access to several repositories | Team-based access |
| A developer wants a cloud-hosted dev environment | Codespaces |
| A user wants command-line PR management | GitHub CLI |
| A site should be published from repository content | GitHub Pages |
| A package should be hosted alongside the project workflow | GitHub Packages |
| An external system needs notification when issues open | Webhook |
| A script needs to query repository data | GitHub API |
| Community members need a place for Q&A | Discussions |
| Contributors need rules for behavior | Code of conduct |
| Security researchers need reporting instructions | Security policy |
Final-week checklist
Seven to five days out
- Review all core terms: repository, branch, commit, pull request, issue, fork, clone, remote.
- Walk through a complete GitHub Flow scenario without notes.
- Review the difference between issues, discussions, projects, and milestones.
- Review common Git commands and what each command changes.
- Review basic repository documentation files and their purposes.
Four to two days out
- Practice permission and access scenarios.
- Review secure handling of tokens, SSH keys, and secrets.
- Review GitHub Actions vocabulary: workflow, event, job, step, runner, secret, artifact.
- Review pull request states: review needed, checks failed, conflict, ready to merge.
- Review open source contribution flow using forks and pull requests.
Final day
- Re-read the common traps table.
- Drill scenario cues instead of memorizing isolated definitions.
- Confirm you can explain each major GitHub feature in one or two sentences.
- Practice choosing the simplest correct GitHub feature for a scenario.
- Avoid cramming product limits, dates, or pricing details unless they appear in your official study materials.
Practical next step
Use this checklist to mark weak areas, then practice with scenario-based questions that force you to choose between similar GitHub features: branch vs. fork, issue vs. discussion, project vs. milestone, token vs. SSH key, and review requirement vs. automated check. Focus on explaining why the selected GitHub feature is the best fit for the situation.