Medium GH-100 practice questions
Applied — put a concept to work in a realistic situation. 71 medium questions available — no sign-up, always free.
An enterprise administrator reviews the monthly Actions metered usage report and notices a sharp cost increase driven by one organization's CI workflows. Investigation shows these workflows run on GitHub-hosted 16-core larger runners, but the jobs are lightweight lint and unit-test steps that complete in under three minutes and never approach CPU or memory limits. The team originally chose larger runners hoping to speed up builds. What is the most appropriate optimization the administrator should recommend to reduce cost without harming these workflows?
You are the enterprise administrator for a GitHub Enterprise Cloud account with 12 organizations. Finance has asked you to produce an internal chargeback showing how many GitHub Actions minutes each individual organization consumed last month, broken down by the runner operating system (Linux, Windows, macOS) so they can apply the correct per-minute multipliers. Which approach gives you the most accurate, granular data to satisfy this request?
An enterprise owner notices that a compromised third-party action in one repository was able to push commits and create releases using the automatically generated GITHUB_TOKEN. They want to reduce the blast radius of the default token across all organizations without breaking existing workflows that explicitly request the permissions they need. Which enterprise-level setting should they configure?
An enterprise administrator receives complaints that a custom internal integration, which uses a GitHub App to bulk-create issues across hundreds of repositories, intermittently fails with HTTP 403 responses containing a 'You have exceeded a secondary rate limit' message. The primary hourly rate limit budget for the installation token is far from exhausted. The administrator is asked to recommend the most effective way to reduce these failures without requesting a special limit increase from GitHub. What should the administrator recommend?
An enterprise admin is investigating why a scheduled internal reporting tool that pulls repository metadata via the GitHub REST API intermittently fails with HTTP 403 responses during peak hours. The tool authenticates as a GitHub App installation. Support asks the admin to first determine whether the failures are caused by exhausting the app's hourly request budget before escalating. Which response header should the admin instruct the team to inspect to confirm this is a primary rate limit exhaustion?
A security incident report indicates that a repository's default branch protection was disabled sometime between 14:00 and 15:00 UTC on a specific day. As the enterprise owner, you need to programmatically retrieve only the audit log events that occurred within that one-hour window to identify who made the change, without pulling the entire log history. Which approach lets you scope the query most precisely?
Your compliance team requires that all enterprise audit log events on GitHub Enterprise Cloud be retained for seven years in a tamper-resistant store that your SIEM can query, well beyond GitHub's default retention window. The team also wants near-real-time delivery so security analysts can alert on suspicious events. As the enterprise owner, what is the most appropriate way to meet these requirements?
An enterprise administrator runs a fleet of self-hosted runners on a Kubernetes cluster to handle bursty CI demand. They notice that after a job completes, leftover files, cached credentials, and tool installations from previous jobs sometimes leak into subsequent jobs on the same runner, causing intermittent build failures and a potential security concern. They want to auto-scale runners with the actions-runner-controller (ARC) so each runner processes exactly one job and is then destroyed. Which runner configuration best meets this requirement?
A GitHub Enterprise Cloud administrator notices the monthly invoice has grown significantly beyond the predictable per-seat license cost. Investigation shows heavy usage of GitHub Actions minutes for private repositories and large amounts of GitHub Packages storage. The finance team wants to understand which parts of the bill are fixed versus variable so they can forecast future costs. How should the administrator explain the billing structure for these consumption-based services?
You administer a GitHub Enterprise Cloud organization. A development team needs CodeQL code scanning enabled on a JavaScript repository. They want the fastest possible way to get scanning running, but a separate legacy C/C++ repository requires a custom build command and a specific compiler toolchain before CodeQL can analyze it. Which configuration approach correctly satisfies both repositories?
A team of contractors needs to triage issues and pull requests in a private repository, plus manage repository labels and milestones. Company policy requires least-privilege access, and the contractors must NOT be able to push code, merge pull requests, or change repository settings. The organization owner wants a reusable role that can be applied across several repositories. What is the best way to grant this access?
You are the GitHub Enterprise administrator for an organization that has grown to 200 developers across 15 teams. Leadership wants to standardize the developer workflow so that all production code changes are peer-reviewed by domain owners before merging, while allowing individual teams flexibility on their feature-branch naming. Which approach best establishes an enforceable, consistent review standard across all repositories?
A security engineer enables Dependabot alerts on a repository, but no alerts appear even though the team knows a direct dependency in their Python project has a published CVE. The repository contains a requirements.txt file, and the dependency graph feature shows as enabled in the repository's Settings. What is the most likely reason Dependabot is not generating an alert?
You administer a GitHub Enterprise Cloud organization with hundreds of repositories. The security team complains that Dependabot alerts are overwhelming: developers are inundated with low-severity notifications and are ignoring the truly critical ones. Leadership wants a way to focus response effort on the highest-risk vulnerabilities across the organization without disabling Dependabot alerts entirely. Which approach best meets this requirement?
A platform team maintains a Node.js monorepo where Dependabot version updates are already enabled. Every week the team receives dozens of separate pull requests — one for each npm dependency that has a new release — which overwhelms reviewers and slows the merge queue. The team wants to keep receiving updates but consolidate related dependency bumps into a smaller number of pull requests per ecosystem. Which configuration change in dependabot.yml best achieves this?
A platform team at a fintech company wants Dependabot to automatically open pull requests for known security vulnerabilities in their npm dependencies as soon as advisories are published, but they explicitly do NOT want routine PRs opened just because a newer non-vulnerable version of a package is released. The repository already has the dependency graph enabled. Which configuration achieves exactly this behavior?
An enterprise administrator is establishing standard developer workflows across all organizations. Team leads want to guarantee that any change touching files in the `/infrastructure` directory is automatically reviewed by the platform engineering team before merge, without relying on developers to remember to add reviewers manually. Which approach should the administrator recommend to enforce this as a repeatable standard?
Your company uses a GitHub Enterprise Cloud account with Enterprise Managed Users (EMU) integrated with Azure AD (Entra ID) via SAML SSO and SCIM provisioning. An employee leaves the company, and the HR team removes them from the corporate identity provider. As the enterprise administrator, what happens to this user's GitHub account and access, and what is the correct expectation?
You administer an Enterprise Managed Users (EMU) instance for a financial services company. Compliance requires that every developer be protected by two-factor authentication. Your security team asks you to configure and enforce 2FA for all managed users directly in the GitHub enterprise settings. What should you tell them about implementing this requirement?
Contoso is adopting GitHub Enterprise Cloud and wants all developer identities to be fully controlled by their Azure AD tenant, so that accounts are automatically created and deprovisioned centrally and users cannot use these accounts for personal open-source contributions outside the company. The security team also requires that these accounts cannot exist or be used before the identity provider authenticates them. Which enterprise account type should Contoso choose to meet these requirements?
As an enterprise owner for a GitHub Enterprise Cloud organization with 30 orgs, leadership asks you to evaluate whether teams are actually adopting the security features you've paid to enable across the enterprise. You specifically want to see, at the enterprise level, how many repositories currently have code scanning, Dependabot, and secret scanning enabled versus disabled, so you can target the orgs that are lagging. Which built-in capability should you use to get this cross-org adoption view most efficiently?
You are the enterprise administrator for a GitHub Enterprise Cloud account with several organizations. Your security team asks you to identify every instance where a repository was changed from private to public across all organizations over the past 90 days, and they want this data pulled programmatically into their SIEM on a recurring schedule. Which approach best satisfies this requirement using native GitHub Enterprise capabilities?
Your company runs a GitHub Enterprise Cloud account with Enterprise Managed Users (EMU) enabled through Okta. A project lead asks you to add an external contractor's existing personal GitHub.com account as an outside collaborator on one private repository so the contractor can submit pull requests. What should you tell the project lead?
An enterprise administrator has created an organization-level ruleset targeting the default branch of all repositories in an organization. The ruleset requires pull requests with at least two approvals and blocks force pushes. A senior release engineer reports they need to occasionally push directly to the default branch during emergency hotfixes, but the platform team wants to preserve the two-approval requirement for everyone else and keep a record of who used the exception. What is the most appropriate way to accommodate this requirement?
As an enterprise owner, you enable a policy in the enterprise security settings that turns on secret scanning for all organizations and disables the ability for organization owners to change it. A few weeks later, an organization owner opens a support request claiming they cannot disable secret scanning for a repository containing intentionally committed test fixtures with fake credentials. What is the correct explanation and resolution?