Manage GitHub Actions
Drill 15 practice questions focused entirely on Manage GitHub Actions for the GitHub GH-100 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
An enterprise owner notices that a compromised third-party action in one repository was able to push commits and create releases using the automatically generated GITHUB_TOKEN. They want to reduce the blast radius of the default token across all organizations without breaking existing workflows that explicitly request the permissions they need. Which enterprise-level setting should they configure?
An enterprise administrator runs a fleet of self-hosted runners on a Kubernetes cluster to handle bursty CI demand. They notice that after a job completes, leftover files, cached credentials, and tool installations from previous jobs sometimes leak into subsequent jobs on the same runner, causing intermittent build failures and a potential security concern. They want to auto-scale runners with the actions-runner-controller (ARC) so each runner processes exactly one job and is then destroyed. Which runner configuration best meets this requirement?
Your enterprise runs security-sensitive CI/CD workflows on GitHub-hosted larger runners. The security team requires that all outbound traffic from these runners to your internal Azure resources travels over a private network without traversing the public internet, and that the runners receive IP addresses from your own Azure virtual network. As the enterprise administrator, what is the correct approach to meet this requirement?
As an organization owner, you want to restrict which GitHub Actions can run across all repositories in your organization. Company policy requires that only actions authored by GitHub, a small set of specified third-party actions (referenced by exact owner/repo), and any actions defined within your own organization's repositories be permitted. Which Actions policy configuration in the organization settings satisfies this requirement with the least ongoing maintenance?
You are the org owner for the 'payments' organization. A new organization-level Actions secret named STRIPE_API_KEY must be usable only by three specific repositories: 'checkout-service', 'billing-worker', and 'invoice-api'. No other current or future repositories in the org should have access to this secret. Which configuration should you apply when creating the organization secret?
An organization owner created an organization-level Actions secret named DEPLOY_TOKEN with its access policy set to 'Selected repositories', granting three repositories access. A new repository, 'payments-api', now needs to run a workflow that consumes DEPLOY_TOKEN, and the platform team wants to avoid duplicating the secret value in each repository. What is the most appropriate action to grant 'payments-api' access to the existing secret?
An enterprise owner wants every repository across all organizations to be able to call a centrally maintained reusable workflow stored in a private repository named 'org-shared/ci-templates'. However, the organization's Actions policy is currently set to 'Allow enterprise, and select non-enterprise, actions and reusable workflows', and repositories report that they cannot reference the reusable workflow. What is the correct action to enable this while keeping the restrictive policy in place?
Your enterprise wants to standardize a build-and-lint step used by dozens of repositories across several organizations. A platform team maintains the logic in a single private repository as a composite action. Consuming workflows reference it as 'my-org/ci-actions/build-lint@v2'. The platform team plans frequent bug fixes and occasional breaking changes, and wants consumers to automatically receive non-breaking fixes without editing their workflows, while being protected from breaking changes. Which release strategy for the central action best meets these requirements?
An enterprise owner wants a specific set of self-hosted runners with GPU capabilities to be available only to repositories in the 'ml-platform' and 'data-science' organizations, but not to any other org in the enterprise. The runners are already registered at the enterprise level. What is the correct way to enforce this restriction?
Your enterprise has a runner group named 'prod-deploy-runners' containing self-hosted runners with access to production deployment credentials. Currently the runner group is available to all repositories in the 'platform' organization. Security requires that only the 'billing-service' and 'payments-api' repositories be allowed to send jobs to these runners, and that no future repository automatically gains access. As the organization owner, what is the most appropriate configuration?
An enterprise administrator has registered a pool of self-hosted runners at the enterprise level and placed them in a runner group named 'shared-linux'. Several organizations need to use these runners, but the security team requires that only two specific organizations ('platform' and 'payments') can access them, while all other organizations must be denied. Which configuration correctly enforces this requirement?
Your enterprise on GitHub Enterprise Cloud has enabled an IP allow list at the enterprise level to restrict access to organization resources. After enabling it, your self-hosted runners hosted in a corporate data center suddenly fail to connect and jobs remain queued. The runners previously worked correctly. What is the most appropriate action to restore runner connectivity while keeping the IP allow list active?
An enterprise administrator notices that self-hosted runner jobs in a busy organization are completing far slower than expected during peak hours, even though jobs are not stuck in the queue. The team wants to determine whether the runner virtual machines are CPU- or memory-constrained during workflow execution so they can right-size the hosts. Which approach best provides the ongoing runner-level resource utilization data needed to make this decision?
An enterprise administrator notices that CI jobs in a busy organization are stuck in the 'Queued' state for 15-20 minutes before starting on self-hosted runners. The runner group has 4 registered self-hosted runners, all of which show as 'Idle' in the runner settings UI, yet jobs are not being picked up. Job labels in the workflow specify 'runs-on: [self-hosted, linux, gpu]'. What is the MOST likely cause of the queuing delay?
Your enterprise's security team mandates that all long-lived credentials be centralized in HashiCorp Vault rather than stored as GitHub Actions encrypted secrets. A platform team needs their Actions workflows to retrieve database credentials from Vault at runtime without storing any static Vault token in GitHub. Which approach best satisfies this requirement?
More GH-100 practice
Keep going with the other GitHub Enterprise Administrator (GH-100) domains, or take a full timed mock exam.
← Back to GH-100 overview