GitHub Foundations Study Guide
GitHub Foundations validates entry-level knowledge of the GitHub platform: Git fundamentals, repositories, collaboration through issues and pull requests, GitHub Actions basics, and the wider GitHub ecosystem including security and account management. It is designed for developers, project managers, students, and anyone new to GitHub who wants to demonstrate baseline proficiency. The exam has roughly 75 questions, a 90-minute time limit, and is scored on a 100-1000 scale with 700 to pass.
Domain 1: Introduction to GitHub
- Git is a distributed version control system (DVCS): every clone is a full copy of the repository including its entire commit history, so work can continue offline.
- A commit is an immutable snapshot of staged changes, identified by a unique 40-character SHA-1 hash, and carries an author, committer, message, and timestamp.
- A repository is the version-controlled container for a project's files, complete change history, branches, issues, pull requests, and settings.
- Common Git workflow commands: git add stages changes, git commit records staged changes locally, git push uploads local commits to a remote, git clone copies a remote repo (with history) locally.
- git fetch downloads remote changes without merging them; git pull does a fetch AND merge into your current branch (pull = fetch + merge).
- Branches create independent, parallel lines of development; create and switch with git switch -c <branch> (or the older git checkout -b <branch>).
- A .gitignore file tells Git which files and paths to leave untracked, such as build artifacts, dependencies (node_modules), local config, and secrets.
- Starring a repository bookmarks it and signals appreciation but does NOT create a copy; forking creates your own copy you can change and propose back via pull request.
- GitHub is built on Git but adds collaboration features: a web UI, issues, pull requests, Actions, project boards, and access control.
- An organization is a shared account that lets teams own repositories together and manage members and permissions centrally.
- Two-factor authentication (2FA) adds a second verification step beyond a password and is now required for accounts that contribute code on GitHub.
- GitHub Free includes unlimited public and private repositories, with a limited monthly allotment of included GitHub Actions minutes and Packages storage.
- You can interact with GitHub via the web UI, the standard git CLI, and the GitHub CLI (gh) for issues, PRs, and repos from the terminal.
- GitHub Flavored Markdown is used in issues, PRs, and READMEs; links use the [text](https://example.com) syntax and task lists use - [ ] checkbox items.
Domain 2: Working with Repositories
- A pull request proposes changes from a source branch into a target branch (often main) and provides a place for discussion, review, and automated checks before merging.
- Issues track tasks, bugs, feature requests, and discussions; they can be assigned, labeled, grouped into milestones, and linked to pull requests.
- A fork is a personal copy of someone else's repository where you make changes independently and propose them back to the upstream via a pull request.
- A merge conflict occurs when different branches change the same lines and Git cannot auto-merge; it must be resolved manually before the merge completes.
- The main (default) branch is the primary, usually stable line of a project's code; branch protection rules can guard it.
- Branch protection rules can require pull request reviews, require status checks (CI) to pass, and prevent direct pushes before changes reach a protected branch.
- A CODEOWNERS file maps file paths to owners so the right reviewers are automatically requested when matching files change in a PR.
- Git LFS (Large File Storage) tracks large binaries by reference instead of committing them directly into history, keeping the repository small.
- Merge strategies: a standard merge keeps all commits, squash merge combines a PR into a single commit on main, and rebase merge replays commits without a merge commit.
- The Files changed tab on a pull request shows the diff and is where reviewers leave inline comments on specific lines.
- A shallow clone with git clone --depth 1 fetches only the latest commit (not full history), useful for faster CI checkouts.
- Branching models: trunk-based development uses short-lived feature branches with frequent merges to main; Git Flow uses long-lived develop, release, and hotfix branches.
- Use path filters in CI so only the components affected by a change are built, and maintain a thorough .gitignore so build artifacts are never committed.
- Code review exists to improve quality and catch issues through peer feedback before code is merged; keeping PRs small makes reviews faster and defects easier to spot.
Domain 3: Collaboration Features
- GitHub Actions is a CI/CD and automation platform that runs workflows in response to repository events such as push and pull_request, on a schedule, or via manual dispatch.
- Actions (the reusable units inside workflows) come in three types: JavaScript actions, Docker container actions, and composite actions; the Marketplace offers thousands of prebuilt ones.
- A README on the repository's main page documents the project's purpose, setup, and usage; it is the first thing visitors see.
- GitHub Pages hosts static websites directly from a repository (for example from the main branch, a /docs folder, or a gh-pages branch).
- GitHub Codespaces provides cloud-hosted development environments accessible in the browser or VS Code, with the repository pre-cloned and tooling preconfigured.
- GitHub Packages hosts and shares packages (npm, Maven, NuGet, RubyGems, Docker, etc.) alongside source code with the same permissions model.
- Linking a closing keyword like 'Closes #123', 'Fixes #123', or 'Resolves #123' in a PR description automatically closes that issue when the PR merges.
- Issue and pull request templates live in the .github directory; issue forms (YAML) can require structured fields so reports include needed information up front.
- Reviewers can comment, approve, or request changes on a pull request; required reviews via branch protection block merging until approval is given.
- Milestones group related issues and pull requests toward a shared goal or deadline and track completion progress.
- Teams within an organization let you grant repository permissions to groups of people at once instead of managing access per user.
- Reusable workflows let you define a workflow once in a central repository and call it from many repositories with the 'uses' keyword (workflow_call).
- Dependabot can open grouped dependency-update PRs and alert on vulnerable dependencies, reducing the noise of many separate update pull requests.
- Required status checks let you enforce that linters, formatters, and tests pass before a pull request can merge, keeping quality and style consistent automatically.
Domain 4: Modern Development
- GitHub Actions secrets are encrypted at rest, decrypted only in runner memory during execution, automatically masked from logs, and referenced as secrets.NAME; they can be set at repo, environment, or organization level.
- GitHub Advanced Security features include code scanning (SAST, often via CodeQL), secret scanning, and dependency review to find vulnerabilities before merge.
- Apply least privilege when granting access: give collaborators only the role they need (read, triage, write, maintain, or admin).
- Workflows are defined as YAML files in the .github/workflows/ directory; each specifies triggers (on), jobs, and steps.
- The GITHUB_TOKEN is an automatically created, short-lived token whose scope can be narrowed with the permissions key in a workflow for least-privilege automation.
- Environment protection rules can require manual approval or wait timers before a job deploys to a sensitive environment such as production.
- Speed up and reduce cost of workflows by caching dependencies with actions/cache, and skip unneeded runs using paths/paths-ignore filters on triggers.
- A matrix strategy runs a job across multiple OS or language-version combinations; use matrix include/exclude to limit it to the combinations you actually support.
- Self-hosted runners reuse your own hardware to avoid per-minute charges, but you become responsible for provisioning, securing, and maintaining the runner infrastructure.
- GitHub-hosted runners are free for public repositories; private repositories consume included minutes (with a multiplier for non-Linux runners) then billed usage.
- Control Actions and Packages cost by setting a spending limit in the account's billing settings; usage is billed monthly on the account's billing cycle.
- Reduce artifact and package storage costs by setting a short retention-days on upload-artifact steps and deleting old, unused package versions.
- Dependabot version updates keep dependencies current automatically, and Dependabot security updates raise PRs to patch known vulnerabilities.
- GitHub security best practices include enabling 2FA, rotating and scoping tokens, never hardcoding secrets, and ensuring changes to important branches are reviewed and tested before merging.
GitHub Foundations exam tips
- Know the precise difference between similar Git commands: fetch vs pull (pull adds the merge), merge vs rebase, and clone vs fork vs star; these distinctions are frequently tested.
- Memorize where configuration files live: workflows in .github/workflows/, plus CODEOWNERS, issue/PR templates, and dependabot.yml in the .github directory.
- Match the GitHub feature to the scenario: Pages for static sites, Codespaces for cloud dev environments, Packages for artifacts, Actions for automation, Projects/Milestones for planning.
- Watch for cost and billing questions: included free minutes, the spending limit in billing settings, monthly billing cycle, self-hosted runner trade-offs, and free runners for public repos.
- Read scenario questions carefully and pick the least-privilege, most-secure option (encrypted secrets, scoped GITHUB_TOKEN, branch protection with required reviews and status checks).
Study guide FAQ
How is the GitHub Foundations exam structured and scored?
It is a multiple-choice exam of roughly 75 questions with a 90-minute time limit, delivered online with a proctor. It is scored on a scaled range (about 100-1000) and you need 700 to pass. There is no required prerequisite exam.
What is the difference between forking and cloning a repository?
Forking creates a server-side copy of a repository under your own GitHub account so you can change it independently and propose changes back via pull request. Cloning copies a repository (with its history) to your local machine to work on it. You typically fork on GitHub, then clone your fork locally.
Do I need to be an expert at GitHub Actions to pass?
No. Foundations tests basics: what Actions is, that workflows are YAML files in .github/workflows/, common triggers (push, pull_request, manual, scheduled), and concepts like secrets, runners, caching, and reusable workflows. Deep authoring of complex pipelines is covered by GitHub Actions certification instead.
How much real hands-on experience do I need before taking it?
GitHub recommends a few months of general familiarity with GitHub. Being comfortable creating repositories, branching, opening issues and pull requests, doing reviews, and setting up a simple workflow is enough; you do not need professional CI/CD or administration experience.