GH-100 GitHub Administration Questions and Answers

A user’s repository access and team memberships are scoped to each organization, so admins must configure permissions separately per org.

When an organization enforces SAML SSO, each member must authorize their personal access tokens or SSH keys for that org, requiring separate approval for each SAML ‑ enabled organization

Roles and permission levels (owner, member, billing manager, repository roles, etc.) are assigned on a per ‑ organization basis, so a user often has different permissions in different organizations.

Team maintainers can manage nested sub ‑ teams - requesting to add or change parent/child teams within the organization’s hierarchy.

Team maintainers have permission to add and remove members from their team, controlling day ‑ to ‑ day team membership.

Use the Repository Settings → Manage Access page to view all users and teams with access and their assigned permission levels.

In the organization’s runner group settings, switch the access from “All repositories” to “Selected repositories” and then explicitly choose which repos may use those runners.

Revoke and/or rotate the exposed credentials immediately so they can no longer be used - this is the critical first step before you undertake any history ‑ rewriting or cleanup.

GitHub App Installation Access Tokens are privileged to the exact permissions you grant the App - down to individual repositories - and rotate automatically, making them the recommended choice for CI/CD automation workflows that demand least ‑ privilege, fine ‑ grained access.

Dependabot will automatically open a pull request that updates the direct dependency to a version which, in turn, resolves (or removes) the vulnerable transitive dependency—ensuring the fix is applied via your declared dependencies.

GitHub Apps issue short ‑ lived installation tokens that you scope to only the permissions and repositories your automation needs, reducing blast radius and automatically rotating credentials.

GitHub Marketplace Apps come with built ‑ in integrations to external services - so you can plug in things like CI servers, code-quality scanners, or deployment tools without writing and maintaining custom connectors.

Business ‑ impact security issues (for example, a critical vulnerability affecting your organization) are classified as High ‑ priority tickets and are covered under your Premium Support SLA.

Outages on GitHub.com that disrupt core Git or web application functionality trigger Urgent ‑ priority responses under Premium Support’s SLA.

By using enterprise ‑ level teams with inherited enterprise policies, you can group members across all your organizations and enforce the same security settings globally - ensuring every team abides by the enterprise’s mandatory policies.

GitHub security advisories let maintainers privately disclose, discuss fixes, and then publish vulnerabilities in a controlled manner within the repository.

Delete branch operations aren’t tracked as Git-activity events; the Git activity audit log only records Git events such as clone, fetch (pull), and push.

The Dependency Graph continuously analyzes your repository’s manifest and lock files to build an inventory of direct and transitive dependencies and flags any that match entries in the GitHub Advisory Database, surfacing known vulnerabilities.

Enterprise policies let you define and enforce mandatory settings across all member organizations - organization ‑ level policies then operate within the options that the enterprise policy exposes.

GitHub Apps authenticate as themselves with fine ‑ grained, installation ‑ scoped permissions and short ‑ lived tokens - rather than inheriting a user’s broad OAuth scopes - minimizing blast radius and aligning with least ‑ privilege principles.