GH-100 GitHub Administration Questions and Answers

Fine‑grained personal access tokens let you scope permissions down to individual repositories, whereas classic PATs grant access across every repo the user can reach.

Revoke and/or rotate the exposed credentials immediately so they can no longer be used - this is the critical first step before you undertake any history‑rewriting or cleanup.

CodeQL differs from traditional static analysis tools by ingesting your code into a queryable database and letting you write QL queries - its own database‑style language - to express semantic checks and find patterns across the codebase.

By defining the API key as an organization secret, you centralize management and can grant access only to the subset of repositories you choose - eliminating per‑repo duplication while enforcing the desired scope.

When you enforce the “Allow enterprise actions and reusable workflows” policy, GitHub will block all workflows from using actions or reusable workflows that aren’t defined in a repository within your enterprise - so only actions created inside your enterprise are allowed.

Self‑hosted runners support custom pre‑and post‑job scripts via runner hooks, letting you run arbitrary scripts before a job starts and after it finishes - capabilities not available on GitHub‑hosted runners.

Enterprise Managed User accounts are provisioned and authenticated exclusively through your identity provider (for example, Azure AD), so the IdP handles their creation, attribute updates, and deprovisioning.

Managed user accounts cannot create public content or interact with repositories outside your enterprise; they’re confined to private and internal repos within the enterprise.

EMU accounts are owned and controlled by the enterprise (via the IdP) and cannot be converted into or unlinked as personal accounts outside that enterprise.

Billing for GitHub Enterprise Cloud under metered (usage‑based) billing is calculated by the total number of Enterprise Managed Users (and other license‑consuming accounts) in your enterprise - each EMU consumes a seat and contributes to the monthly bill.

GitHub Apps authenticate with short‑lived installation tokens scoped to fine‑grained permissions and, when owned by a GitHub Enterprise Cloud organization, enjoy a higher rate limit (15,000 requests/hour) compared to a machine account’s personal access token.

GitHub Marketplace Apps come with built‑in integrations to external services - so you can plug in things like CI servers, code-quality scanners, or deployment tools without writing and maintaining custom connectors.

You declare named inputs in the reusable workflow’s on.workflow_call block and then pass values from the caller using the with keyword, allowing the called workflow to consume those parameters.

You define required secrets in the caller repository and supply them to the reusable workflow via the secrets keyword in the workflow-call step, ensuring sensitive values are securely passed.

You must have administrator‑level SSH access to the GitHub Enterprise Server appliance so you can run the ghe-support-bundle command over SSH and capture the bundle locally.

Each API call authenticated with a token generates its own audit-log event, so you’ll see a distinct entry for every action performed across different resources, each annotated with the token’s hashed ID, actor, and source IP.

GitHub App Installation Access Tokens are privileged to the exact permissions you grant the App - down to individual repositories - and rotate automatically, making them the recommended choice for CI/CD automation workflows that demand least‑privilege, fine‑grained access.

Delete branch operations aren’t tracked as Git-activity events; the Git activity audit log only records Git events such as clone, fetch (pull), and push.