Questions for the GH-100 were updated on: Nov 24, 2025
Which product's usage is not included in GitHub Enterprise Cloud's monthly metered billing report?
C
Explanation:
GitHub Discussions engagement isn’t a metered product and doesn’t appear in the “Product billing”
list, so its usage isn’t included in the monthly metered billing report.
You need GitHub to automatically notify a third-party service any time a new repository is created.
You want to avoid writing custom code. The vendor has told you that they have a tool in the GitHub
Marketplace. Which type of tool do you need?
A
Explanation:
You need a GitHub App. Marketplace integrations that listen for events like repository.created and
send notifications are delivered as GitHub Apps, since they can subscribe to organization-level
webhooks without you writing custom code.
Which factor affects GitHub Actions pricing for GitHub-hosted runners on GitHub Enterprise Cloud?
D
B. Number of contributors to the repository
Explanation: Incorrect. Contributor count does not impact billing for Actions.
C. Total number of repositories using Actions
D. Operating system used in the runner environment
Answer: D
Explanation:
GitHub Actions billing for GitHub-hosted runners is based on the number of minutes consumed and
the operating system of the runner - Linux, Windows, and macOS each have different per-minute
rates.
You are using GitHub-hosted runners and need to securely deploy to an internal system. The security
team requires that these runners use IP address ranges that would not be shared with other
companies. Which of the following approaches would meet their requirements?
D
Explanation:
GitHub’s larger runners let you reserve dedicated static IP addresses for your workflows - so you can
allow-list those IPs in your firewall and be sure they aren’t shared with any other tenant.
What needs to be done to ensure that only specific repositories can access the runners in an
organization runner group?
C
Explanation:
In the organization’s runner group settings, switch the access from “All repositories” to “Selected
repositories” and then explicitly choose which repos may use those runners.
You want to ensure a secret is automatically available to only workflows in internal and private
repositories in the organization. Where do you configure the required access policy?
D
Explanation:
You set the access policy on the Organization Secret itself - configuring its visibility so it’s scoped
automatically to only internal and private repositories.
What is the effect of enforcing a policy that restricts GitHub Actions to only those created by the
enterprise?
C
Explanation:
When you enforce the “Allow enterprise actions and reusable workflows” policy, GitHub will block all
workflows from using actions or reusable workflows that aren’t defined in a repository within your
enterprise - so only actions created inside your enterprise are allowed.
Which feature is unique to self-hosted runners?
A
Explanation:
Self-hosted runners support custom pre- and post-job scripts via runner hooks, letting you run
arbitrary scripts before a job starts and after it finishes - capabilities not available on GitHub-hosted
runners.
An organization wants to share a single API key required for their Actions workflows. They need to
restrict its use to only a subset of repositories. Where should they configure the secrets to minimize
maintenance?
C
Explanation:
By defining the API key as an organization secret, you centralize management and can grant access
only to the subset of repositories you choose - eliminating per-repo duplication while enforcing the
desired scope.
Which of the following are valid ways to pass data to a reusable workflow in a separate repository?
B, C
Explanation:
You declare named inputs in the reusable workflow’s on.workflow_call block and then pass values
from the caller using the with keyword, allowing the called workflow to consume those parameters.
You define required secrets in the caller repository and supply them to the reusable workflow via
the secrets keyword in the workflow-call step, ensuring sensitive values are securely passed.
Which of the following accurately contrasts a GitHub App and a GitHub Action?
D
Explanation:
GitHub Actions workflows are defined and triggered within a single repository’s context, whereas
GitHub Apps are installed at the organization or user level and can subscribe to events across
multiple repositories.
Which of the following GitHub token types supports fine-grained repository permissions AND is
recommended for CI/CD automation?
B
Explanation:
GitHub App Installation Access Tokens are limited to exactly the permissions you grant the App -
down to individual repositories - and rotate automatically, making them the recommended choice
for CI/CD automation workflows that demand least-privilege, fine-grained access.
How does Dependabot determine which security update PRs to open?
B
Explanation:
Dependabot relies on your repository’s enabled Dependency Graph and Dependabot Alerts to
identify vulnerable dependencies; it then automatically opens pull requests to update to the patched
versions that resolve those alerts.
What is the first step when sensitive data is accidentally pushed to a public GitHub repository?
A
Explanation:
Revoke and/or rotate the exposed credentials immediately so they can no longer be used - this is the
critical first step before you undertake any history-rewriting or cleanup.
What additional capability does secret scanning offer for private repositories on GitHub Enterprise
Cloud?
A
Explanation:
Secret scanning in private repositories on GitHub Enterprise Cloud lets you define and use custom
regular-expression patterns - so you can detect internal or proprietary secret formats beyond the
default partner-provided types.