2/8/2023 GitHub Administration Flashcards

1
Q

What are best practices for team-level organization? (3)

A

Nest teams to reflect your group's or company's hierarchy (teams can be nested)

Create teams based on interest or a specific technology to streamline the review process ("steel-thread")

Enable team sync between your identity provider and GitHub

2
Q

What permissions does an Admin or Team Maintainer have? (5 total)
*hint: team level

A

Create, modify, or delete a team

Add or remove outside collaborators

Enable or disable team discussions

Change the team's visibility within the org

Manage automatic code review assignments for pull requests

3
Q

What permissions does an Admin at the Organization level have? (6 total)

A

Invite users to join the org

Organize users into teams and grant "Team Maintainer" permissions

Add or remove outside collaborators

Set up security within the org

Set up billing or assign a billing manager

Apply org-wide changes

4
Q

Explain each level of the GitHub hierarchy and its purpose (Team, Org, Enterprise)

A

Team - Groups of members within an organization; used to grant repository access and request reviews as a unit

Organization - Shared spaces enabling users to collaborate across many projects at once

Enterprise - Allows owners to centrally manage policy for multiple organizations

5
Q

How many Actions minutes and how much storage are included per month for GitHub Free, Pro/Team, and Enterprise?

A

Free: 2k minutes per month w/ 500MB of storage
Pro: 3k minutes per month w/ 1GB of storage
Team: 3k minutes per month w/ 2GB of storage
Enterprise: 50k minutes per month w/ 50GB of storage

*Included minutes and storage are consumed only by private repositories; Actions usage on GitHub-hosted runners in public repositories is free

6
Q

What features do you get with GitHub Enterprise? (7 total)

A

Access control for GitHub Pages

Centralized billing

99.9% uptime SLA

Security, compliance, and deployment controls

SSO

GitHub Connect

Option to purchase GitHub Advanced Security (GHAS)

7
Q

What are the runner costs for Windows, Linux, and macOS?

A
  • Linux is 1 for 1 (1 min using a runner costs 1 min on your account)
  • Windows is 2 for 1 (1 min using a runner costs 2 mins on your account)
  • macOS is 10 for 1 (1 min using a runner costs 10 mins on your account)

*By default you cannot spend beyond your included minutes; if you raise your spending limit you are charged for whatever you use above them

8
Q

How do you calculate storage usage?

A

Storage amount * # of days * hours per day / [total hours in the month]

*Repeat this formula for each different storage amount held during the month and sum the results
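The runner multipliers from card 7 and the storage formula from card 8, worked through in code. This is an added example, not from the flashcards: the multipliers, the included minutes per plan and the formula are the ones the cards state; the plan keys and the sample month of usage are constructed for illustration.

```python
"""Estimate GitHub Actions billable minutes and prorated storage (GB-months).

Added example (not from the flashcards). The multipliers, included minutes
and storage formula are taken from the cards; the sample usage is constructed.
"""
from __future__ import annotations

# Per-OS multiplier: one runner minute costs this many account minutes.
OS_MULTIPLIER = {"linux": 1, "windows": 2, "macos": 10}

# Minutes included per month by plan (Pro and Team both get 3k).
INCLUDED_MINUTES = {"free": 2000, "pro": 3000, "team": 3000, "enterprise": 50000}


def billable_minutes(os_name: str, runner_minutes: int) -> int:
    """Account minutes consumed by `runner_minutes` of wall-clock time on `os_name`."""
    try:
        return runner_minutes * OS_MULTIPLIER[os_name.lower()]
    except KeyError:
        raise ValueError(f"unknown runner OS: {os_name!r}") from None


def overage_minutes(plan: str, jobs: list[tuple[str, int]]) -> int:
    """Billable minutes above the plan's included quota (0 if within quota).

    `jobs` is a list of (os_name, runner_minutes) pairs for the month.
    """
    used = sum(billable_minutes(os_name, mins) for os_name, mins in jobs)
    return max(0, used - INCLUDED_MINUTES[plan])


def storage_gb_months(periods: list[tuple[float, int]], days_in_month: int = 31) -> float:
    """Prorated storage for one month, in GB-months.

    `periods` is a list of (gigabytes_stored, number_of_days); the card's
    formula  GB * days * 24 / (days_in_month * 24)  is applied to each
    period and the results are summed.
    """
    hours_in_month = days_in_month * 24
    if sum(days for _, days in periods) > days_in_month:
        raise ValueError("periods cover more days than the month has")
    return sum(gb * days * 24 for gb, days in periods) / hours_in_month


if __name__ == "__main__":
    # Constructed sample month on a Team plan: three workloads.
    jobs = [("linux", 2500), ("windows", 200), ("macos", 30)]
    print("billable minutes:", sum(billable_minutes(o, m) for o, m in jobs))
    print("overage on Team plan:", overage_minutes("team", jobs))
    # 3 GB for 10 days, then 12 GB for the remaining 21 days of a 31-day month.
    print("storage GB-months: %.3f" % storage_gb_months([(3, 10), (12, 21)]))
```

The sample month shows why the multipliers matter: 30 minutes of macOS jobs cost as much as 300 Linux minutes, and the Team plan is already 200 minutes into overage even though the Linux share alone fits the quota.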

9
Q

What is the "SECURITY.md" file used for?

A

Tells contributors how to report security issues/bugs in the project; GitHub surfaces it from the repo's Security tab. It can live in the root, docs/, or .github/ folder.
(A way to responsibly disclose concerns)

10
Q

What are security advisories?

A

Allow repo maintainers to privately discuss and fix a security vulnerability within a project, then publish it once a fix is available.

11
Q

What is the purpose of the ".gitignore" file?

A

Preventive control that decreases the likelihood of committing sensitive information
"A file that tells Git which paths and patterns to ignore when staging files for a commit"

NOTE:
*Only as strong as the patterns written in it (files can slip through), and it has no effect on files that are already tracked
*Assume any data committed has been compromised
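A .gitignore aimed at the card's concern (credentials rather than build output), as an added example that is not from the flashcards; the file and directory names are common conventions, not anything the cards specify. Comments must sit on their own lines, since a trailing "#" would be read as part of the pattern.

```gitignore
# Constructed example .gitignore focused on keeping secrets out of commits.

# Environment files with real values; keep a placeholder template committed
.env
.env.*
!.env.example

# Private keys and certificates
*.pem
*.key
*.p12
*.pfx
id_rsa
id_ed25519

# Tool configs that commonly embed tokens
.npmrc
.netrc
credentials.json

# Build output and editor state
node_modules/
dist/
.vscode/
```

Two checks worth running: "git check-ignore -v <path>" prints which pattern (if any) matches a file, and "git ls-files | grep -i -E 'env|pem|key'" finds files that are already tracked, which .gitignore does not touch ("git rm --cached <path>" untracks them without deleting the working copy). "git add -f" bypasses the ignore list entirely, which is why the card says to assume anything committed is compromised.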

12
Q

What is a code owner and what is the purpose of the CODEOWNERS file?

A

Assigns teams or individuals as owners of specific files or paths in the repo.

Owners are automatically requested as pull-request reviewers when those files change (their approval can be made mandatory via branch protection)

*The file can be created in the root, docs/, or .github/ folder
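A CODEOWNERS file showing the pattern syntax, as an added example that is not from the flashcards; the organization, team slugs, user and paths are assumptions for illustration. Patterns follow .gitignore syntax, the last matching pattern wins, and every listed owner must already have write access to the repository.

```codeowners
# Constructed example CODEOWNERS (org, teams and paths are assumptions).
# Last matching pattern wins, so the catch-all goes first.

# Default owners for anything not matched by a later rule
*                       @example-org/maintainers

# Infrastructure and CI definitions: the platform team, plus security for workflows
/infra/                 @example-org/platform
/.github/workflows/     @example-org/platform @example-org/security

# Anything touching authentication or key material needs a security review
/src/auth/              @example-org/security
*.pem                   @example-org/security

# Documentation can be owned by an individual
/docs/                  @octocat
```

On its own this only requests reviews; to block merges until a code owner approves, turn on "Require review from Code Owners" in the branch protection rule for the protected branch.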

13
Q

What are common community health files found at an organizational level? (6 total)

A

CODE_OF_CONDUCT.md
CONTRIBUTING.md
FUNDING.yml
config.yml (issue template chooser config)
SECURITY.md
SUPPORT.md

*Placed in a public repository named .github so they act as defaults for every repo in the org that lacks its own copy

14
Q

What is branch protection? (1)
What rules are put in place with branch protection? (4)

A

Enforces certain workflows for one or more branches before changes can be merged
- Required review approvals
- Required status checks, for example:
  - Build complete
  - Linter (typos and conformance)
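The rules above expressed as a REST API call, as an added example that is not from the flashcards. It uses the branch-protection endpoint PUT /repos/{owner}/{repo}/branches/{branch}/protection; the owner, repo, status check names and approval count are assumptions, and the call only runs when a token with repo admin rights is supplied in GITHUB_TOKEN.

```python
"""Apply branch protection (approvals + status checks) via the GitHub REST API.

Added example, not from the flashcards. The repo, check names and counts
below are assumptions for illustration.
"""
from __future__ import annotations

import json
import os
import urllib.request

API = "https://api.github.com"


def protection_payload(
    status_checks: list[str],
    required_approvals: int = 1,
    require_code_owner_reviews: bool = True,
) -> dict:
    """Build the request body for the branch-protection endpoint.

    The API requires all four top-level keys to be present; a feature that is
    not wanted is sent as None (JSON null) rather than omitted.
    """
    if not 0 <= required_approvals <= 6:
        raise ValueError("required_approvals must be between 0 and 6")
    return {
        # PRs must pass these checks and be up to date with the base branch.
        "required_status_checks": {"strict": True, "contexts": status_checks},
        # Apply the rules to admins too; otherwise they can merge around them.
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,  # new commits invalidate old approvals
            "require_code_owner_reviews": require_code_owner_reviews,
            "required_approving_review_count": required_approvals,
        },
        # No push restrictions; use {"users": [...], "teams": [...]} to add them.
        "restrictions": None,
    }


def apply_protection(owner: str, repo: str, branch: str, payload: dict, token: str) -> int:
    """PUT the payload to the API and return the HTTP status (200 on success)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/branches/{branch}/protection",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    body = protection_payload(["build", "lint"], required_approvals=2)
    print(json.dumps(body, indent=2))
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # only touch the API when explicitly given credentials
        print(apply_protection("example-org", "example-repo", "main", body, token))
```

"enforce_admins" is the setting most often left off; without it the rule documents a process that admins are not actually held to. "strict": true is what makes "build complete" meaningful, since otherwise a PR can merge on a green check that ran against a stale base.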

15
Q

What are key security settings available to administrators? (6 total)

A

Access restrictions
Security documentation (SECURITY.md / security policy)
Security advisories
Dependabot alerts
Dependabot security updates
GitHub dependency graph

16
Q

What is the purpose of a pre-commit hook?

A

An automated check that runs before a commit is recorded, e.g. scanning the staged changes for sensitive information and aborting the commit if any is found

*Hooks run client-side and are skipped with "git commit --no-verify", so they complement rather than replace server-side secret scanning
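A working pre-commit hook of the kind the card describes, as an added example that is not from the flashcards. It parses the staged unified diff and flags only added lines, reporting the file and new line number. The regex set is a small illustrative sample rather than a complete ruleset, and the staged diff shown inline is constructed (the AWS key is the documented example-format value, not a real credential).

```python
#!/usr/bin/env python3
"""Pre-commit hook: block the commit if staged changes add secret-looking lines.

Added example, not from the flashcards. Install as .git/hooks/pre-commit
(executable). Run with --demo to scan the constructed SAMPLE_DIFF instead of
the real index.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Pattern name -> regex applied to each ADDED line of the staged diff.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hard-coded password": re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# "@@ -old,len +new,len @@": capture the starting line number on the new side.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def find_secrets(diff_text: str) -> list[tuple[str, int, str]]:
    """Return (path, new_line_number, pattern_name) for every added line that matches."""
    findings: list[tuple[str, int, str]] = []
    path, lineno = "", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif m := HUNK_HEADER.match(line):
            lineno = int(m.group(1))
        elif line.startswith("+") and not line.startswith("+++"):
            for name, rx in SECRET_PATTERNS.items():
                if rx.search(line):
                    findings.append((path, lineno, name))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1  # unchanged context line
        # removed ('-') lines do not advance the new-file line counter
    return findings


def staged_diff() -> str:
    """Unified diff of the index against HEAD, i.e. exactly what is about to be committed."""
    return subprocess.run(
        ["git", "diff", "--cached", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed staged diff for the demo: a real key lookup replaced by literals.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 REGION = "us-east-1"
+DEBUG = True
"""


if __name__ == "__main__":
    diff = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = find_secrets(diff)
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: possible {name}", file=sys.stderr)
    if hits:
        print("commit blocked: remove the secret, and rotate it if it is real", file=sys.stderr)
        sys.exit(1)
```

Scanning the diff rather than the whole working tree keeps the hook fast and avoids re-flagging historical findings, but it also means a secret that was committed before the hook was installed is never seen; that case is what the repo-scrubbing tools in card 17 are for.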

17
Q

What are two tools to scrub your repo if sensitive information has been committed?

A

BFG Repo-Cleaner
- Easy and efficient (set of default actions), however limited in its capabilities / less ability to customize
git filter-repo
- Syntax is complex and there is a strong risk of creating unforeseen problems in a repo's integrity (especially in a Windows environment)

*Once sensitive information is removed you must force-push the rewritten history to GitHub: "git push --force"

*Rewriting history does not purge cached views or references in pull requests; you may need to contact GitHub Support to have them removed, and the exposed secret should be treated as compromised and rotated regardless.

18
Q

What are two ways to log information? (Compliance, Internal Purposes)

A

GraphQL API

19
Q

What information should be included in a security advisory? (4)

A

Product and versions affected
Severity
Types of security weaknesses addressed by the project owner's actions
Impact, status of patches, and workarounds

20
Q

What two pieces of information are included in your org's audit log?

A

User that performed the action

Date and time of the action

21
Q

What SSO providers does GitHub currently support? (6)

A

AD FS
Azure AD
Okta
OneLogin
PingOne
Shibboleth

*You need to enforce SAML SSO via an org setting
*When enforced, GitHub removes any org member who has not authenticated successfully with the SAML IdP

22
Q

What kinds (types) of 2FA does GitHub support? (3)

A

Security keys
TOTP (authenticator app)
SMS

*You can review members for 2FA compliance and revoke access for those who are not compliant

23
Q

What does SCIM stand for?
What does SCIM do?

A

System for Cross-domain Identity Management - lets the IdP add, manage, or remove org members' access within GitHub automatically

24
Q

What are the SCIM usage limits when using Team Sync, and what happens when you exceed them?

A

Unexpected performance problems and sync failures

Max # of members in a GitHub team: 5k
Max # of members in a GitHub organization: 10k
Max # of teams in a GitHub organization: 1,500

25
Q

What IdPs does Team sync work with? (2)
Can you disable Team Sync?

A

Azure AD
Okta

Yes - you can disable Team Sync

26
Q

What permissions are required to enable Team Sync with Azure AD? (3)

A

Read all users' full profiles
Sign in and read user profile
Read directory data

27
Q

What IdPs are compatible with the GitHub SCIM API for orgs? (3)

A

Azure AD
Okta
OneLogin

28
Q

What are the key takeaways for EMU (Enterprise Managed Users)? (4 total)

A

Onboarding new employees
Offboarding employees
Reduced accidental IP leakage
Consultant administration (temporary access based on the IdP)

29
Q

What is GitHub Connect?

A

Shares data between GitHub Enterprise Server and GitHub Enterprise Cloud

30
Q

What are the key takeaways for GitHub AE? (4)

A

GHAE "GitHub AE"
- Isolated environment, self-managed, private
- Hosted in Azure
- Supports FedRAMP (ATO), ISO 27001, SOC 1, SOC 2 Type II, SOC 3
- GitHub Support helps with issues

31
Q

Who owns the user accounts on GitHub.com (users or the enterprise)?

A

Users

32
Q

What are the best practices for managing a GitHub Enterprise? (Organization level) (2)

A

Organizations:
- Have as few orgs as possible
- Have multiple owners

Teams:
- Focus on top-level corporate divisions

33
Q

What are ways to organize your team structure?

A

Based on:
- Interest (teams based on a technology)
- Organizational unit (replicate your org structure)
- Product teams (keep them product-centric)

34
Q

For authentication using GitHub Apps, how many applications can a user or org own, and with how many requests?

A

100 GitHub Apps
Up to 15k requests per hour (for installations on Enterprise Cloud orgs)

35
Q

For authentication using OAuth, how many applications can a user or org own, and with how many requests?

A

100 OAuth Apps
- Up to 5k requests per hour

36
Q

When should PATs (personal access tokens) primarily be used?

A

For personal use only
- Never use them for global setup of services at the company (they are tied to one user's account and lifecycle)

37
Q

How long are audit logs retained by default?

A

90 days

38
Q

What are Actions best practices? (6)

A
  • Limit token permissions
  • Use the GITHUB_TOKEN when possible
  • Run only trusted actions
  • Protect secrets with environments
  • Create starter workflows
  • Create meaningful README files

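The first four practices above in one workflow, as an added example that is not from the flashcards: read-only GITHUB_TOKEN by default with a narrow job-level escalation, third-party actions pinned to a full commit SHA (the placeholder stands in for a real 40-character SHA), and a deploy-time secret scoped to an environment. The environment and secret names are assumptions.

```yaml
# Constructed example workflow (not from the flashcards). The SHA placeholder,
# the "production" environment and DEPLOY_TOKEN are assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the GITHUB_TOKEN is read-only for every job unless a job
# explicitly raises a specific permission.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA (the tag is kept as a
      # comment); a moving tag like @v4 can be repointed by the action's owner.
      - uses: actions/checkout@<full-40-char-commit-sha>  # v4
      - run: npm ci && npm test

  deploy:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Environment-scoped secrets are only exposed to jobs that target this
    # environment, and the environment can require reviewers before the job runs.
    environment: production
    permissions:
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@<full-40-char-commit-sha>  # v4
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Because the secret is attached to the "production" environment rather than the repository, a pull request from a fork (or any job without "environment: production") never sees DEPLOY_TOKEN even if the workflow file is modified.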
39
Q

What are the key takeaways of GHES? (4)

A

GHES "GitHub Enterprise Server"
- On-prem, self-managed, private infrastructure
- Supports GitHub Connect
- Supports GHAS
- Runs as a virtual appliance on a hypervisor

40
Q

What are the key takeaways of GHEC? (4)

A

GHEC "GitHub Enterprise Cloud"
- Good for public, open-source collaboration
- SaaS, easy and fast
- Minimal configuration (private, yet on the internet)
- Accounts belong to users except with EMU (Enterprise Managed Users)