All posts
🏢 GitHub Administration Certification Guide (GH-100) - Enterprise Mastery
Aug 15, 2025
Introduction
Welcome to Part 2 of the GitHub Certification Journey! 🏢
After mastering GitHub Foundations (GH-900), you’re ready to tackle GitHub Administration - the comprehensive enterprise administration certification that validates your ability to manage, govern, and administer GitHub at organisational scale. The GH-100 GitHub Administration certification demonstrates your expertise in enterprise GitHub management, user governance, and organisational administration.
This comprehensive guide provides everything needed to pass the GH-100 exam and become a GitHub Enterprise administrator. Whether you’re an IT administrator, enterprise architect, or platform engineer responsible for GitHub governance, this preparation roadmap will take you from basic administrative knowledge to advanced enterprise GitHub management.
Certification Overview
About GH-100 GitHub Administration
- Certification Name: GitHub Administration
- Exam Code: GH-100
- Duration: 150 minutes
- Question Count: ~65 questions
- Passing Score: 700/1000 (approximately 70%)
- Cost: $99 USD
- Validity: 3 years from certification date
- Prerequisites: GitHub Foundations (GH-900) and enterprise administration experience recommended
Who Should Take This Exam
- Enterprise GitHub administrators
- IT administrators managing developer platforms
- Platform engineers implementing GitHub governance
- DevOps engineers responsible for GitHub enterprise features
- Security administrators implementing GitHub policies
- Technical leads managing GitHub at organisational scale
Exam Domains Breakdown
The GH-100 exam covers six main domains with specific weightings:
Domain 1: Support Enterprise Administration (20%)
Core Competencies:
- Managing GitHub Enterprise Server and GitHub Enterprise Cloud
- Understanding enterprise billing and licensing models
- Implementing enterprise-wide policies and configurations
- Managing enterprise accounts and organisations
- Troubleshooting enterprise-level issues
Key Skills:
- Enterprise account hierarchy management
- Billing administration and cost optimisation
- Enterprise policy implementation
- Multi-organisation governance
- Enterprise support and escalation procedures
Domain 2: Manage User Identities and Access (25%)
Core Competencies:
- Implementing SAML/SCIM authentication and provisioning
- Managing user lifecycle and access controls
- Configuring external identity providers
- Implementing role-based access control (RBAC)
- Managing team and organisation memberships
Key Skills:
- SAML SSO configuration and troubleshooting
- SCIM user provisioning automation
- Identity provider integration (Azure AD, Okta, etc.)
- User access reviews and compliance
- Team and permission management
Domain 3: Enable Secure Software Development (20%)
Core Competencies:
- Implementing organisation-wide security policies
- Managing GitHub Advanced Security features
- Configuring branch protection and repository policies
- Implementing compliance and audit requirements
- Managing security reporting and monitoring
Key Skills:
- Security policy enforcement across organisations
- Branch protection rule management
- Compliance framework implementation
- Security audit and reporting
- Vulnerability management processes
Domain 4: Facilitate Collaboration and Communication (15%)
Core Competencies:
- Managing GitHub communication features
- Implementing project management and collaboration tools
- Configuring notification and integration systems
- Managing GitHub Apps and marketplace applications
- Optimising developer workflow and experience
Key Skills:
- Project and issue management configuration
- Integration and webhook management
- GitHub Apps administration
- Developer experience optimisation
- Communication policy implementation
Domain 5: Manage GitHub Actions (15%)
Core Competencies:
- Administering GitHub Actions at enterprise scale
- Managing self-hosted runners and runner groups
- Implementing Actions policies and security controls
- Managing workflow permissions and secrets
- Monitoring Actions usage and costs
Key Skills:
- Enterprise Actions policy configuration
- Self-hosted runner administration
- Workflow security and compliance
- Usage monitoring and cost management
- Runner scaling and optimisation
Domain 6: Manage GitHub Packages (5%)
Core Competencies:
- Administering GitHub Packages across organisations
- Managing package visibility and access controls
- Implementing package security and compliance
- Managing package storage and billing
- Integrating with external package registries
Key Skills:
- Package registry administration
- Access control and visibility management
- Package security policy implementation
- Storage optimisation and cost management
- External registry integration
Complete Study Plan
Phase 1: Enterprise Foundation Building (Weeks 1-2)
Week 1: GitHub Enterprise Architecture
- Understand GitHub Enterprise Cloud vs Server
- Learn enterprise account and organisation hierarchy
- Explore billing models and cost optimisation
- Practice with enterprise-level configurations
Daily Tasks:
- Explore GitHub Enterprise features and architecture
- Understand billing and licensing models
- Practice with enterprise account management
- Review organisation and team structures
Hands-On Labs:
# GitHub CLI enterprise administration
gh api /enterprises/ENTERPRISE/settings \
--method PATCH \
--field default_repository_permission="read" \
--field members_can_create_repositories=false
# Organisation management
gh api /orgs/ORG/members \
--jq '.[] | {login: .login, role: .role, type: .type}'
Week 2: Identity and Access Management Foundation
- Understand SAML SSO configuration and management
- Learn SCIM provisioning and user lifecycle
- Practice with identity provider integrations
- Explore access control and permission models
Practice Projects:
- Set up SAML SSO with test identity provider
- Configure SCIM provisioning workflows
- Implement team-based access controls
- Create user access review processes
Phase 2: User and Identity Management (Weeks 3-4)
Week 3: SAML and SSO Implementation
- Configure SAML authentication for organisations
- Implement identity provider integrations
- Practice with SSO troubleshooting and diagnostics
- Learn about Just-in-Time (JIT) provisioning
SAML Configuration Labs:
<!-- SAML assertion example for GitHub -->
<saml2:Assertion>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
user@company.com
</saml2:NameID>
</saml2:Subject>
<saml2:AttributeStatement>
<saml2:Attribute Name="login">
<saml2:AttributeValue>user.name</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="email">
<saml2:AttributeValue>user@company.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="full_name">
<saml2:AttributeValue>User Full Name</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Week 4: SCIM Provisioning and User Lifecycle
- Implement SCIM user provisioning
- Configure automated user lifecycle management
- Practice with user group synchronisation
- Learn about user access reviews and compliance
SCIM Implementation Example:
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "user.name",
"name": {
"givenName": "User",
"familyName": "Name"
},
"emails": [
{
"value": "user@company.com",
"type": "work",
"primary": true
}
],
"groups": [
{
"value": "developers",
"display": "Developers"
}
],
"active": true
}
Phase 3: Security and Governance (Weeks 5-6)
Week 5: Security Policy Implementation
- Configure organisation-wide security policies
- Implement branch protection and repository policies
- Set up compliance monitoring and reporting
- Practice with security policy enforcement
Enterprise Security Policy Configuration:
# Enterprise security policy template
enterprise_security_policy:
default_repository_settings:
private_vulnerability_reporting: enabled
dependency_graph: enabled
dependabot_alerts: enabled
dependabot_security_updates: enabled
secret_scanning: enabled
secret_scanning_push_protection: enabled
branch_protection_defaults:
required_status_checks:
strict: true
contexts: ["ci/build", "security/scan"]
enforce_admins: true
required_pull_request_reviews:
required_approving_review_count: 2
dismiss_stale_reviews: true
require_code_owner_reviews: true
restrictions:
users: []
teams: ["platform-team"]
Week 6: Compliance and Audit Management
- Implement compliance frameworks and controls
- Set up audit logging and monitoring
- Practice with compliance reporting
- Learn about regulatory requirements (SOC2, FedRAMP, etc.)
Audit and Compliance Monitoring:
# GitHub audit log analysis
import requests
import json
from datetime import datetime, timedelta
class GitHubAuditAnalyzer:
def __init__(self, enterprise, token):
self.enterprise = enterprise
self.headers = {
'Authorization': f'token {token}',
'Accept': 'application/vnd.github.v3+json'
}
def get_audit_events(self, phrase=None, include=None):
"""Retrieve enterprise audit events"""
url = f'https://api.github.com/enterprises/{self.enterprise}/audit-log'
params = {}
if phrase:
params['phrase'] = phrase
if include:
params['include'] = include
response = requests.get(url, headers=self.headers, params=params)
return response.json()
def analyze_admin_activities(self):
"""Analyze administrative activities"""
admin_events = self.get_audit_events(phrase='action:org')
activities = {}
for event in admin_events:
action = event.get('action', 'unknown')
if action not in activities:
activities[action] = 0
activities[action] += 1
return activities
Phase 4: Actions and Automation Administration (Weeks 7-8)
Week 7: GitHub Actions Enterprise Administration
- Configure GitHub Actions policies at enterprise level
- Implement self-hosted runner administration
- Set up runner groups and access controls
- Practice with Actions usage monitoring
Enterprise Actions Configuration:
# GitHub Actions enterprise policy
actions_policy:
enabled_organizations: "all"
allowed_actions: "selected"
allowed_actions_config:
github_owned_allowed: true
verified_allowed: true
patterns_allowed:
- "actions/*"
- "company-org/*"
default_workflow_permissions: "read"
can_approve_pull_request_reviews: false
runner_groups:
- name: "production-runners"
visibility: "selected"
organizations: ["prod-org"]
runners: ["runner-1", "runner-2"]
- name: "development-runners"
visibility: "all"
allow_public_repositories: false
Week 8: Package Management and Integration
- Administer GitHub Packages across organisations
- Configure package visibility and access controls
- Implement package security policies
- Practice with external registry integrations
Package Administration Scripts:
#!/bin/bash
# GitHub Packages administration
ORG="your-org"
TOKEN="your-token"
# List all packages in organisation
gh api "/orgs/$ORG/packages" \
--jq '.[] | {name: .name, visibility: .visibility, package_type: .package_type}'
# Configure package visibility
gh api "/orgs/$ORG/packages/npm/PACKAGE_NAME" \
--method PATCH \
--field visibility="private"
# Delete package version
gh api "/orgs/$ORG/packages/npm/PACKAGE_NAME/versions/VERSION_ID" \
--method DELETE
Hands-On Laboratory Exercises
Lab 1: Enterprise SAML SSO Implementation
Implement comprehensive SAML SSO across an enterprise GitHub organisation with automated provisioning.
Objectives:
- Configure SAML SSO with identity provider
- Implement user attribute mapping
- Set up automated user provisioning
- Test SSO functionality and troubleshooting
Implementation Steps:
- SAML Configuration:
<!-- SAML configuration for GitHub Enterprise -->
<EntityDescriptor entityID="https://github.com/orgs/YOUR_ORG">
<SPSSODescriptor>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://github.com/orgs/YOUR_ORG/saml/consume"
index="0" />
<AttributeConsumingService index="0">
<ServiceName xml:lang="en">GitHub</ServiceName>
<RequestedAttribute Name="login" isRequired="true" />
<RequestedAttribute Name="email" isRequired="true" />
<RequestedAttribute Name="full_name" isRequired="false" />
</AttributeConsumingService>
</SPSSODescriptor>
</EntityDescriptor>
- User Provisioning Automation:
# Automated user provisioning script
import requests
import json
class GitHubUserProvisioner:
def __init__(self, org, token):
self.org = org
self.headers = {
'Authorization': f'token {token}',
'Accept': 'application/vnd.github.v3+json'
}
def provision_user(self, username, email, teams=None):
"""Provision user and add to teams"""
# Invite user to organisation
invite_data = {
'email': email,
'role': 'direct_member'
}
if teams:
invite_data['team_ids'] = [self.get_team_id(team) for team in teams]
response = requests.post(
f'https://api.github.com/orgs/{self.org}/invitations',
headers=self.headers,
json=invite_data
)
return response.json()
def get_team_id(self, team_slug):
"""Get team ID by slug"""
response = requests.get(
f'https://api.github.com/orgs/{self.org}/teams/{team_slug}',
headers=self.headers
)
return response.json().get('id')
Lab 2: Comprehensive Security Policy Implementation
Create and implement organisation-wide security policies with automated enforcement.
Objectives:
- Design comprehensive security policy framework
- Implement automated policy enforcement
- Set up compliance monitoring and reporting
- Create security incident response procedures
Security Policy Framework:
# Comprehensive security policy configuration
security_framework:
repository_policies:
default_branch_protection:
required_status_checks:
strict: true
contexts:
- "continuous-integration"
- "security-scan"
- "dependency-check"
enforce_admins: true
required_pull_request_reviews:
required_approving_review_count: 2
dismiss_stale_reviews: true
require_code_owner_reviews: true
required_approving_review_count_for_admins: 1
restrictions:
users: []
teams: ["security-team", "platform-team"]
apps: []
allow_force_pushes: false
allow_deletions: false
security_features:
dependency_graph: "enabled"
dependabot_alerts: "enabled"
dependabot_security_updates: "enabled"
secret_scanning: "enabled"
secret_scanning_push_protection: "enabled"
private_vulnerability_reporting: "enabled"
access_controls:
default_repository_permission: "read"
members_can_create_repositories: false
members_can_create_internal_repositories: true
members_can_create_pages: false
members_can_fork_private_repositories: false
third_party_access:
saml_single_sign_on: "enabled"
two_factor_requirement: "enabled"
oauth_app_restrictions: "enabled"
Policy Enforcement Automation:
# Security policy enforcement automation
class SecurityPolicyEnforcer:
def __init__(self, org, token):
self.org = org
self.headers = {
'Authorization': f'token {token}',
'Accept': 'application/vnd.github.v3+json'
}
def enforce_branch_protection(self, repo, branch="main"):
"""Enforce branch protection rules"""
protection_config = {
"required_status_checks": {
"strict": True,
"contexts": ["ci/build", "security/scan"]
},
"enforce_admins": True,
"required_pull_request_reviews": {
"required_approving_review_count": 2,
"dismiss_stale_reviews": True,
"require_code_owner_reviews": True
},
"restrictions": None,
"allow_force_pushes": False,
"allow_deletions": False
}
response = requests.put(
f'https://api.github.com/repos/{self.org}/{repo}/branches/{branch}/protection',
headers=self.headers,
json=protection_config
)
return response.status_code == 200
def audit_repository_compliance(self):
"""Audit repository compliance against policies"""
repos = self.get_repositories()
compliance_report = []
for repo in repos:
compliance = self.check_repository_compliance(repo['name'])
compliance_report.append({
'repository': repo['name'],
'compliance_score': compliance['score'],
'issues': compliance['issues']
})
return compliance_report
Lab 3: GitHub Actions Enterprise Administration
Implement comprehensive GitHub Actions administration with self-hosted runners and enterprise policies.
Objectives:
- Set up enterprise GitHub Actions policies
- Deploy and manage self-hosted runner infrastructure
- Implement runner groups and access controls
- Monitor Actions usage and costs
Self-Hosted Runner Deployment:
# Docker Compose for self-hosted runners
version: '3.8'
services:
github-runner-1:
image: myoung34/github-runner:latest
environment:
- ORG_NAME=your-org
- ACCESS_TOKEN=${GITHUB_TOKEN}
- RUNNER_NAME=enterprise-runner-1
- RUNNER_WORKDIR=/tmp/runner/work
- LABELS=self-hosted,production,linux,x64
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /tmp/runner:/tmp/runner
restart: unless-stopped
github-runner-2:
image: myoung34/github-runner:latest
environment:
- ORG_NAME=your-org
- ACCESS_TOKEN=${GITHUB_TOKEN}
- RUNNER_NAME=enterprise-runner-2
- RUNNER_WORKDIR=/tmp/runner/work
- LABELS=self-hosted,production,linux,x64
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /tmp/runner:/tmp/runner
restart: unless-stopped
Actions Administration Scripts:
#!/bin/bash
# GitHub Actions enterprise administration
ORG="your-org"
TOKEN="your-token"
# Create runner group
gh api /orgs/$ORG/actions/runner-groups \
--method POST \
--field name="production-runners" \
--field visibility="selected" \
--field selected_repository_ids:='[123, 456]'
# List runner groups
gh api /orgs/$ORG/actions/runner-groups \
--jq '.runner_groups[] | {id: .id, name: .name, visibility: .visibility}'
# Get Actions usage statistics
gh api /orgs/$ORG/actions/billing/usage \
--jq '{total_minutes_used: .total_minutes_used, total_paid_minutes_used: .total_paid_minutes_used}'
Enterprise Administration Best Practices
Governance Framework
1. Administrative Hierarchy:
# Enterprise governance structure
governance_hierarchy:
enterprise_administrators:
responsibilities:
- Enterprise billing and licensing
- Organisation creation and management
- Enterprise-wide policy enforcement
- Compliance and audit oversight
organisation_owners:
responsibilities:
- Organisation security policies
- Team and repository management
- User access control
- Organisation billing oversight
team_maintainers:
responsibilities:
- Team membership management
- Repository access control
- Team-specific policies
- Developer onboarding
2. Access Control Framework:
# Role-based access control matrix
rbac_matrix:
repository_permissions:
read: ["all_members"]
write: ["team_members", "collaborators"]
admin: ["team_maintainers", "org_owners"]
organisation_permissions:
member: ["basic_access"]
moderator: ["issue_management"]
billing_manager: ["billing_access"]
owner: ["full_access"]
enterprise_permissions:
member: ["org_access"]
billing_manager: ["enterprise_billing"]
owner: ["enterprise_admin"]
Operational Excellence
Monitoring and Alerting:
# Enterprise monitoring and alerting system
class GitHubEnterpriseMonitor:
def __init__(self, enterprise, token):
self.enterprise = enterprise
self.client = GitHubClient(token)
def monitor_user_activity(self):
"""Monitor user login and activity patterns"""
audit_events = self.client.get_audit_events(
phrase='action:oauth_access_token'
)
activity_metrics = {
'total_logins': len(audit_events),
'unique_users': len(set(event['actor'] for event in audit_events)),
'failed_attempts': len([e for e in audit_events if e.get('failure')])
}
return activity_metrics
def monitor_security_compliance(self):
"""Monitor security compliance across organisations"""
orgs = self.client.get_enterprise_orgs()
compliance_summary = {}
for org in orgs:
compliance_summary[org['login']] = {
'saml_enabled': org.get('saml_enabled', False),
'2fa_required': org.get('two_factor_requirement_enabled', False),
'private_repos': org.get('private_repos', 0),
'total_repos': org.get('total_private_repos', 0)
}
return compliance_summary
Cost Optimisation Strategies
License Management:
# GitHub license optimisation
class GitHubLicenseOptimizer:
def __init__(self, enterprise, token):
self.enterprise = enterprise
self.client = GitHubClient(token)
def analyze_license_usage(self):
"""Analyze license usage and identify optimisations"""
consumed_licenses = self.client.get_license_consumption()
analysis = {
'total_licenses': consumed_licenses['total_seats_consumed'],
'active_users': self.count_active_users(),
'inactive_users': self.identify_inactive_users(),
'potential_savings': 0
}
inactive_count = len(analysis['inactive_users'])
analysis['potential_savings'] = inactive_count * self.get_license_cost()
return analysis
def recommend_optimisations(self):
"""Recommend license optimisations"""
analysis = self.analyze_license_usage()
recommendations = []
if analysis['inactive_users']:
recommendations.append({
'type': 'remove_inactive_users',
'description': f"Remove {len(analysis['inactive_users'])} inactive users",
'potential_savings': analysis['potential_savings']
})
return recommendations
Exam Tips and Strategies
Technical Preparation Focus Areas
Enterprise Administration Mastery:
- Multi-organisation management and hierarchy
- Billing administration and cost optimisation
- Enterprise policy implementation and enforcement
- Compliance frameworks and audit requirements
- Support escalation and troubleshooting procedures
Identity Management Expertise:
- SAML SSO configuration and troubleshooting
- SCIM provisioning and user lifecycle automation
- Identity provider integration patterns
- Access review and compliance processes
- Just-in-Time provisioning workflows
Security Governance Proficiency:
- Organisation-wide security policy design
- Branch protection and repository governance
- Compliance monitoring and reporting
- Security incident response procedures
- Risk assessment and mitigation strategies
Exam Day Strategy
Time Management:
- Allocate 1.8 minutes per question average
- Focus on enterprise-scale scenarios
- Use process of elimination for complex questions
- Reserve time for configuration review
Question Approach:
- Identify the administrative domain being tested
- Consider enterprise vs organisation-level implications
- Evaluate compliance and governance requirements
- Apply hands-on administrative experience
- Select the most scalable and secure solution
Common Exam Topics:
- SAML/SCIM configuration syntax and troubleshooting
- Enterprise policy implementation patterns
- Access control and permission management
- Actions administration and runner management
- Billing and license optimisation strategies
Official Study Resources
GitHub Documentation
Microsoft Learn Paths
- Administer GitHub Enterprise
- Implement GitHub administration and security
- Manage GitHub Actions in enterprise
Practice Platforms
Additional Practice Resources
Administration Communities
Hands-On Practice
- Set up GitHub Enterprise trial organisation
- Practice with identity provider integrations
- Implement comprehensive security policies
- Build administrative automation scripts
Final Preparation Checklist
Technical Skills Validation
- Can configure enterprise GitHub settings and policies
- Understand SAML SSO setup and troubleshooting
- Master SCIM provisioning and user lifecycle management
- Know security policy implementation across organisations
- Can administer GitHub Actions at enterprise scale
- Understand GitHub Packages administration
- Know billing and license management
- Can implement compliance monitoring and reporting
- Understand audit logging and analysis
- Know enterprise support and escalation procedures
- Can optimise costs and resource usage
- Understand integration with external systems
Exam Readiness Assessment
- Completed all study plan phases
- Finished hands-on administration laboratories
- Practiced with enterprise scenarios
- Reviewed official documentation thoroughly
- Taken practice assessments consistently
- Confident in all administration domains
- Registered for exam date
- Prepared exam day logistics
Next Steps in Your Journey
After achieving GH-100 certification, consider these advanced paths:
Advanced Certifications
- GitHub Copilot (GH-500): AI-powered development and enterprise Copilot administration
- Microsoft Certifications: Azure DevOps and cloud platform certifications
- Security Specialisation: Advanced security and compliance certifications
Career Advancement
- Enterprise Architect: Design large-scale GitHub implementations
- Platform Engineering Lead: Build and manage developer platforms
- DevOps Director: Lead enterprise DevOps transformation
- Technical Consultant: Provide GitHub expertise to enterprises
Conclusion
The GH-100 GitHub Administration certification validates your expertise in managing GitHub at enterprise scale and positions you as a crucial leader in organisational DevOps transformation. By following this comprehensive study guide, completing the hands-on administration laboratories, and practising with real-world enterprise scenarios, you’ll be well-prepared to pass the exam and excel in enterprise GitHub administration.
Remember that enterprise administration is constantly evolving with new features, security requirements, and compliance needs. Continue learning about emerging GitHub capabilities, industry best practices, and enterprise governance frameworks. The skills you develop preparing for this certification will serve you throughout your career in platform engineering and enterprise administration.
Ready to administer at scale? 🏢
Start your GitHub Administration mastery journey today, and join the ranks of certified enterprise administrators who are enabling developer productivity and organisational success worldwide.
This guide is part of the GitHub Certification Journey series. Previous: GitHub Advanced Security (GH-300) | Next: GitHub Copilot (GH-500) - Coming Soon
Have questions about GitHub Administration certification? Connect with me on LinkedIn or GitHub for guidance and support.
GitHub
Certification
GH-100
GitHub Administration
Enterprise
Administration
GitHub Enterprise
Governance
User Management