GitHub's certification program has matured into a focused four-track portfolio (Foundations, Actions, Administration, Advanced Security). Among them, the GitHub Actions Certification (GH-200) is the most career-relevant for developers, DevOps engineers, and platform engineers because GitHub Actions is now the dominant CI/CD runner across open-source and a fast-growing share of enterprise pipelines.
Exam At a Glance
| Attribute | Value |
|---|---|
| Exam code | GH-200 |
| Cost (USD) | $99 |
| Format | Multiple choice + multiple-response + true/false |
| Number of questions | Approximately 65 |
| Duration | 120 minutes |
| Passing score | ~70% |
| Validity | 2 years |
| Recommended experience | 6+ months building Actions workflows |
Exam Domains
| Domain | Approx weight |
|---|---|
| 1. Author and maintain workflows | 40% |
| 2. Consume workflows | 20% |
| 3. Author and maintain actions | 25% |
| 4. Manage GitHub Actions for the enterprise | 15% |
What the Exam Actually Tests
Workflow Authoring (40%)
- YAML syntax for `jobs`, `steps`, `strategy`, `matrix`
- Triggers: `push`, `pull_request`, `schedule`, `workflow_dispatch`, `repository_dispatch`, `workflow_run`, `workflow_call`
- Filtering (`branches`, `tags`, `paths`, `paths-ignore`)
- Contexts and expressions (`github`, `env`, `secrets`, `steps`, `needs`)
- Conditionals (`if`), job dependencies (`needs`), and fail-fast strategies
- Reusable workflows vs composite actions — the most-tested distinction
- Caching with `actions/cache`; artifacts vs caches
Consuming Workflows (20%)
- Calling reusable workflows across repos
- Marketplace vetting and pinning actions to commit SHAs (security best practice)
- Environment-specific secrets and required reviewers on environments
- Deployment protection rules
Authoring Actions (25%)
| Action type | When to use | Notes |
|---|---|---|
| JavaScript | Cross-OS portability, fastest start | Runs on the runner host directly |
| Docker container | Linux only, isolate dependencies | Slower cold start; specify image in action.yml |
| Composite | Group multiple shell steps as one action | No language runtime needed |
Know the action.yml schema: inputs, outputs, runs, branding. Understand versioning (tag, branch, or SHA) and publishing to GitHub Marketplace.
Enterprise Management (15%)
- Self-hosted runners: single-machine, runner groups, autoscaling with ARC (Actions Runner Controller on Kubernetes)
- Runner labels and targeting
- Allow lists for actions (organisation- and enterprise-level policy)
- OIDC integration with cloud providers (replaces long-lived secrets)
- Audit log and billing for Actions minutes
Critical Concepts Most Candidates Miss
Reusable Workflow vs Composite Action
| Aspect | Reusable workflow | Composite action |
|---|---|---|
| Called via | uses: org/repo/.github/workflows/file.yml@ref | uses: org/repo/path@ref |
| Trigger | on: workflow_call | No trigger — runs in the calling job |
| Can contain jobs? | Yes (own jobs, own runners) | No — runs inline in the parent step |
| Secrets | Explicit secrets input or secrets: inherit | Inherits the parent's context |
| Use case | Cross-repo standardisation, multi-job pipelines | Bundle shell commands as one step |
OIDC Cloud Authentication
Storing long-lived AWS/Azure/GCP credentials as GitHub secrets is now considered an anti-pattern. The exam expects you to know:
- The `id-token: write` permission needed in workflow YAML
- How OIDC trust is configured on the cloud side (subject claim, audience)
- Why OIDC eliminates static credentials and reduces blast radius
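To make the subject and audience checks concrete, here is an added example (not from the original guide) that models the cloud-side trust decision in simplified form. The organisation and repository names, the two policies, and the glob-style subject matching are assumptions for illustration; the claims are constructed and assumed to come from a token whose signature was already verified.

```python
from fnmatch import fnmatchcase

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed claims shaped like a GitHub Actions OIDC token payload
# (example-org, payments and sandbox are hypothetical names).
CLAIMS_MAIN = {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com",
               "sub": "repo:example-org/payments:ref:refs/heads/main"}
CLAIMS_FEATURE = dict(CLAIMS_MAIN, sub="repo:example-org/payments:ref:refs/heads/feature-x")
CLAIMS_OTHER_REPO = dict(CLAIMS_MAIN, sub="repo:example-org/sandbox:ref:refs/heads/main")
CANDIDATES = [CLAIMS_MAIN, CLAIMS_FEATURE, CLAIMS_OTHER_REPO]

# Two hypothetical trust policies for the same cloud role.
STRICT = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/payments:ref:refs/heads/main"}
BROAD = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/*"}


def trust_decision(claims, policy):
    """Simplified cloud-side check: issuer, then audience, then subject pattern."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    if claims.get("aud") != policy["aud"]:
        return False, "audience mismatch"
    if not fnmatchcase(claims.get("sub", ""), policy["sub"]):
        return False, "subject not allowed"
    return True, "ok"


def who_can_assume(policy, candidates):
    """Return the subjects from `candidates` that the policy would admit."""
    return [c["sub"] for c in candidates if trust_decision(c, policy)[0]]


if __name__ == "__main__":
    print("strict:", who_can_assume(STRICT, CANDIDATES))
    print("broad: ", who_can_assume(BROAD, CANDIDATES))
```

The strict policy admits only the `main` branch of one repository, while the wildcard policy admits every branch of every repository in the organisation, which is the blast-radius difference the subject claim controls.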
Concurrency & Cancellation
- `concurrency.group` and `concurrency.cancel-in-progress: true` for PR build cancellation
- Per-environment concurrency for serialised deploys
- Distinguishing job-level vs workflow-level concurrency
Security Hardening
- Pin third-party actions to a full commit SHA, not a tag
- Restrict default `GITHUB_TOKEN` permissions to `read` at workflow level, escalate per job
- Use `permissions:` block defensively
- Disable forking-PR access to secrets via repo settings
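The first three items can be checked mechanically. The following added example (not part of the original guide) audits a workflow file for action references that are not pinned to a full commit SHA and for a missing workflow-level `permissions:` block. The sample workflow is constructed, the `example-org` actions are hypothetical, and the SHA is a placeholder rather than a real commit.

```python
import re

# Constructed sample workflow (not from the original page). The 40-hex value
# is a placeholder, not a real commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@main
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-composite
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_LEVEL_PERMS_RE = re.compile(r"^permissions:", re.MULTILINE)


def unpinned_actions(workflow_text):
    """Return `uses:` references whose ref is not a full 40-hex commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        # Local actions and docker:// images are not versioned by Git ref.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def audit(workflow_text):
    """Collect hardening findings for one workflow file."""
    findings = [f"unpinned action: {r}" for r in unpinned_actions(workflow_text)]
    if not TOP_LEVEL_PERMS_RE.search(workflow_text):
        findings.append("no workflow-level permissions: block")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WORKFLOW):
        print(line)
```

The same regular expression also matches job-level `uses:` lines, so calls to reusable workflows are checked for SHA pinning as well.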
Sample Question Style
A team wants every job in a multi-job workflow to be re-runnable from a failed step. Which feature should they configure?
(A) `retry` on the job
(B) `continue-on-error: true`
(C) Re-run failed jobs from the GitHub UI
(D) `workflow_run` trigger on the same workflow
Correct answer: C. GitHub Actions has a native "Re-run failed jobs" option that re-executes only failed jobs while preserving successful ones. The other options change semantics.
5-Week Study Plan
| Week | Focus | Hands-on |
|---|---|---|
| 1 | YAML, triggers, jobs, contexts | Build a CI workflow with matrix for 3 Node versions |
| 2 | Reusable workflows + composite actions | Extract a common deploy job into a reusable workflow |
| 3 | Publish a JavaScript action to Marketplace | Write & tag a versioned action |
| 4 | Self-hosted runners + OIDC to AWS | Federate to AWS, assume IAM role via OIDC |
| 5 | Practice tests + review weak domains | 2 timed full-length attempts |
Recommended Resources
- GitHub Skills (skills.github.com) — free interactive Actions courses
- GitHub Actions documentation — required, especially the Reusing workflows and Security hardening pages
- act (nektos/act) — run Actions workflows locally to iterate faster
- "Learning GitHub Actions" by Brent Laster (O'Reilly, 2024)
- CertQnA GH-200 practice questions — free
GH-200 vs GitHub Foundations vs GHAS Cert
| Cert | Level | Best for |
|---|---|---|
| GitHub Foundations | Foundational | Newcomers; covers full GitHub product surface |
| GitHub Actions (GH-200) | Associate | Developers and DevOps writing pipelines |
| GitHub Administration (GH-300) | Associate | Org/enterprise admins |
| GitHub Advanced Security (GH-500) | Associate | AppSec engineers using CodeQL, secret scanning, Dependabot |
Verdict
GH-200 is a high-value, low-cost cert ($99) that validates a skill nearly every engineering team now expects. If you write CI/CD pipelines and your team is on GitHub, take GH-200 — it pairs naturally with a Kubernetes cert (CKA/CKAD) and a cloud associate cert for a full delivery-engineer profile.
If you're new to GitHub overall, take GitHub Foundations first; otherwise go straight to GH-200.