1. Overview & Questions (SQ3R · Survey & Question)

SQ3R Step 1: Skim the big picture, formulate key questions.

What Is GitHub? (More Than Code Hosting)

GitHub is the world's largest software development platform, but it is far more than "a place to store code." Built on top of the Git version control system, GitHub provides a complete development collaboration ecosystem: from code hosting and code review, through Issues and Projects for project management, to automated workflows with GitHub Actions and AI-assisted programming with GitHub Copilot.

Since its launch in 2008, GitHub has hosted over 300 million repositories and serves more than 100 million developers. Its core value lies in combining distributed version control (Git) with social collaboration (Pull Requests, Discussions, Stars, Forks) to create the foundational platform for modern software development.

GitHub's product ecosystem spans six major areas:

  • Collaborative Coding: Repositories, Pull Requests, Codespaces, Discussions
  • CI/CD and DevOps: GitHub Actions, GitHub Packages, GitHub Pages
  • Security and Code Quality: Dependabot, Code Scanning, Secret Scanning, CodeQL
  • Project Management: Issues, Projects, GitHub CLI
  • AI-Assisted Development: GitHub Copilot (code completion, Chat, Agent mode, code review)
  • Enterprise and Teams: Organizations, Enterprise, Teams

Key Questions

  • What is the relationship between GitHub and Git? — Git is the underlying distributed version control system; GitHub is a cloud-based collaboration platform built on top of Git. You can use Git without GitHub, but efficient collaboration is difficult without it.
  • Why choose GitHub over alternatives? — GitHub has the largest developer community and open-source ecosystem, deep integration with mainstream toolchains (IDEs, CI/CD, project management), and GitHub Copilot and GitHub Actions are the most mature options in their categories.
  • What can GitHub Actions do? — Automate builds, tests, deployments, releases, and nearly any repetitive task across the software development lifecycle.
  • How does GitHub Copilot differ from ChatGPT? — Copilot is an AI tool deeply integrated into your development environment. It understands your code context and repository structure, providing real-time code completions and suggestions rather than just a chat interface.

Technology Landscape

GitHub's core architecture can be divided into four layers:

Foundation: Git Version Control — Repositories, branches, commits, merges, and rebases form the basis for all higher-level features. Understanding Git's snapshot model and branching strategies is a prerequisite for using GitHub effectively.

Collaboration Layer: Team Development — Pull Request workflows, the Fork model, code reviews, Issue tracking, Projects boards, Discussions, and CODEOWNERS for code ownership.

Automation Layer: CI/CD and Security — GitHub Actions workflows, Dependabot for dependency updates, Code Scanning for vulnerability detection, Secret Scanning for credential leak detection, and GitHub Packages for package management.

Intelligence Layer: AI Assistance — GitHub Copilot code completion, Copilot Chat for conversational programming, Copilot Agent for autonomous task execution, Copilot Code Review for AI-powered code review, and Copilot CLI for command-line assistance.

2. Explained Simply (Feynman Technique)

Feynman Technique core idea: If you can't explain something in simple language, you don't truly understand it.

Core Concepts Explained

Repository

A repository is your project folder with a superpower: it remembers the complete history of every file change. Think of it as a photo album that automatically takes snapshots — you can revisit any "photo" (i.e., the state at any commit) at any time.

# Create a new repository
git init my-project
cd my-project
git remote add origin https://github.com/username/my-project.git

# Or create on GitHub, then clone locally
git clone https://github.com/username/my-project.git

Branch

A branch is a parallel universe. You live safely in the main universe (main branch) while experimenting in a parallel universe (a feature branch). If the experiment succeeds, merge it back to the main universe; if it fails, simply delete that branch — the main universe remains unharmed.

# Create and switch to a new branch
git checkout -b feature/new-login

# Work on the new branch...
git add .
git commit -m "feat: add new login page"

# When done, switch back to main and merge
git checkout main
git merge feature/new-login

Commit

A commit is a "save point" in the code world. Each commit captures a snapshot of the current code state, accompanied by a descriptive message. A good commit message is like a good diary entry — months later, you can still understand what you did and why.

git add src/login.tsx
git commit -m "feat: implement OAuth2 login with GitHub provider"

Commit messages typically follow the Conventional Commits specification: type(scope): description. Common types include feat (new feature), fix (bug fix), docs (documentation), refactor (refactoring), test (tests), and chore (maintenance).

Pull Request (PR)

A Pull Request is a "please review my code" request. You finish work on a branch, then open a PR so team members can review your code, suggest changes, and confirm everything looks good before merging into the main branch. This is the most important collaboration mechanism in modern software development.

A PR is more than just a code merge — it's a complete conversation: you can comment on specific lines of code, suggest changes, run automated tests, and require all checks to pass before merging.

Issue

An Issue is a "to-do item" or "problem tracker." Bug reports, feature requests, and task assignments can all be managed through Issues. Each Issue functions as a discussion thread that can be assigned to specific people, labeled, and linked to a Project board.

GitHub Actions

Actions is GitHub's built-in automation engine. Think of it as a tireless robot assistant — every time you push code, create a PR, or publish a release, it automatically executes the tasks you've scripted: running tests, building the project, and deploying.

name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

GitHub Copilot

Copilot is your AI programming partner. It comes in three forms: code completion (you write a line, it predicts the next few), Copilot Chat (ask coding questions in natural language), and Copilot Agent (let it autonomously complete a task like fixing a bug or writing tests). It doesn't replace you — it helps you code faster.

Dependabot

Dependabot is your project's "security butler." It automatically monitors your dependencies, creates PRs to alert you about security vulnerabilities, and checks for dependency updates on a regular schedule.

Analogies and Metaphors

  • GitHub is like Google Docs, but for code — Multiple people can edit simultaneously, track version history, and leave comments and reviews.
  • A branch is like a bookmark — You can place multiple bookmarks at different positions in a book and jump between them freely.
  • A Pull Request is like peer review for a paper — You submit your work for colleagues to review before it gets published.
  • GitHub Actions is like smart home automation — "If I push code, automatically turn on the lights (run tests) and lock the doors (deploy)."
  • Copilot is like an experienced pair programmer sitting next to you — You type a function name, it fills in the body; you describe a requirement, it generates code.

Common Misconceptions Clarified

  • Myth: GitHub is Git — Fact: Git is the version control tool; GitHub is a collaboration platform built on Git. Alternatives include GitLab, Bitbucket, and others.
  • Myth: GitHub is only for hosting code — Fact: GitHub supports Issues (project management), Discussions (community forums), GitHub Pages (static website hosting), Actions (automation), and much more — it's a complete development platform.
  • Myth: Only open-source projects can use GitHub — Fact: GitHub offers free private repositories. You can host personal projects on it.
  • Myth: Copilot will replace programmers — Fact: Copilot is an assistive tool that boosts productivity, but still requires humans for review and decision-making. It can generate code, but cannot understand business requirements.
  • Myth: Actions is only for CI/CD — Fact: Actions is a general-purpose automation platform. You can use it to schedule issue creation, auto-label PRs, manage project boards, call any API, and more.

3. Cone of Depth (Simon Learning Method)

Simon Learning Method core idea: Focus intensely, progressing from fundamentals to advanced topics in a limited timeframe.

Level 1: Core Fundamentals

Repository Management

Everything starts with a repository. After creating one on GitHub, you can clone it locally via HTTPS or SSH:

# HTTPS clone
git clone https://github.com/owner/repo.git

# SSH clone
git clone git@github.com:owner/repo.git

The .gitignore file tells Git which files should not be tracked (e.g., node_modules/, .env), README.md serves as the project's front door, and LICENSE defines the open-source license.

Branching Strategies

Common branching models include:

  • GitHub Flow: The simplest model, ideal for projects with continuous deployment. The main branch is always deployable; all new work happens on feature branches and merges via PRs.
  • Git Flow: More complex, with main, develop, feature, release, and hotfix branches. Best suited for projects with explicit release cycles.
  • Trunk-Based Development: Everyone commits frequently to main (the trunk), using feature flags to manage incomplete features.

GitHub officially recommends GitHub Flow for its simplicity and suitability for most teams.

Commit Conventions

Following the Conventional Commits specification keeps your history clean and readable:

feat(auth): add OAuth2 login support
fix(api): handle null response from user endpoint
docs: update API documentation for v2
refactor(utils): extract date formatting to shared module
test(auth): add unit tests for login flow
chore(deps): upgrade Next.js to 15.1

Pull Request Workflow

PRs are the heart of GitHub collaboration. A typical PR workflow:

  1. Create a feature branch from main
  2. Develop and commit on the feature branch
  3. Push the branch to GitHub and open a PR
  4. Team members review the code, leaving comments and suggestions
  5. Automated checks (CI tests, code quality) pass
  6. All reviews approved — merge into main
  7. Automatically delete the feature branch

PR protection rules can enforce: passing status checks, required review approvals, no force pushes, and more.

Issue Tracking

Issues are more than just bug reports. Issue templates help standardize information collection:

<!-- .github/ISSUE_TEMPLATE/bug_report.md -->
---
name: Bug Report
about: Report a bug to help us improve
title: "[BUG] "
labels: bug
---
 
## Description
 
## Steps to Reproduce
 
## Expected Behavior
 
## Actual Behavior
 
## Environment Info

Code Review

Good code review focuses on several areas: code correctness, readability, performance, security, and test coverage. GitHub's PR interface supports line-by-line comments and suggested changes, and reviewers can Approve, Request Changes, or simply comment.

Markdown Documentation

GitHub Flavored Markdown (GFM) extends standard Markdown with task lists, tables, syntax-highlighted code blocks, auto-links, mentions (@username), issue references (#123), and more.

GitHub Pages

GitHub Pages provides free static website hosting. You can publish directly from a gh-pages branch or the /docs directory of the main branch. Custom domains and HTTPS are supported.

Level 2: Advanced Usage

GitHub Actions CI/CD

Basic Workflow Structure

name: Build and Deploy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 
permissions:
  contents: read
  pages: write
  id-token: write
 
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
 
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "npm"
 
      - name: Install dependencies
        run: npm ci
 
      - name: Run tests
        run: npm test
 
      - name: Build project
        run: npm run build
 
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v3
        with:
          path: ./dist
 
  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4

Matrix Builds

When you need to test across multiple Node.js versions or operating systems:

jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node-version: [18, 20, 22]
      fail-fast: false
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - run: npm test

Secrets Management

Sensitive information (API keys, deploy credentials, etc.) should never be hardcoded in workflow files. GitHub provides a Secrets mechanism:

  • Repository Secrets: Scoped to a single repository
  • Environment Secrets: Tied to deployment environments, with optional approval workflows
  • Organization Secrets: Organization-level secrets shared across multiple repositories

steps:
  - name: Deploy to production
    env:
      API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
    run: ./deploy.sh

Custom Actions

You can create three types of Actions:

  • JavaScript Actions: Built with Node.js, best performance
  • Docker Container Actions: Environment isolation, maximum flexibility
  • Composite Actions: Combine multiple steps, ideal for reusing workflow fragments

# action.yml - Composite Action example
name: "Setup and Build"
description: "Install dependencies and build project"
inputs:
  node-version:
    description: "Node.js version"
    required: false
    default: "20"
runs:
  using: "composite"
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}
    - run: npm ci
      shell: bash
    - run: npm run build
      shell: bash

Projects Boards

GitHub Projects is a built-in project management tool supporting board, table, and roadmap views. It links to Issues and PRs, supports custom fields, and offers automation rules (e.g., "automatically move to Done when an Issue is closed").

Discussions

Discussions provide a forum-like community space. Unlike Issues, Discussions are suited for open-ended conversations, Q&A, announcements, and idea collection. You can organize them into categories (e.g., Q&A, Ideas, Announcements).

Codespaces

Codespaces provides cloud-based development environments. With one click, you get a full VS Code editor in your browser, pre-loaded with your project's dependencies and tools. Configure via .devcontainer/devcontainer.json:

{
  "image": "mcr.microsoft.com/devcontainers/universal:2",
  "features": {
    "ghcr.io/devcontainers/features/node:1": {
      "version": "20"
    }
  },
  "postCreateCommand": "npm install",
  "forwardPorts": [3000]
}

Security Features

Dependabot

Automatically detects security vulnerabilities in dependencies and creates fix PRs. Configure version updates via dependabot.yml:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"

Code Scanning

Uses CodeQL or third-party tools to scan for security vulnerabilities in code, with alerts displayed directly in PRs. Supports default setup (zero configuration) and advanced setup (custom workflows).

Secret Scanning

Automatically detects accidentally committed secrets and tokens in repositories (e.g., AWS Access Keys, GitHub Tokens, private keys). Push Protection can block commits containing secrets before they reach GitHub.

GitHub CLI (gh) Advanced Usage

GitHub CLI lets you accomplish almost everything from the terminal:

# Authentication
gh auth login
 
# Create and manage PRs
gh pr create --title "feat: add dark mode" --body "Implements dark mode toggle"
gh pr list --state open
gh pr checkout 123
gh pr merge 123 --squash
 
# Create and manage Issues
gh issue create --title "Bug: login fails on Safari" --body "Description..."
gh issue list --label bug --state open
gh issue close 456
 
# Check Actions run status
gh run list
gh run view 789
gh run watch  # Live-monitor the current run
 
# Manage Releases
gh release create v1.0.0 --title "Version 1.0.0" --notes "Release notes here"
 
# Use Copilot Chat from the terminal
gh copilot suggest "how to find all .tsx files modified in the last week"
gh copilot explain "git rebase -i HEAD~5"
 
# Repository operations
gh repo create my-new-repo --public --clone
gh repo view owner/repo
gh repo fork owner/repo --clone

Level 3: Deep Dive

GitHub Copilot in Depth

Agent Mode

Copilot Agent is the advanced form of Copilot that can autonomously complete an entire development task. You describe the requirement, and the Agent analyzes the codebase, creates a plan, writes code, runs tests, fixes errors, and ultimately submits a PR.

Agent mode supports:

  • Autonomously reading and modifying multiple files
  • Running commands and tests
  • Iteratively fixing compilation or test errors
  • Calling MCP (Model Context Protocol) servers to extend capabilities
  • Controlling execution flow through Hooks

Copilot Code Review

Beyond human review, you can have Copilot automatically review PRs. Copilot checks for potential issues, suggests improvements, and leaves comments directly on the PR. Custom review instructions can be configured.

Custom Instructions

You can guide Copilot's behavior through custom instructions at three levels:

  • Personal Instructions: Apply to all your Copilot interactions
  • Repository Instructions: Via .github/copilot-instructions.md, set coding standards and preferences for a specific project
  • Organization Instructions: Organization-wide unified standards

<!-- .github/copilot-instructions.md -->
 
# Project Coding Standards
 
- Use TypeScript strict mode
- Prefer functional components and Hooks
- Use Vitest + React Testing Library for tests
- Use Tailwind CSS for styling
- Follow Conventional Commits for commit messages

Prompt Files

Prompt files are reusable prompt templates stored in .github/prompts/ that team members can share:

<!-- .github/prompts/refactor.prompt.md -->
---
name: Refactor Code
description: Analyze and refactor the selected code for readability and performance
---
 
Analyze the selected code and:
 
1. Identify areas for improvement
2. Refactor for better readability
3. Ensure external behavior remains unchanged
4. Add necessary type annotations

Large-Scale Open Source Collaboration Patterns

CONTRIBUTING.md

The contribution guide file for open-source projects. It defines how to participate: coding standards, PR process, issue templates, development environment setup, and more. This is the first reference for new contributors.

CODEOWNERS

The CODEOWNERS file defines code ownership, automatically assigning reviewers to PRs:

# CODEOWNERS
# Default owners
* @project-maintainers

# Frontend code reviewed by frontend team
/src/components/ @frontend-team

# Security-related code must be reviewed by security team
/src/auth/ @security-team

# Documentation
/docs/ @docs-team
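
CODEOWNERS applies the last matching pattern, so rule order decides who is asked to review security-sensitive paths. The following is an added example, not part of the original page or GitHub's own code: it resolves owners for changed files using the file shown above and a constructed reordering. It handles only the pattern forms named in its comments, and the function names are hypothetical.

```python
import fnmatch
import posixpath

# The CODEOWNERS file from this page.
PAGE_CODEOWNERS = """\
# Default owners
* @project-maintainers
# Frontend code reviewed by frontend team
/src/components/ @frontend-team
# Security-related code must be reviewed by security team
/src/auth/ @security-team
# Documentation
/docs/ @docs-team
"""

# Constructed variant: same rules, catch-all moved to the end.
REORDERED = """\
/src/components/ @frontend-team
/src/auth/ @security-team
/docs/ @docs-team
* @project-maintainers
"""


def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def matches(pattern, path):
    """Subset of the syntax: '*', '*.ext', '/dir/' and '/path/file'."""
    if pattern == "*":
        return True
    if pattern.startswith("*.") and "/" not in pattern:
        return fnmatch.fnmatchcase(posixpath.basename(path), pattern)
    if pattern.startswith("/"):
        rooted = pattern.lstrip("/")
        if rooted.endswith("/"):
            return path.startswith(rooted)
        return path == rooted or path.startswith(rooted + "/")
    # Fail closed instead of guessing at patterns this example does not model.
    raise ValueError(f"pattern form not handled by this example: {pattern!r}")


def owners_for(rules, path):
    """Last matching rule wins; [] means no reviewer is requested automatically."""
    owners = []
    for pattern, rule_owners in rules:
        if matches(pattern, path):
            owners = rule_owners
    return owners


def shadowed_rules(rules):
    """Patterns that never take effect because a later '*' overrides them."""
    catch_all = [i for i, (pattern, _) in enumerate(rules) if pattern == "*"]
    if not catch_all:
        return []
    return [pattern for pattern, _ in rules[:catch_all[-1]] if pattern != "*"]


if __name__ == "__main__":
    for label, text in (("page", PAGE_CODEOWNERS), ("reordered", REORDERED)):
        rules = parse_codeowners(text)
        print(label, owners_for(rules, "src/auth/login.ts"), shadowed_rules(rules))
```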

Branch Protection Rules

Set protections for critical branches (e.g., main):

  • Require PR reviews before merging
  • Require CI status checks to pass
  • Require signed commits
  • Prohibit force pushes and deletions
  • Require branches to be up to date

GitHub Actions Runner Architecture

GitHub provides three types of runners:

  • GitHub-hosted Runners: Virtual machines hosted by GitHub, providing standard environments like ubuntu-latest, macos-latest, and windows-latest. Each run gets a fresh VM that's destroyed after use.
  • Larger Runners: GitHub-hosted runners with bigger configurations (more CPU, memory) for resource-intensive tasks.
  • Self-hosted Runners: Runners on your own machines, ideal for scenarios requiring specific hardware, internal network access, or custom environments. Supports autoscaling via Actions Runner Controller (ARC) on Kubernetes.

Organization Management and Enterprise Features

  • Organizations: Shared repositories with unified permission management and billing for teams
  • Teams: Fine-grained access control, with repository permissions and code review responsibilities assigned by team
  • Enterprise: Cross-organization unified management, SSO, audit logs, policy enforcement
  • GitHub Advanced Security (GHAS): Enterprise-grade security features including Code Scanning, Secret Scanning, Dependabot, and more

GitHub API and Integration Development

GitHub provides two API interfaces:

REST API

# Use gh CLI to call REST API
gh api repos/owner/repo/pulls --method POST \
  -f title="New feature" \
  -f body="Description" \
  -f head="feature-branch" \
  -f base="main"
 
# Get repository info
gh api repos/owner/repo
 
# List PRs
gh api repos/owner/repo/pulls --jq '.[].title'

GraphQL API

The GraphQL API lets you query exactly the data you need, avoiding over-fetching:

query {
  repository(owner: "owner", name: "repo") {
    pullRequests(first: 10, states: [OPEN]) {
      nodes {
        title
        author {
          login
        }
        url
        reviews(first: 5) {
          totalCount
        }
      }
    }
  }
}

Webhooks

Webhooks let external services receive notifications when GitHub events occur. For example, when a PR is created, you can trigger a Slack notification or start an external CI system.
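
A webhook endpoint is reachable from the internet, so the receiver has to confirm that each delivery really came from GitHub before acting on it. The following is an added example, not part of the original page: it checks the X-Hub-Signature-256 header (HMAC-SHA256 of the raw body with the webhook secret), rejects repeated X-GitHub-Delivery ids, and parses the JSON only afterwards. The class name, secret and sample delivery are constructed for illustration.

```python
import hashlib
import hmac
import json

SIG_HEADER = "x-hub-signature-256"
SIG_PREFIX = "sha256="


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub places in X-Hub-Signature-256 for this exact body."""
    return SIG_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Hypothetical receiver: verify first, then de-duplicate, then parse."""

    def __init__(self, secret: bytes, allowed_events=("pull_request",)):
        self.secret = secret
        self.allowed_events = set(allowed_events)
        # In-memory replay guard (assumption: a single process; several
        # workers would need a shared store with expiry).
        self.seen_deliveries = set()

    def handle(self, headers: dict, body: bytes):
        """Return (http_status, reason) for one delivery."""
        h = {k.lower(): v for k, v in headers.items()}

        received = h.get(SIG_HEADER, "")
        if not received.startswith(SIG_PREFIX):
            return 401, "missing or unsupported signature"
        expected = sign(self.secret, body)
        # Constant-time comparison, computed over the raw bytes as received.
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return 401, "signature mismatch"

        delivery = h.get("x-github-delivery")
        if not delivery:
            return 400, "missing delivery id"
        if delivery in self.seen_deliveries:
            return 409, "duplicate delivery"
        self.seen_deliveries.add(delivery)

        event = h.get("x-github-event")
        if event not in self.allowed_events:
            return 202, "event ignored"

        # Only an authenticated body is parsed.
        payload = json.loads(body)
        return 200, f"{event}:{payload.get('action')}"


# Constructed sample delivery (not captured traffic).
SECRET = b"constructed-test-secret"
BODY = json.dumps({"action": "opened", "number": 7}).encode()
HEADERS = {
    "X-GitHub-Event": "pull_request",
    "X-GitHub-Delivery": "00000000-0000-4000-8000-000000000001",
    "X-Hub-Signature-256": sign(SECRET, BODY),
}

if __name__ == "__main__":
    rx = WebhookReceiver(SECRET)
    print(rx.handle(HEADERS, BODY))         # accepted
    print(rx.handle(HEADERS, BODY))         # same delivery id again
    print(rx.handle(HEADERS, BODY + b" "))  # body altered after signing
```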

Git Internals and GitHub's Implementation

Git is fundamentally a content-addressable filesystem. Each commit is identified by a SHA-1 hash and points to a tree object (directory structure) and its parent commits. GitHub builds on this foundation with:

  • Pull Request metadata and associations
  • Issue and Comment storage and indexing
  • Permission management and access control
  • Actions workflow engine
  • Search and code navigation
  • Copilot's code indexing and context analysis

Understanding Git internals helps with resolving complex merge conflicts, recovering lost commits (git reflog), optimizing repository size, and other advanced scenarios.
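
Content addressing is also what makes history tamper-evident: a commit id covers its tree and its parents, so changing one byte in an old file changes every later commit id. The following is an added example, not part of the original page: it computes blob, tree and commit ids the way Git does for the SHA-1 object format. It assumes a flat directory of regular files, and the identity string and file contents are constructed.

```python
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """SHA-1 over '<type> <size>' + NUL + payload, the id Git stores the object under."""
    header = f"{obj_type} {len(payload)}".encode() + b"\x00"
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of a file's content; the file name is not part of it."""
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    """files maps file name -> blob id (hex). Flat directory, mode 100644 only."""
    body = b""
    for name in sorted(files, key=lambda n: n.encode()):  # Git sorts entries byte-wise
        body += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(files[name])
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list, ident: str, message: str) -> str:
    """Id of a commit; it covers the tree id and every parent id."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


# Constructed identity line: name, e-mail, Unix timestamp, timezone.
IDENT = "Example Dev <dev@example.com> 1700000000 +0000"


def build_history(first_file_content: bytes) -> list:
    """Two-commit history over constructed files; returns [commit1_id, commit2_id]."""
    app = blob_id(first_file_content)
    c1 = commit_id(tree_id({"app.js": app}), [], IDENT, "feat: initial commit\n")
    t2 = tree_id({"app.js": app, "README.md": blob_id(b"# demo\n")})
    c2 = commit_id(t2, [c1], IDENT, "docs: add README\n")
    return [c1, c2]


if __name__ == "__main__":
    original = build_history(b"console.log('v1')\n")
    altered = build_history(b"console.log('v1');\n")  # one byte added to the first file
    for before, after in zip(original, altered):
        print(before, "->", after)
```

The second commit never touched app.js, yet its id changes as well, because it names the first commit as its parent.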

4. Key Notes (Cornell Note-taking System)

Cornell Notes: Cues/keywords on the left, detailed notes on the right, summary at the bottom.

Key Concept Quick Reference

| Cue / Keyword | Detailed Notes |
|---|---|
| Repository | Project repository containing all files and history. Available as Public or Private visibility. |
| Branch | Independent line of development. main is the default branch; feature branches isolate work. GitHub Flow is the recommended branching strategy. |
| Commit | Code snapshot with author, timestamp, and changes. Follow Conventional Commits for readable history. |
| Pull Request | Code merge request — the core collaboration mechanism. Includes diff, comments, reviews, and CI checks. Merge strategies: Merge, Squash, Rebase. |
| Issue | Task tracking and bug reports. Supports labels, assignees, milestones, and templates. Auto-close via keywords (e.g., Fixes #123). |
| GitHub Actions | CI/CD automation platform. Workflows consist of on (triggers), jobs (work units), and steps (individual tasks). Defined in YAML under .github/workflows/. |
| GitHub Copilot | AI programming assistant. Three forms: code completion (Inline Suggestions), Chat (conversation), Agent (autonomous tasks). Supports multiple AI models. |
| Dependabot | Dependency management bot. Automatically detects security vulnerabilities and version updates, creating fix PRs. Configured via dependabot.yml. |
| Secret Scanning | Automatically detects leaked secrets in repositories. Supports Push Protection to block pushes. Covers 200+ secret patterns. |
| GitHub CLI (gh) | Command-line tool. Manage PRs, Issues, Actions, and Releases from the terminal. Supports Copilot Chat. Extensible via custom extensions. |
| Codespaces | Cloud development environment. Container-based, configured via .devcontainer/. Supports VS Code and browser-based editing. |
| CODEOWNERS | Code ownership file. Defines who/which teams own which code paths. Automatically assigns reviewers to PRs. |
| GitHub Pages | Free static website hosting. Publish from gh-pages branch or main/docs directory. Custom domains supported. |
| Projects | Built-in project management. Supports board, table, and roadmap views. Automate workflows and link Issues/PRs. |

Common Commands / Workflow Syntax Reference

| Command / Syntax | Purpose | Example |
|---|---|---|
| gh pr create | Create a Pull Request | gh pr create --title "feat: add X" --body "description" |
| gh pr checkout | Check out a PR locally | gh pr checkout 123 |
| gh pr merge --squash | Squash-merge a PR | gh pr merge 123 --squash |
| gh issue create | Create an Issue | gh issue create --title "Bug: X" --body "details" |
| gh run list | List workflow runs | gh run list --limit 10 |
| gh run watch | Live-monitor a run | gh run watch |
| gh repo clone | Clone a repository | gh repo clone owner/repo |
| gh release create | Create a Release | gh release create v1.0.0 --title "v1.0.0" |
| gh copilot suggest | Copilot suggestion | gh copilot suggest "list large files" |
| on: push | Workflow trigger | on: { push: { branches: [main] } } |
| on: pull_request | PR trigger | on: [pull_request] |
| on: schedule | Scheduled trigger | on: { schedule: [{ cron: '0 0 * * 1' }] } |
| strategy.matrix | Matrix builds | matrix: { node: [18, 20], os: [ubuntu, macos] } |
| ${{ secrets.X }} | Reference a Secret | API_KEY: ${{ secrets.API_KEY }} |
| ${{ github.event_name }} | Get trigger event name | ${{ github.event_name }} |
| uses: actions/checkout@v4 | Check out repository | Standard first step to pull code onto the Runner |
| needs: build | Job dependency | deploy job waits for build job to complete |
| if: github.ref == 'refs/heads/main' | Conditional execution | Only runs when triggered on the main branch |
| permissions: | Permission declaration | permissions: { contents: read, pages: write } |
| concurrency: | Concurrency control | concurrency: { group: deploy, cancel-in-progress: true } |
| artifact | Build artifacts | actions/upload-artifact@v4 to upload, download-artifact@v4 to download |

Section Summary

GitHub's core value chain: Git Version Control → Pull Request Collaboration → Actions Automation → Copilot Intelligence. Mastering these four progressive layers means mastering the complete modern software development workflow. From basic commits and branches, to CI/CD automation, to AI-assisted programming — each layer builds on the previous one to increase efficiency.

5. Review & Practice (SQ3R · Recite & Review)

SQ3R final two steps: Recite key points, reinforce understanding through practice.

Core Takeaways

  1. Git is the foundation: Understanding commits, branches, and merges is a prerequisite for using GitHub. GitHub Flow is the recommended branching strategy — simple and suited for continuous deployment.
  2. Pull Requests are central: PRs are more than merging code — they're the vehicle for code review, discussion, and automated checks. Use PR protection rules to ensure code quality.
  3. Actions is the automation engine: Define workflows in YAML, trigger with on, orchestrate steps in jobs. Leverage matrix builds, secrets, and caching for efficiency.
  4. Copilot is a force multiplier: Code completion, Chat, and Agent modes cover different scenarios. Use custom instructions and prompt files to guide Copilot to follow project conventions.
  5. Security is the baseline: Dependabot manages dependencies, Code Scanning finds vulnerabilities, Secret Scanning prevents leaks. Together, they form a security defense line.
  6. gh CLI is a productivity tool: Handle PRs, Issues, and Actions from the terminal to reduce context switching.

Hands-On Exercises

Exercise 1: Create Your First Workflow

  1. Create .github/workflows/ci.yml in your repository
  2. Configure it to trigger on push and PR events
  3. Add steps for Node.js setup, dependency installation, and running tests
  4. Push your code and observe the run results on the Actions page

Exercise 2: Complete PR Workflow

  1. Create a feature branch feature/hello from main
  2. Add a new file and commit
  3. Push the branch, create a PR using gh pr create
  4. Review the diff on the PR page and add comments
  5. After review approval, merge using --squash
  6. Confirm the feature branch was automatically deleted

Exercise 3: Configure Dependabot

  1. Create .github/dependabot.yml
  2. Configure automatic updates for npm and GitHub Actions
  3. Observe the PRs Dependabot creates automatically

Exercise 4: Use Copilot Chat

  1. Open Copilot Chat in your IDE
  2. Try prompts like "explain this function", "write unit tests for this code", "refactor for readability"
  3. Create .github/copilot-instructions.md with your project's coding preferences
  4. Use Copilot again and observe whether it follows your custom instructions

Exercise 5: GitHub CLI Exploration

  1. Install GitHub CLI: winget install GitHub.cli (Windows) or brew install gh (macOS)
  2. Run gh auth login to authenticate
  3. Try commands like gh repo view, gh issue list, gh pr list
  4. Use gh copilot suggest to get command suggestions

Common Pitfalls

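  1. Committing large files to Git: Use .gitignore to exclude node_modules/, .env, build artifacts, etc. If already committed, remove with git rm --cached. This only stops tracking the file; earlier commits still contain it, so rotate any credentials that were in a committed .env.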
  2. Mixing unrelated changes in a PR: One PR should do one thing. Keep PRs small and focused for easier review and rollback.
  3. Overly broad workflow permissions: Default GITHUB_TOKEN permissions should be read-only; escalate as needed. Use the permissions: field to minimize privileges.
  4. Hardcoding secrets in code: Never write credentials in source code. Use GitHub Secrets and reference them via ${{ secrets.X }}.
  5. Ignoring Dependabot PRs: Security updates should be prioritized. You can configure auto-merge for low-risk dependency updates.
  6. Not reviewing Copilot-generated code: AI-generated code may contain bugs or security issues. Always review before merging.
  7. Abusing force push: Force-pushing on shared branches overwrites others' commits. It should be prohibited on protected branches.
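
Pitfalls 3 and 4 can be checked mechanically before a workflow is merged. The following is an added example, not part of the original page and not a GitHub tool: a line-based check that reports a workflow without a top-level permissions: block, permissions: write-all, and credential-like environment variables assigned a literal instead of a ${{ ... }} expression. The rule ids and both sample workflows are constructed, and the check reads lines rather than parsing YAML.

```python
import re

# UPPER_CASE: value  (environment-variable style assignment with a value)
ENV_ASSIGN = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(\S.*?)\s*$")
CRED_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL")
PERMISSIONS = re.compile(r"^(\s*)permissions\s*:\s*(.*?)\s*$")

# Constructed workflow: no permissions block, literal credential in env.
RISKY = """\
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to production
        env:
          API_KEY: constructed-not-a-real-key
        run: ./deploy.sh
"""

# Constructed workflow: read-only default token, credential taken from Secrets.
HARDENED = """\
name: Deploy
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to production
        env:
          API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
        run: ./deploy.sh
"""


def lint_workflow(text: str) -> list:
    """Return [(line_number, rule_id)]; line 0 marks a file-level finding."""
    findings = []
    top_level_permissions = False
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        perm = PERMISSIONS.match(line)
        if perm:
            if perm.group(1) == "":
                top_level_permissions = True
            if perm.group(2).strip("'\"") == "write-all":
                findings.append((number, "permissions-write-all"))
            continue
        env = ENV_ASSIGN.match(line)
        if env and CRED_NAME.search(env.group(1)) and "${{" not in env.group(2):
            findings.append((number, "hardcoded-credential"))
    if not top_level_permissions:
        # Job-level blocks alone leave other jobs on the repository default.
        findings.insert(0, (0, "no-top-level-permissions"))
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, lint_workflow(text))
```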

Further Reading