GitHub Actions Certification Guide 2026: GH-200 Is a Workflow Operations Exam
The GitHub Actions certification (GH-200) is not a YAML trivia quiz. The January 2026 study guide update makes the exam a practical test of whether you can author, troubleshoot, secure, and govern automation at scale. If you only memorize on: push examples, you will miss questions about reusable workflows, enterprise policies, runner groups, OIDC, artifact attestations, matrix behavior, caching, and secure use of third-party actions.
Use the official Microsoft Learn certification page for current scheduling and logistics: learn.microsoft.com/credentials/certifications/github-actions. Use the official GH-200 study guide for the exam objectives: Study guide for Exam GH-200.
free GitHub Actions certification questionsPractice questions with detailed explanations
GH-200 Exam Snapshot
| Item | 2026 detail |
|---|---|
| Certification | GitHub Actions |
| Exam code | GH-200 |
| Level | Intermediate |
| Roles | Administrator, Developer, DevOps Engineer, Solution Architect, Student |
| Exam time | 100 minutes |
| Delivery | Proctored exam scheduled through Pearson VUE |
| Languages listed | English, Spanish, Portuguese (Brazil), Korean, Japanese |
| Passing score | 700 or greater on Microsoft credential exams |
| Last updated | February 5, 2026 page update; skills measured as of January 2026 |
| Price | Region-based at scheduling |
Microsoft's exam details page says the exam is proctored and may include interactive components. It also states that GitHub exams do not provide Microsoft Learn access during the exam, so you need recall plus hands-on fluency before test day.
The Five GH-200 Domains
The official study guide lists five skill areas:
| Domain | Weight |
|---|---|
| Author and manage workflows | 20-25% |
| Consume and troubleshoot workflows | 15-20% |
| Author and maintain actions | 15-20% |
| Manage GitHub Actions for the enterprise | 20-25% |
| Secure and optimize automation | 10-15% |
The two largest domains are workflow authoring and enterprise management. Security and optimization is smaller by percentage, but it cuts across the whole exam because insecure workflow design can appear inside workflow, enterprise, runner, and action questions.
What Changed in the January 2026 Objectives
The official study guide notes that the exam changed significantly in January 2026: new objectives were added, some were removed, existing objectives moved, and all were reworded. The current guide includes topics that are easy to miss if you study from older blog posts:
workflow_dispatchinputs and reusable workflow inputs/secrets viaworkflow_call- Service containers, health checks, and matrix strategy controls such as
include,exclude,fail-fast, andmax-parallel - YAML anchors, aliases, and merge keys inside workflow files
- Runtime vs static expression evaluation and the full set of contexts
- Job summaries through
GITHUB_STEP_SUMMARY - Starter workflows vs reusable workflows vs composite actions
- Immutable actions behavior and version pinning expectations
- Runner image changes and toolcache awareness
- Organization and repository action allow/deny policies
- OIDC federation, least-privilege
GITHUB_TOKENpermissions, and artifact attestations
That is why hands-on practice matters. You need to know how GitHub Actions behaves when a workflow is parsed, when jobs start, when a matrix expands, when a reusable workflow is called, and when a secret is unavailable because of scope or event context.
Study Strategy by Domain
1. Author and Manage Workflows
Build workflows from scratch. Cover triggers, scheduled runs, manual dispatch, repository events, job dependencies, conditions, environment variables, contexts, expressions, matrix jobs, service containers, outputs, artifacts, caches, status badges, and environment protection rules.
Hands-on task: create a workflow with a matrix, a service container, a cache, a job output passed to a dependent job, and a Markdown job summary.
2. Consume and Troubleshoot Workflows
Practice reading logs and run history. Know how to locate artifacts, rerun failed jobs, interpret matrix failures, and distinguish copied starter workflows from centrally maintained reusable workflows. Understand what happens when a workflow is disabled versus deleted.
Hands-on task: intentionally break a workflow three ways: bad YAML, missing secret, and failed service container health check. Fix each from logs.
3. Author and Maintain Actions
Know the differences between JavaScript actions, Docker container actions, and composite actions. Study action.yml, inputs, outputs, branding, versioning, release tags, Marketplace distribution, private action use, and workflow commands inside actions.
Hands-on task: write a small composite action, tag it, pin it by SHA in a workflow, and compare that with calling it by a moving version tag.
4. Manage GitHub Actions for the Enterprise
This is a large domain. Study runner groups, self-hosted runners, GitHub-hosted runner images, organization policies, action usage restrictions, non-public templates, reusable components, secrets and variables at org/repo/environment scope, and REST API management for logs, artifacts, workflow runs, secrets, and variables.
Hands-on task: diagram how a workflow would be governed differently in a personal repo, an organization repo, and a regulated enterprise repo.
5. Secure and Optimize Automation
Security topics are concrete. Know least-privilege permissions, GITHUB_TOKEN lifecycle, PAT vs GITHUB_TOKEN, OIDC id-token permission, secret leakage prevention, script-injection risks, full-SHA pinning for third-party actions, untrusted input handling, required reviewers for environments, caching strategy, artifact retention, and artifact attestations.
Hands-on task: take a workflow that uses cloud credentials as a long-lived secret and redesign it with OIDC, explicit token permissions, action SHA pinning, and environment approvals.
A 4-Week GH-200 Study Plan
Week 1: Workflow Fundamentals
Read the official study guide and GitHub Actions documentation on workflows. Build 5 small workflows: push/PR, scheduled, manual dispatch, matrix, and reusable workflow. Do not copy blindly; explain every context and expression.
Week 2: Actions, Reuse, and Troubleshooting
Create one composite action and one reusable workflow. Then troubleshoot broken runs using logs, artifacts, reruns, and job summaries. Compare starter workflows, reusable workflows, and composite actions until the distinction is automatic.
Week 3: Enterprise and Runner Management
Study policies, runner groups, self-hosted runners, GitHub-hosted runner images, variables, secrets, environments, and organization-level governance. This is where many developer-only candidates are weakest.
Week 4: Security, Optimization, and Timed Practice
Review OIDC, GITHUB_TOKEN permissions, script injection, action pinning, artifact attestations, caching, and retention. Take timed practice sets. For every missed question, reproduce the behavior in a test repository if possible.
Exam-Day Advice
Budget time as if every question matters. You have 100 minutes, and Microsoft does not publish exact item counts on the public exam page. If an item includes a workflow snippet, read the trigger, event context, permissions, secrets scope, and if condition before choosing an answer.
Use elimination. Wrong answers often overgrant permissions, expose secrets to untrusted events, use a PAT where OIDC or GITHUB_TOKEN is safer, confuse composite actions with reusable workflows, or treat a starter workflow as centrally managed after it has been copied.
Official Sources
- GitHub Actions certification page: https://learn.microsoft.com/en-us/credentials/certifications/github-actions/
- GH-200 study guide: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/gh-200
- GitHub certifications overview: https://docs.github.com/en/get-started/showcase-your-expertise-with-github-certifications/about-github-certifications
- GitHub Actions documentation: https://docs.github.com/en/actions
Turn the Blueprint Into Working Labs
For GitHub Actions Certification Guide 2026: GH-200 Prep, reading alone is rarely enough. Translate each objective into a task you can perform, explain, or troubleshoot. A good study block starts with the official objective, moves into a small lab or documentation walkthrough, and ends with a timed question set. If the topic is security, build a chain from identity to detection to response. If it is cloud, map the service to a failure mode, a cost or governance concern, and an operational control. If it is DevOps or platform work, practice the command, configuration, permission model, and rollback path rather than memorizing vocabulary in isolation.
Keep a lab notebook with three fields: what I changed, what evidence proves it worked, and what would break it. That last field is where exam readiness improves. Certification questions often describe symptoms instead of naming the service or feature. If you know only the happy path, every distractor sounds plausible. If you have intentionally broken a policy, pipeline, role, cluster object, dashboard permission, integration, or service configuration, you can recognize the symptom faster under time pressure.
Official-Source Check
Use GitHub Certifications as the baseline for current exam names, objectives, retirement notices, scheduling rules, and candidate guidance. Vendor blogs, course notes, and older flashcards can be useful, but they often lag behind blueprint revisions. When an objective has changed wording, update your notes to match the current official language. That habit prevents a common failure pattern: overstudying a familiar legacy feature while underpracticing the new wording that appears in modern scenario questions.
Scenario and Troubleshooting Method
Read each technical scenario as an incident ticket. First identify the desired state: secure access, reliable deployment, compliant configuration, correct data result, restored service, or least-privilege operation. Next identify the constraint: no downtime, smallest change, approved service, auditability, cost, latency, regional availability, or user impact. Then eliminate options that solve the wrong layer. Many wrong answers are real tools, but they operate at the network layer when the problem is identity, at the code layer when the problem is configuration, or at the monitoring layer when the question asks for prevention.
For command-heavy or hands-on exams, rehearse search and verification patterns. Know how to inspect state before changing it, how to confirm the change, and how to undo or narrow the blast radius if the first attempt is wrong. For multiple-choice exams, practice explaining why each distractor is attractive. The explanation matters because the exam is testing tradeoffs, not only definitions. A correct answer usually fits the constraint with the fewest unnecessary side effects.
Practice Routing and Final Review
After every practice set, tag misses by failure type: concept, service boundary, syntax, sequence, or speed. Concept misses require documentation review. Service-boundary misses require a comparison table. Syntax misses require a short hands-on drill. Sequence misses require writing the order of operations. Speed misses require smaller timed sets with strict review afterward. Do not treat all misses as equal, because rereading a chapter will not fix a lab-verification problem.
In the final week, mix domains deliberately. Build short sets that combine identity, networking, logging, automation, data, operations, and security so you can switch context the way the exam expects. Also rehearse the first minute of a question: define the goal, underline the constraint, identify the layer, and choose the least risky action. That process is slower while practicing but faster on test day because it keeps you from rereading the same scenario three times.
Buy on Amazon
Learning path on Pluralsight