14 deep-dive phases taking you from solid GitHub user to GitHub platform expert. Git internals, Actions at scale, supply chain security, GitHub Apps and webhooks, Copilot Enterprise, org governance — with real code throughout.
Not sure where to start? Pick the track that matches your role — each is a curated path through the 14 phases.
The complete series from Git internals to enterprise governance. For senior devs who want the full picture.
New tech lead or org admin? Focus on team structure, branch policies, org-wide rules, and compliance.
DevOps and platform engineers. CI patterns, reusable workflows, OIDC, self-hosted runners, and API automation.
AppSec champions and security engineers. Secret scanning, CodeQL, supply chain (SBOM, Sigstore), and audit log compliance.
SREs and release managers. Semantic versioning, GitHub Packages, ghcr.io, automated releases, and cost governance.
Click any phase to read it. Each page has a full sidebar with links to every other phase.
Blobs, trees, commits, and tags. How rebase, merge, and cherry-pick differ at the object level. Reflog rescue, interactive rebase, merge strategies, Git LFS, and sparse checkout for monorepos.
Read Phase 1 →Polyrepo vs monorepo vs hybrid decision framework. CODEOWNERS-driven ownership, submodules vs subtrees, repository rulesets vs branch protection rules, and automating new-repo setup with templates.
Read Phase 2 →GitFlow vs trunk-based vs GitHub Flow. Feature flags as branch alternatives. CODEOWNERS for required reviewers. Branch protection rules and rulesets. Merge queues and auto-merge.
Read Phase 3 →Multi-template PR setup, review suggestions in bulk, stacked PRs, PR size discipline, protected branches + required reviews, gh CLI for PR workflows, and cycle time metrics.
Workflow YAML anatomy, all trigger types, runner comparison, job dependencies and fan-out patterns, context objects, expressions, secrets vs variables, environments with deployment protection, caching, service containers, and debug logging.
Read Phase 5 →Reusable workflows, composite actions, custom JS and Docker actions, dynamic matrices, concurrency groups, workflow permissions least-privilege, OIDC keyless auth to AWS/GCP/Azure, and ephemeral self-hosted runners with ARC.
Read Phase 6 →Dependabot alerts, security updates, and version updates. Secret scanning push protection and custom patterns. Security advisories and CVE IDs. Dependency review action to block high-severity CVEs on PRs.
Read Phase 7 →Software supply chain threat model. CodeQL and SARIF. Third-party SAST tools (Semgrep, Snyk, Trivy). Artifact attestations, SBOM generation, Sigstore/cosign for container signing, and OpenSSF Scorecard.
Read Phase 8 →Org structure, nested teams, SSO (SAML/OIDC), fine-grained PATs, OAuth Apps vs GitHub Apps, org-level rulesets, Enterprise Managed Users, audit log streaming, and billing insights.
Read Phase 9 →SemVer, annotated vs signed tags, GitHub Releases with auto-generated notes, release-please and semantic-release, git-cliff changelogs, GitHub Packages (npm, Maven, Docker, NuGet), ghcr.io, and package retention policies.
Read Phase 10 →Projects v2 board/table/roadmap views, custom fields, workflow automation, milestones vs Projects, YAML issue templates, label taxonomy at scale, DORA metrics via GraphQL, Insights tab, and third-party analytics tools.
Read Phase 11 →gh auth, config, extensions, and aliases. Scripting with --json/--jq. REST API v3 pagination. GraphQL API v4 with cursor pagination and mutations. Octokit SDK with throttling. GitHub Apps JWT auth. Webhook HMAC verification and smee.io. Four ready-to-ship automation bots.
Copilot tier comparison (Individual / Business / Enterprise). Chat slash commands and @workspace/@vscode agents. PR description generation, Autofix, and Copilot Workspace. Content exclusions, responsible use, ROI metrics, and copilot-instructions.md prompt engineering.
GHES vs GHEC feature gaps and migration. Org-wide Actions policies, IP allow lists, and required workflows. SOC 2, HIPAA, and FedRAMP shared responsibility. Audit log streaming to SIEM. CODEOWNERS as access control. CLA management. Inner source patterns. Actions cost governance.
Read Phase 14 →GitHub search syntax cheat sheet, Actions expressions & context reference, gh CLI command reference, branch protection vs rulesets comparison table, REST API quick-reference, security features decision tree, and SemVer + conventional commits guide.
Structured courses on other topics — same depth, same free access.