Keyboard shortcuts, URL tricks, and UI features most developers never discover. These work on github.com without any extensions.
Keyboard shortcuts
| Where | Key | Action |
| --- | --- | --- |
| Any page | ? | Show all keyboard shortcuts for the current page |
| Any page | t | Fuzzy file finder — search files in the current repo |
| Any page | w | Switch branch or tag from anywhere in the repo |
| Any page | l | Jump to a line number in the current file |
| Any page | b | Open git blame view for the current file |
| Any page | s or / | Focus the global search bar |
| PR / Issue | c | Open new comment box |
| PR review | n | Jump to next diff file |
| PR review | Alt+click checkbox | Mark all files as viewed at once |
URL tricks
| Trick | URL or action | What it does |
| --- | --- | --- |
| Compare any two refs | github.com/owner/repo/compare/main...feature | Visual diff between any two branches, tags, or SHAs |
| Permalink to a line | Press Y on any file view | Converts branch URL to SHA-pinned permalink — safe to share |
| Raw file content | github.com/owner/repo/raw/main/file.txt | Direct download link — useful in curl / wget scripts |
| Patch of a commit | github.com/owner/repo/commit/SHA.patch | Machine-readable unified diff of any commit |
| PR as patch | github.com/owner/repo/pull/N.patch | Full patch of a PR — apply with git am |
| Delete branch from URL | github.com/owner/repo/branches | Bulk-delete stale branches without the CLI |
UI features most developers miss
| Feature | Where | What it does |
| --- | --- | --- |
| Code search | github.com/search (type: code) | Regex-capable code search across all of GitHub — now powered by Blackbird engine |
| Suggested changes | PR review → ```suggestion | Propose an exact code fix in a review comment — author applies with one click |
| Saved replies | Settings → Saved replies | Store canned review comments — insert with the ↩ icon in any comment box |
| Notifications routing | Settings → Notifications → Custom routing | Route org notifications to a different email than personal ones |
| Draft PR conversion | PR sidebar → "Ready for review" | Convert draft ↔ open without closing and reopening |
| Pinned issues | Issue ··· menu → Pin issue | Pin up to 3 issues to the top of the issues list — great for tracking milestones |
| GitHub.dev editor | Press . on any repo | Opens VS Code in the browser — full editor, no install |
| Codespaces | , (comma) on any repo | Opens a full cloud dev environment — runs the actual code, not just the editor |
| Issue templates | /issues/new/choose | Deep-link directly to a specific issue template by adding ?template=name.yml |
| Link to comment | ··· menu on any comment | Copy a direct link to any comment — useful in Slack/email threads |
A.2
GitHub Search Syntax Cheat Sheet
GitHub's search engine supports qualifiers across repositories, code, issues, PRs, commits, users and discussions. Combine qualifiers with AND, OR, NOT (or - prefix to negate).
Repository search
| Qualifier | Matches |
| --- | --- |
| stars:>1000 | Repos with more than 1,000 stars |
| language:typescript | Repos with primary language TypeScript |
| topic:kubernetes | Repos tagged with the kubernetes topic |
| org:acme is:public | All public repos in the acme org |
| pushed:>2026-01-01 | Repos pushed to after Jan 1 2026 |
| size:>10000 | Repos larger than 10 MB (size in KB) |
| archived:false fork:false | Exclude archived repos and forks |
Code search
| Qualifier | Matches |
| --- | --- |
| repo:acme/platform "api_key" | Exact string in a specific repo |
| path:src/auth extension:ts | TypeScript files under src/auth/ |
| symbol:UserRepository | Find a class/function/symbol by name |
| content:password NOT path:test | Find "password" in code, exclude test dirs |
| language:python path:*.py size:<1000 | Python files smaller than 1,000 bytes |
$ gh workflow list
$ gh workflow run deploy.yml --ref main --field env=prod
$ gh run list --workflow=ci.yml --limit 5
$ gh run watch # stream live run output
$ gh run download 9876543 --name coverage-report
API calls
$ gh api repos/acme/platform # GET
$ gh api repos/acme/platform/issues --method POST \
    --field title="Bug" --field 'labels[]=bug' # POST
$ gh api repos/acme/platform/issues/88 --method PATCH \
    --field state=closed # PATCH
$ gh api repos/acme/platform --paginate \
    --jq '.name' # paginate + filter
$ gh api graphql -f query='{ viewer { login } }' # GraphQL
Aliases & Config
$ gh alias set prm 'pr merge --squash --auto --delete-branch'
$ gh alias list
$ gh config set git_protocol ssh
$ gh config set editor "code --wait"
$ gh extension install github/gh-copilot
$ gh extension upgrade --all
A.5
Branch Protection Rules vs Repository Rulesets
GitHub introduced Repository Rulesets in 2023 as a more flexible, layered alternative to classic branch protection rules. Both coexist — rulesets are the recommended approach for new setups.
| Feature | Branch Protection Rules | Repository Rulesets |
| --- | --- | --- |
| Scope | Per repo, per branch pattern | Per repo or org-wide across all repos |
| Layering | One rule per branch pattern | Multiple rulesets stack — most restrictive wins |
| Bypass actors | Admins can bypass (all or nothing) | Specific roles, teams, or apps can bypass selectively |
| Enforcement modes | Active only | Active, Evaluate (audit-only), Disabled |
| Org-level enforcement | ❌ Not supported | ✅ Org rulesets apply across all repos |
| Tag protection | Via separate tag protection rules | ✅ Rulesets cover both branches and tags |
| Required status checks | ✅ | ✅ |
| Required PR reviews | ✅ | ✅ |
| CODEOWNERS required review | ✅ | ✅ |
| Block force push | ✅ | ✅ |
| Require signed commits | ✅ | ✅ |
| Require linear history | ✅ | ✅ |
| Import / Export via API | Limited | ✅ Full JSON import/export |
| Audit log entries | Basic | Detailed — includes who bypassed and why |
| Recommended for new setups? | Legacy — still works | ✅ Yes — more flexible, org-scalable |
MIGRATION TIP
You can run branch protection rules and rulesets simultaneously on the same branch — both enforce. Migrate gradually: create rulesets that mirror your existing rules, verify they behave correctly in "Evaluate" mode, then disable the old rules.
A.6
REST API Quick-Reference
Base URL: https://api.github.com. All requests need Authorization: Bearer TOKEN and Accept: application/vnd.github+json headers. Add X-GitHub-Api-Version: 2022-11-28 for stability.
X-RateLimit-Limit: 5000 # requests per hour
X-RateLimit-Remaining: 4832 # remaining this window
X-RateLimit-Reset: 1749024000 # Unix timestamp when limit resets
X-RateLimit-Used: 168 # used this window
Retry-After: 60 # only present on 429 — seconds to wait
A.7
GitHub Security Features Decision Tree
Match the threat to the right GitHub feature. Many teams enable everything — but knowing why each feature exists helps you configure it correctly and interpret its alerts.
| Threat | GitHub feature | How to use it |
| --- | --- | --- |
| Secret committed to repo | Secret Scanning + Push Protection | Detects secrets in commits; push protection blocks the push before it lands. Enable both. Add custom patterns for internal tokens. |
| Vulnerable dependency (CVE) | Dependabot Alerts + Security Updates | Alerts flag known CVEs in your lockfile. Security Updates auto-opens PRs with the fix. Enable version updates separately for non-security bumps. |
| Vulnerable code pattern (SQL injection, XSS) | Code Scanning (CodeQL) | Static analysis on your code — not dependencies. CodeQL is free for public repos. Use default setup for most projects; custom queries for domain-specific patterns. |
| Malicious third-party Action in workflow | Pin Actions to SHA + Dependabot for Actions | Tag-pinning is not safe (tags can be moved). Pin to a commit SHA. Enable Dependabot for Actions ecosystem to get auto-PRs when a pinned SHA has a new version. |
| Supply chain compromise (dependency confusion, typosquatting) | Artifact Attestations + SBOM + Sigstore | Attest build provenance so consumers can verify the artifact came from your workflow. Generate SBOMs at release time. Sign container images with cosign/Sigstore. |
| Third-party SAST tool findings (Semgrep, Snyk, Trivy) | SARIF Upload to Code Scanning | Any tool that outputs SARIF can feed into GitHub's code scanning alerts. Centralises all SAST findings in one UI regardless of tool vendor. |
| Workflow with excessive permissions | permissions: key (least privilege) | Set permissions: read-all at the workflow level, then grant write only to the jobs that need it. Set org-default to read-only in Actions policy. |
| Cloud credentials stored as long-lived secrets | OIDC (keyless auth) | Replace AWS/GCP/Azure secrets with OIDC token exchange. No stored credentials = no credential rotation, no secret leak risk. Covered in Phase 6. |
| Insider threat / unauthorized force-push to main | Branch Protection / Rulesets + Audit Log | Rulesets block force-push and require PRs. Audit log streams every branch protection change to your SIEM. Add an alert rule for protected_branch.* changes outside business hours. |
| Vulnerability disclosure from external researcher | SECURITY.md + Private Vulnerability Reporting | SECURITY.md tells researchers how to report. Private Vulnerability Reporting lets them submit directly to you via GitHub without public disclosure. You can then draft a security advisory and request a CVE. |
| Low OpenSSF Scorecard score | OpenSSF Scorecard Action | Run on a schedule. Each check maps to a concrete fix (pin Actions, enable branch protection, sign releases). Scorecard is also checked by package managers and enterprises during vendor review. |
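The "pin Actions to SHA" and "permissions: key" rows above can be checked mechanically in CI. The following is an added example, not code from the original page: a line-based audit of a workflow file that flags `uses:` references not pinned to a full commit SHA and a missing workflow-level `permissions` key. It goes one step beyond the table by also flagging `docker://` steps that are not pinned by digest; the sample workflow and its 40-character ref are constructed placeholders.

```python
import re

# Constructed sample workflow for this example (not from the original page).
# The 40-character ref below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions\s*:")


def audit_workflow(text):
    """Return (line_number, reference, problem) tuples for one workflow file."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TOP_LEVEL_PERMISSIONS_RE.match(line):
            has_permissions = True
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned with the repository itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((lineno, ref, "image tag is mutable, pin by digest"))
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((lineno, ref, "tag or branch ref, pin to a commit SHA"))
    if not has_permissions:
        findings.append((0, "permissions", "no workflow-level permissions key"))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Line number 0 marks a file-level finding. The check is textual, so it does not verify that a pinned SHA actually belongs to the named action's repository.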
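The alert rule suggested in the insider-threat row (`protected_branch.*` changes outside business hours) can be prototyped over an audit-log export before it is written as a SIEM rule. This is an added example, not code from the original page: the events are constructed, modeled on the JSON-lines audit log export with `@timestamp` in milliseconds, and the business-hours window (Mon-Fri, 09:00-17:59 UTC) is an assumption to adjust.

```python
import json
from datetime import datetime, timezone

# Assumed business hours for this example: Mon-Fri, 09:00-17:59 UTC.
BUSINESS_DAYS = range(0, 5)
BUSINESS_HOURS = range(9, 18)

# Constructed audit-log export (JSON lines); actors and repos are made up.
SAMPLE_EVENTS = """\
{"@timestamp": 1767796200000, "action": "protected_branch.update_admin_enforced", "actor": "alice", "repo": "acme/platform"}
{"@timestamp": 1767827400000, "action": "protected_branch.destroy", "actor": "bob", "repo": "acme/platform"}
{"@timestamp": 1768042800000, "action": "protected_branch.policy_override", "actor": "carol", "repo": "acme/platform"}
{"@timestamp": 1767828600000, "action": "repo.create", "actor": "bob", "repo": "acme/scratch"}
this line is not JSON
"""


def off_hours_protection_changes(jsonl):
    """Return one alert dict per protected_branch.* event outside business hours."""
    alerts = []
    for raw in jsonl.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(event, dict):
            continue
        action = str(event.get("action", ""))
        if not action.startswith("protected_branch."):
            continue
        ts_ms = event.get("@timestamp")
        when = None
        if isinstance(ts_ms, (int, float)):
            when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        in_hours = (when is not None
                    and when.weekday() in BUSINESS_DAYS
                    and when.hour in BUSINESS_HOURS)
        if not in_hours:  # an event without a usable timestamp also alerts
            alerts.append({
                "time": when.isoformat() if when else "unknown",
                "actor": event.get("actor"),
                "action": action,
                "repo": event.get("repo"),
            })
    return alerts


if __name__ == "__main__":
    for alert in off_hours_protection_changes(SAMPLE_EVENTS):
        print(alert)
```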
A.8
SemVer + Conventional Commits Quick Reference
Semantic Versioning (SemVer)
MAJOR.MINOR.PATCH[-pre-release][+build]
Rules:
MAJOR bump → breaking change (incompatible API change)
MINOR bump → new feature, backwards-compatible
PATCH bump → bug fix, backwards-compatible
Examples:
1.0.0 initial stable release
1.1.0 added a new feature
1.1.1 fixed a bug in the new feature
2.0.0 breaking API change
2.0.0-alpha.1 pre-release alpha
2.0.0-rc.1 release candidate
1.0.0+20260613 build metadata (ignored in precedence)
Conventional Commits format
type(scope): short description
[optional body — more detail]
[optional footer(s) — BREAKING CHANGE, Fixes #N, Co-authored-by]
Commit types → SemVer impact
| Type | Meaning | SemVer bump | Example |
| --- | --- | --- | --- |
| feat | New feature | MINOR | feat(auth): add OAuth2 login |
| fix | Bug fix | PATCH | fix(api): handle null response from payment service |
| BREAKING CHANGE | Breaking API change (in footer) | MAJOR | feat!: rename config keys or footer BREAKING CHANGE: ... |
| docs | Documentation only | none | docs: update README setup steps |
| style | Formatting, whitespace | none | style: run prettier |
| refactor | Code restructure, no behaviour change | none | refactor(db): extract query builder |
| perf | Performance improvement | PATCH | perf(cache): use Redis pipeline for bulk reads |
| test | Add or fix tests | none | test(auth): add edge cases for token expiry |
| build | Build system or dependency changes | none | build: upgrade webpack to 5.90 |
| ci | CI config changes | none | ci: add caching to build job |
| chore | Maintenance tasks | none | chore: update .gitignore |
| revert | Revert a commit | depends | revert: feat(auth): add OAuth2 login |
Tools that automate this
Tool
What it does
Phase reference
release-please
Reads conventional commits, opens a release PR with bumped version + changelog
Generates a CHANGELOG.md from conventional commits — highly configurable
Phase 10
commitlint
Lints commit messages against the conventional commits spec — run in CI or as a git hook
—
commitizen
Interactive CLI for writing conventional commits — guides developers through the format
—
🎉 Series Complete
You've finished the GitHub Advanced for Senior Developers series — 14 phases and this appendix. You now have a complete reference for Git internals, Actions at scale, security, API automation, Copilot, and enterprise governance.