APPENDIX

Reference Cards

Eight cheat sheets covering everything in the series — bookmark this page. GitHub power-user tips, search syntax, Actions expressions, gh CLI commands, branch protection vs rulesets, REST API quick-reference, security decision tree, and SemVer + conventional commits.

A.1

Top 25 GitHub Power-User Tips

Keyboard shortcuts, URL tricks, and UI features most developers never discover. These work on github.com without any extensions.

Keyboard shortcuts

Context | Key | Action
Any page | ? | Show all keyboard shortcuts for the current page
Any page | t | Fuzzy file finder: search files in the current repo
Any page | w | Switch branch or tag from anywhere in the repo
File view | l | Jump to a line number in the current file
File view | b | Open the git blame view for the current file
Any page | s or / | Focus the global search bar
Issue / PR list | c | Create a new issue
PR review | n | Jump to the next diff file
PR review | Alt+click checkbox | Mark all files as viewed at once

URL tricks

Trick | URL or key | Notes
Compare any two refs | github.com/owner/repo/compare/main...feature | Visual diff between any two branches, tags, or SHAs
Permalink to a line | Press y on any file view | Converts the branch URL into a SHA-pinned permalink that is safe to share: the content behind it cannot change
Raw file content | github.com/owner/repo/raw/main/file.txt | Redirects to raw.githubusercontent.com; useful in curl / wget scripts. For anything you execute or verify, put a commit SHA in place of the branch name so the content is immutable
Patch of a commit | github.com/owner/repo/commit/SHA.patch (or .diff) | Machine-readable unified diff of any commit
PR as patch | github.com/owner/repo/pull/N.patch | Full patch of a PR; apply with git am
Delete branches from the UI | github.com/owner/repo/branches | The Stale tab lists old branches with a delete button for each, no CLI needed

UI features most developers miss

Feature | Where | Notes
Code search | github.com/search (type: code) | Regex-capable code search across all of GitHub, powered by the Blackbird engine
Suggested changes | PR review → ```suggestion | Propose an exact code fix in a review comment; the author applies it with one click
Saved replies | Settings → Saved replies | Store canned review comments and insert them with the saved-replies (↩) icon in any comment box
Notification routing | Settings → Notifications → Custom routing | Route each org's notifications to a different email address than your personal one
Draft PR conversion | PR sidebar → "Ready for review" / "Convert to draft" | Switch between draft and open without closing and reopening
Pinned issues | Issue ··· menu → Pin issue | Pin up to 3 issues to the top of the issues list; handy for tracking milestones
github.dev editor | Press . on any repo | Opens VS Code in the browser: a full editor, no install, but nothing executes
Codespaces | Press , (comma) on any repo | Opens a full cloud dev environment that runs the actual code, not just the editor
Issue templates | /issues/new/choose | Deep-link to a specific template by adding ?template=name.yml
Link to comment | ··· menu on any comment | Copies a direct link to the comment; useful in Slack or email threads
A.2

GitHub Search Syntax Cheat Sheet

GitHub's search engine supports qualifiers across repositories, code, issues, PRs, commits, users and discussions. Combine qualifiers with AND, OR, NOT (or - prefix to negate).

Repository search

Query | Meaning
stars:>1000 | Repos with more than 1,000 stars
language:typescript | Repos whose primary language is TypeScript
topic:kubernetes | Repos tagged with the kubernetes topic
org:acme is:public | All public repos in the acme org
pushed:>2026-01-01 | Repos pushed to after 1 Jan 2026
size:>10000 | Repos larger than 10 MB (size is in KB)
archived:false fork:false | Exclude archived repos and forks

Code search

Query | Meaning
repo:acme/platform "api_key" | Exact string in a specific repo
path:src/auth path:*.ts | TypeScript files under src/auth/ (current code search has no extension: qualifier; use a path glob)
symbol:UserRepository | Find a class, function or other symbol by name
content:password NOT path:test | "password" in file content, excluding paths that contain test
language:python path:*.py NOT is:fork | Python files, skipping forks (current code search does not support size:)
org:acme /AKIA[0-9A-Z]{16}/ | Regex search (between slashes) for AWS access key IDs across an org; a quick sweep, not a substitute for secret scanning

Issue & PR search

Query | Meaning
is:open is:pr review:required | Open PRs awaiting required reviews
is:issue assignee:@me label:bug | Bugs assigned to you
is:pr author:octocat merged:>2026-01-01 | octocat's merged PRs since Jan 2026
is:issue no:assignee label:"priority:high" | Unassigned high-priority issues (quote labels containing colons or spaces)
is:pr status:failure head:feature | PRs from feature branches with failing CI
involves:octocat updated:>2026-06-01 | Issues/PRs involving a user, recently updated
linked:pr milestone:"v2.4" | Issues linked to a PR in a specific milestone
comments:>5 reactions:>10 | Highly engaged issues (comments + reactions)

Commit search

Query | Meaning
repo:acme/platform author:octocat | Commits by a specific author in a repo
committer-date:>2026-06-01 merge:false | Non-merge commits after a date
hash:abc1234 | Find a commit by (partial) SHA
A.3

Actions Expressions & Context Cheat Sheet

Expression syntax

```yaml
# Wrap any expression in ${{ }} to evaluate it
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
env:
  IS_PROD: ${{ startsWith(github.ref, 'refs/tags/v') }}
```

Expressions are substituted as plain text before a step runs, so an expression inside run: becomes part of the shell script. Never interpolate attacker-controlled context (github.event.pull_request.title, github.event.issue.body, github.head_ref, commit messages) into run: with ${{ }}; assign it to an env: variable and read "$VAR" in the shell, where it is data rather than code.

Operators

Operator | Example | Notes
`==` | github.actor == 'octocat' | String comparison is case-insensitive
`!=` | github.event_name != 'pull_request' | 
`&&` | A && B | Both must be truthy; returns the last evaluated operand, so A && 'x' || 'y' acts as a ternary
`||` | A || B | Either must be truthy
`!` | !cancelled() | Negation
`> < >= <=` | github.run_number > 10 | Numeric comparison

Functions

Function | Example | Returns
contains(a, b) | contains(github.ref, 'release') | true if a contains b (strings or arrays)
startsWith(a, b) | startsWith(github.ref, 'refs/tags/') | true if a starts with b
endsWith(a, b) | endsWith(matrix.os, 'latest') | true if a ends with b
format(str, ...) | format('Hello {0}', github.actor) | Formatted string
join(arr, sep) | join(matrix.tags, ',') | Array joined as a string
toJSON(val) | toJSON(github.event) | JSON string
fromJSON(str) | fromJSON(steps.matrix.outputs.value) | Parsed object
hashFiles(path) | hashFiles('**/package-lock.json') | SHA-256 hash of the matched files; empty string if nothing matches
success() | if: success() | All prior steps succeeded (the implicit default for if:)
failure() | if: failure() | Any prior step failed
cancelled() | if: cancelled() | Workflow was cancelled
always() | if: always() | Run regardless of outcome, even on cancellation; for cleanup that should still respect a cancel, use !cancelled()

Key context objects

Context | Key properties
github | event_name, ref, sha, actor, repository, run_id, run_number, workflow, head_ref, base_ref, event (the full webhook payload)
env | Any env var set at workflow, job or step level
vars | Repository/org variables (non-secret configuration values)
secrets | GITHUB_TOKEN plus any secrets you have defined
runner | os, arch, temp, tool_cache
job | status (success / failure / cancelled)
steps | <step-id>.outputs.<name>, <step-id>.conclusion
matrix | Current matrix combination values: matrix.os, matrix.node etc.
needs | <job-id>.outputs.<name>, <job-id>.result
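The injection caveat above, together with the SHA-pinning and permissions: points from the security decision tree in A.7, can be checked mechanically. The scanner below is an added example, not code from the series; it is a deliberately small, stdlib-only, line-based linter (no YAML library) that flags untrusted context interpolated into run:, actions pinned to a mutable tag or branch, and a workflow that never declares permissions:. The two workflow texts are constructed for the example, and the 40-character SHA in the hardened one is a placeholder, not a real checkout release.

```python
import re

# Added example (not from the series): a small stdlib-only scanner for three
# workflow pitfalls. Line-based on purpose so it needs no YAML library; it
# handles the common step layouts shown on this page, not every YAML spelling.

# Context values an outsider can set through a PR, issue, comment or branch
# name. Extend the list for your own triggers.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:issue|pull_request|comment|review|commits|"
    r"head_commit|discussion)|head_ref)"
)
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_LINE = re.compile(r"^-?\s*run:")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(text: str) -> list[str]:
    """Return one finding per problem, prefixed with the 1-based line number."""
    findings: list[str] = []
    in_run = False          # inside a run: step, possibly a multi-line block
    run_indent = 0
    saw_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("permissions:"):
            saw_permissions = True
        if RUN_LINE.match(stripped):
            in_run, run_indent = True, indent
        elif in_run and stripped and indent <= run_indent:
            in_run = False  # back at the step's own level: the script ended
        if in_run and UNTRUSTED_CONTEXT.search(line):
            findings.append(
                f"line {lineno}: untrusted context interpolated into run: "
                "(move it to env: and read the variable in the shell)"
            )
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        ref = m.group(1)
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA.match(version):
            findings.append(
                f"line {lineno}: {ref} is pinned to the mutable ref "
                f"'{version or '(none)'}'; pin to a 40-character commit SHA"
            )
    if not saw_permissions:
        findings.append(
            "workflow declares no permissions: block, so GITHUB_TOKEN gets the "
            "repository default instead of least privilege"
        )
    return findings


# Constructed sample: the classic pull_request_target footgun.
VULNERABLE_WORKFLOW = """\
name: greet
on: [pull_request_target]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Same workflow with the three fixes applied. The SHA is a placeholder for
# the example; take the real one from the action's release page.
HARDENED_WORKFLOW = """\
name: greet
on: [pull_request_target]
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # v4.2.2
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {lint_workflow(wf) or ['clean']}")
```

Run it over .github/workflows/*.yml in CI and fail the job on any finding; the injection check is the one that matters most on pull_request_target and issue_comment triggers, where the workflow runs with a write-capable token against input a stranger wrote.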
A.4

gh CLI Command Reference

Authentication

```bash
gh auth login                                # interactive OAuth login
echo "$TOKEN" | gh auth login --with-token   # non-interactive (CI)
gh auth status                               # show current auth state
gh auth token                                # print the current token in plaintext: keep it out of CI logs and shell history
```

Inside GitHub Actions you can skip login entirely: set GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} in env and gh picks it up.

Pull Requests

```bash
gh pr create --title "..." --body "..." --draft
gh pr list --state open --assignee @me
gh pr view 42 --web
gh pr checkout 42
gh pr review 42 --approve --body "LGTM"
gh pr review 42 --request-changes --body "See comments"
gh pr merge 42 --squash --delete-branch --auto
gh pr edit 42 --add-reviewer alice --add-label bug
gh pr close 42 --comment "Closing: superseded by #55"
```

Issues

```bash
gh issue create --title "..." --label bug --assignee @me
gh issue list --label "priority:high" --state open --limit 20
gh issue view 88
gh issue close 88 --comment "Fixed in #42"
gh issue edit 88 --milestone "v2.4" --add-label "backlog"
```

Repos & Gists

```bash
gh repo clone acme/platform
gh repo fork acme/platform --clone
gh repo create acme/new-svc --private --source=. --push
gh repo view --web
gh repo sync --branch main
gh gist create snippet.py --public --desc "rate limiter"   # the flag is --desc (-d), not --description
```

Actions & Workflows

```bash
gh workflow list
gh workflow run deploy.yml --ref main --field env=prod
gh run list --workflow=ci.yml --limit 5
gh run watch                                     # stream live run output
gh run download 9876543 --name coverage-report
```

API calls

```bash
gh api repos/acme/platform                                   # GET
gh api repos/acme/platform/issues --method POST \
  --field title="Bug" --field 'labels[]=bug'                 # POST
gh api repos/acme/platform/issues/88 --method PATCH \
  --field state=closed                                       # PATCH
gh api repos/acme/platform/issues --paginate \
  --jq '.[].title'                                           # paginate a list endpoint + filter
gh api graphql -f query='{ viewer { login } }'               # GraphQL
```

Aliases & Config

```bash
gh alias set prm 'pr merge --squash --auto --delete-branch'
gh alias list
gh config set git_protocol ssh
gh config set editor "code --wait"
gh extension install github/gh-copilot
gh extension upgrade --all
```
A.5

Branch Protection Rules vs Repository Rulesets

GitHub introduced Repository Rulesets in 2023 as a more flexible, layered alternative to classic branch protection rules. Both coexist — rulesets are the recommended approach for new setups.

Feature | Branch Protection Rules | Repository Rulesets
Scope | Per repo, per branch pattern | Per repo, or org-wide across selected repos
Layering | One rule per branch pattern | Multiple rulesets stack; the most restrictive rule wins
Bypass actors | Admins can bypass (all or nothing) | Specific roles, teams, or apps can bypass, always or only via a PR
Enforcement modes | Active only | Active, Evaluate (audit-only with rule insights; requires a GitHub Enterprise plan), Disabled
Org-level enforcement | ❌ Not supported | ✅ Org rulesets apply across repos
Tag protection | Via separate tag protection rules | ✅ Rulesets cover both branches and tags
Required status checks | ✅ | ✅
Required PR reviews | ✅ | ✅
CODEOWNERS required review | ✅ | ✅
Block force push | ✅ | ✅
Require signed commits | ✅ | ✅
Require linear history | ✅ | ✅
Import / export via API | Limited | ✅ Full JSON import/export
Audit log entries | Basic | Detailed, including who bypassed and why
Recommended for new setups? | Legacy, still works | ✅ Yes: more flexible, org-scalable
MIGRATION TIP

You can run branch protection rules and rulesets simultaneously on the same branch; both enforce, and the stricter setting wins. Migrate gradually: create rulesets that mirror your existing rules, verify they behave correctly in "Evaluate" mode (an Enterprise feature; on other plans, enable the ruleset as Active on a low-traffic branch first), then disable the old rules. Check the bypass list when you switch: a classic rule's blanket admin bypass does not carry over, which is usually what you want.

A.6

REST API Quick-Reference

Base URL: https://api.github.com. Send Accept: application/vnd.github+json on every request and X-GitHub-Api-Version: 2022-11-28 to pin the API version. Authenticate with Authorization: Bearer TOKEN (a fine-grained PAT, a GitHub App installation token or GITHUB_TOKEN); unauthenticated requests work for public data but are limited to 60 per hour per IP, against 5,000 per hour for an authenticated user.

Repositories

Method | Endpoint | Purpose
GET | /repos/{owner}/{repo} | Get repo metadata
PATCH | /repos/{owner}/{repo} | Update repo settings (description, visibility)
GET | /orgs/{org}/repos?type=private&per_page=100 | List org repos
DELETE | /repos/{owner}/{repo} | Delete a repo (classic PATs need the delete_repo scope)

Issues & Pull Requests

Method | Endpoint | Purpose
GET | /repos/{owner}/{repo}/issues?state=open | List issues (also returns PRs)
POST | /repos/{owner}/{repo}/issues | Create issue
PATCH | /repos/{owner}/{repo}/issues/{n} | Update issue (close, label, assign)
POST | /repos/{owner}/{repo}/issues/{n}/comments | Add comment
GET | /repos/{owner}/{repo}/pulls?state=open | List PRs
POST | /repos/{owner}/{repo}/pulls | Create PR
PUT | /repos/{owner}/{repo}/pulls/{n}/merge | Merge PR
POST | /repos/{owner}/{repo}/pulls/{n}/reviews | Submit review (event: APPROVE / REQUEST_CHANGES / COMMENT)

Actions & Workflows

Method | Endpoint | Purpose
GET | /repos/{owner}/{repo}/actions/runs | List workflow runs
POST | /repos/{owner}/{repo}/actions/workflows/{id}/dispatches | Trigger a workflow manually (body: {"ref": "main"}; the workflow needs a workflow_dispatch trigger)
GET | /repos/{owner}/{repo}/actions/artifacts | List artifacts
GET | /repos/{owner}/{repo}/actions/secrets | List secret names (never values)
PUT | /repos/{owner}/{repo}/actions/secrets/{name} | Create/update a secret; the value must be encrypted with the repo's public key from GET .../actions/secrets/public-key (libsodium sealed box) and sent with its key_id

Releases & Tags

Method | Endpoint | Purpose
GET | /repos/{owner}/{repo}/releases/latest | Get latest release
POST | /repos/{owner}/{repo}/releases | Create release
POST | https://uploads.github.com/repos/{owner}/{repo}/releases/{id}/assets?name=file | Upload a release asset (note the uploads.github.com host; send the file bytes with its Content-Type)
GET | /repos/{owner}/{repo}/git/refs/tags | List all tags

Rate limit headers to watch

```http
X-RateLimit-Limit: 5000          # requests per hour for this resource
X-RateLimit-Remaining: 4832      # remaining in the current window
X-RateLimit-Reset: 1749024000    # Unix timestamp when the window resets
X-RateLimit-Used: 168            # used in the current window
X-RateLimit-Resource: core       # which limit applies (core, search, graphql, ...)
Retry-After: 60                  # secondary rate limit hit (403 or 429): seconds to wait
```

A 403 is not always throttling: a permissions failure on a fine-grained token returns 403 with a healthy X-RateLimit-Remaining. Retry only when Retry-After is present, Remaining is 0, or the body says "rate limit".
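The decision a client has to make after each response, as an added example that is not code from the series: turn the status code and the headers above into "how long to sleep, if at all". The header dicts at the bottom are constructed so the block runs offline; in a real client you would feed it each response's status, headers and body.

```python
import time
from typing import Optional

# Added example (not from the series): map a response's status, rate-limit
# headers and body to a retry delay. Sample headers below are constructed.


def _lower(headers: dict) -> dict:
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): str(v) for k, v in headers.items()}


def retry_after_seconds(status: int, headers: dict, body: str = "",
                        now: Optional[float] = None) -> Optional[float]:
    """Seconds to wait before retrying, or None when the response is not a
    rate-limit condition (ordinary success, or a 403 that means "forbidden").

    Precedence follows the GitHub REST docs:
      1. Retry-After, when present, is authoritative (secondary limits).
      2. 403/429 with X-RateLimit-Remaining: 0 is the primary limit exhausted;
         wait until X-RateLimit-Reset (Unix seconds).
      3. 429, or a 403 whose body mentions the rate limit, with no hint:
         back off for at least a minute.
      4. Any other 403 is a permissions problem; retrying will not help.
    """
    if status not in (403, 429):
        return None
    h = _lower(headers)
    if "retry-after" in h:
        return float(h["retry-after"])
    if h.get("x-ratelimit-remaining") == "0" and "x-ratelimit-reset" in h:
        now = time.time() if now is None else now
        return max(0.0, float(h["x-ratelimit-reset"]) - now)
    if status == 429 or "rate limit" in body.lower():
        return 60.0
    return None


def should_throttle(headers: dict, floor: int = 100) -> bool:
    """True once the remaining primary budget drops below `floor`; use it to
    slow a bulk job down before it hits the wall instead of after."""
    remaining = _lower(headers).get("x-ratelimit-remaining")
    return remaining is not None and int(remaining) < floor


# Constructed sample responses.
EXHAUSTED = {"X-RateLimit-Limit": "5000", "X-RateLimit-Remaining": "0",
             "X-RateLimit-Reset": "1749024000", "X-RateLimit-Used": "5000"}
SECONDARY = {"Retry-After": "60", "X-RateLimit-Remaining": "4832"}
HEALTHY = {"X-RateLimit-Limit": "5000", "X-RateLimit-Remaining": "4832"}
FORBIDDEN_BODY = '{"message":"Resource not accessible by integration"}'

if __name__ == "__main__":
    print(retry_after_seconds(403, EXHAUSTED, now=1749023940))   # 60.0
    print(retry_after_seconds(429, SECONDARY))                    # 60.0
    print(retry_after_seconds(403, HEALTHY, FORBIDDEN_BODY))      # None
    print(should_throttle({"X-RateLimit-Remaining": "42"}))       # True
```

Pair retry_after_seconds() with a cap on total retries and a jitter on the sleep; hammering the reset timestamp to the second from many workers is itself a way to trip the secondary limits.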
A.7

GitHub Security Features Decision Tree

Match the threat to the right GitHub feature. Many teams enable everything — but knowing why each feature exists helps you configure it correctly and interpret its alerts.

Threat | Feature | Notes
Secret committed to repo | Secret Scanning + Push Protection | Secret scanning finds secrets already in history; push protection blocks the push before it lands. Enable both. Custom patterns for internal token formats need GitHub Advanced Security (secret protection). A secret that did land is compromised: rotate it, rewriting history is not a fix.
Vulnerable dependency (CVE) | Dependabot Alerts + Security Updates | Alerts match advisories against your manifests and lockfiles; Security Updates auto-open PRs with the fix. Enable version updates separately (dependabot.yml) for non-security bumps.
Vulnerable code pattern (SQL injection, XSS) | Code Scanning (CodeQL) | Static analysis on your own code, not dependencies. Free for public repos; private repos need GitHub Advanced Security. Default setup covers most projects; write custom queries for domain-specific patterns.
Malicious or hijacked third-party Action | Pin Actions to a commit SHA + Dependabot for Actions | Tags and branches are mutable and can be repointed after a maintainer account or repo compromise; a full 40-character SHA cannot. Keep the version as a trailing comment (uses: owner/action@<sha> # v4.2.2) and enable the github-actions Dependabot ecosystem so pins are bumped by PR.
Supply chain compromise (dependency confusion, typosquatting) | Artifact Attestations + SBOM + Sigstore | Attest build provenance so consumers can verify the artifact was built by your workflow from your source. Generate SBOMs at release time. Sign container images with cosign/Sigstore.
Third-party SAST tool findings (Semgrep, Snyk, Trivy) | SARIF upload to Code Scanning | Any tool that emits SARIF can feed code scanning alerts (upload-sarif action or the REST endpoint), centralising findings in one UI regardless of vendor.
Workflow with excessive permissions | permissions: key (least privilege) | Set permissions: contents: read (or permissions: {}) at the workflow level and grant write scopes only on the jobs that need them; read-all still grants more than most jobs use. Set the org default workflow token permission to read-only in the Actions policy.
Cloud credentials stored as long-lived secrets | OIDC (keyless auth) | Replace AWS/GCP/Azure secrets with OIDC token exchange: nothing to rotate and nothing to leak from the secret store. The cloud-side trust policy must be scoped to the token's sub claim (repository, ref or environment), otherwise any workflow that can reach the provider can assume the role. Covered in Phase 6.
Insider threat / unauthorized force-push to main | Branch Protection / Rulesets + Audit Log | Rulesets block force-pushes and require PRs. Stream the audit log to your SIEM (audit log streaming is an Enterprise feature) and alert on protected_branch.* and repository_ruleset.* events outside business hours.
Vulnerability disclosure from external researcher | SECURITY.md + Private Vulnerability Reporting | SECURITY.md tells researchers how to report. Private Vulnerability Reporting lets them submit directly through GitHub without public disclosure; you can then draft a security advisory and request a CVE.
Low OpenSSF Scorecard score | OpenSSF Scorecard Action | Run on a schedule. Each check maps to a concrete fix (pin Actions, enable branch protection, sign releases). Package registries and enterprise vendor reviews also look at the score.
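The "protection change outside business hours" alert from the insider-threat row, worked as a detection over audit-log export lines. This is an added example, not code from the series or from GitHub: the protected_branch.* and repository_ruleset.* action names are real audit-log event families, while the three records, the actors, the business hours and the UTC+1 timezone are constructed assumptions. Exports carry @timestamp in epoch milliseconds, which the code converts.

```python
import json
from datetime import datetime, timedelta, timezone

# Added example (not from the series): a detection over audit-log export
# lines. The event families are real; records, hours and timezone are
# constructed assumptions for the example.

WATCHED_PREFIXES = ("protected_branch.", "repository_ruleset.")
BUSINESS_HOURS = range(9, 18)            # assumption: 09:00-17:59 local time
LOCAL_TZ = timezone(timedelta(hours=1))  # assumption: UTC+1

# Constructed NDJSON in the shape of an audit log export.
AUDIT_LOG = """\
{"action":"protected_branch.destroy","actor":"mallory","repo":"acme/platform","@timestamp":1749016800000,"data":{"name":"main"}}
{"action":"repository_ruleset.update","actor":"alice","repo":"acme/platform","@timestamp":1749034800000,"data":{"name":"main-protection"}}
{"action":"repo.download_zip","actor":"bob","repo":"acme/platform","@timestamp":1749016800000,"data":{}}
"""


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside BUSINESS_HOURS, evaluated in LOCAL_TZ."""
    local = ts.astimezone(LOCAL_TZ)
    return local.weekday() >= 5 or local.hour not in BUSINESS_HOURS


def suspicious_changes(ndjson: str) -> list[dict]:
    """Return protection/ruleset changes made outside business hours."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        action = rec.get("action", "")
        if not action.startswith(WATCHED_PREFIXES):
            continue
        ts = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc)
        if is_off_hours(ts):
            hits.append({
                "actor": rec.get("actor"),
                "action": action,
                "repo": rec.get("repo"),
                "target": rec.get("data", {}).get("name"),
                "local_time": ts.astimezone(LOCAL_TZ).isoformat(),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_changes(AUDIT_LOG):
        print(hit)
```

In the constructed log only mallory's 07:00 deletion of the main protection fires; alice's midday ruleset update and bob's archive download do not. The same rule expressed in your SIEM's query language is the alert to ship; the Python is there to make the logic explicit and testable.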
A.8

SemVer + Conventional Commits Quick Reference

Semantic Versioning (SemVer)

```
MAJOR.MINOR.PATCH[-pre-release][+build]
```

Rules:

MAJOR bump: breaking change (incompatible API change)
MINOR bump: new feature, backwards-compatible
PATCH bump: bug fix, backwards-compatible

Examples:

```
1.0.0             initial stable release
1.1.0             added a new feature
1.1.1             fixed a bug in the new feature
2.0.0             breaking API change
2.0.0-alpha.1     pre-release alpha
2.0.0-rc.1        release candidate (sorts before 2.0.0)
1.0.0+20260613    build metadata (ignored in precedence)
```

Conventional Commits format

```
type(scope): short description

[optional body: more detail]

[optional footer(s): BREAKING CHANGE, Fixes #N, Co-authored-by]
```

Commit types → SemVer impact

Type | Meaning | SemVer bump | Example
feat | New feature | MINOR | feat(auth): add OAuth2 login
fix | Bug fix | PATCH | fix(api): handle null response from payment service
BREAKING CHANGE | Breaking API change (! after the type, or a footer) | MAJOR | feat!: rename config keys, or footer BREAKING CHANGE: ...
docs | Documentation only | none | docs: update README setup steps
style | Formatting, whitespace | none | style: run prettier
refactor | Code restructure, no behaviour change | none | refactor(db): extract query builder
perf | Performance improvement | PATCH | perf(cache): use Redis pipeline for bulk reads
test | Add or fix tests | none | test(auth): add edge cases for token expiry
build | Build system or dependency changes | none | build: upgrade webpack to 5.90
ci | CI config changes | none | ci: add caching to build job
chore | Maintenance tasks | none | chore: update .gitignore
revert | Revert a commit | depends on what was reverted | revert: feat(auth): add OAuth2 login

Tools that automate this

Tool | What it does | Phase reference
release-please | Reads conventional commits, opens a release PR with bumped version + changelog | Phase 10
semantic-release | Fully automated: determines version, publishes package, creates GitHub release | Phase 10
git-cliff | Generates a CHANGELOG.md from conventional commits; highly configurable | Phase 10
commitlint | Lints commit messages against the conventional commits spec; run in CI or as a git hook | 
commitizen | Interactive CLI for writing conventional commits; guides developers through the format | 
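What release-please and semantic-release do at their core, as an added example that is not code from the series or from either tool: parse each conventional commit header and footer, take the highest bump found, and apply it to the current SemVer version following the table above (feat → MINOR, fix and perf → PATCH, ! or a BREAKING CHANGE footer → MAJOR, everything else → none). The commit messages at the bottom are constructed. One design choice is labelled in the code: a pre-release such as 2.0.0-rc.1 graduates to 2.0.0 on any bump, since the pre-release already reserves that number.

```python
import re

# Added example (not from the series, release-please or semantic-release):
# derive the next version from conventional commit messages using the
# type-to-bump mapping on this page. Commit messages below are constructed.

HEADER = re.compile(r"^(?P<type>[a-z]+)(?:\((?P<scope>[^)]*)\))?(?P<bang>!)?:\s")
BREAKING_FOOTER = re.compile(r"^BREAKING[ -]CHANGE:", re.MULTILINE)
SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)
RANK = {"none": 0, "patch": 1, "minor": 2, "major": 3}


def bump_for(message: str) -> str:
    """Map one commit message to 'major', 'minor', 'patch' or 'none'."""
    m = HEADER.match(message)
    if not m:
        return "none"  # not a conventional commit; commitlint should reject these in CI
    if m.group("bang") or BREAKING_FOOTER.search(message):
        return "major"  # '!' after type/scope or a BREAKING CHANGE footer, whatever the type
    commit_type = m.group("type")
    if commit_type == "feat":
        return "minor"
    if commit_type in ("fix", "perf"):
        return "patch"
    return "none"  # docs, style, refactor, test, build, ci, chore; revert needs a human look


def next_version(current: str, messages: list[str]) -> str:
    """Apply the highest bump found in `messages` to `current`.

    Design choice for this example: if `current` is a pre-release
    (2.0.0-rc.1), any bump graduates it to its normal version (2.0.0),
    because that number is already reserved; build metadata is dropped,
    as it never affects precedence.
    """
    m = SEMVER.match(current)
    if not m:
        raise ValueError(f"not a SemVer version: {current!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre_release = m.group(4)
    bump = max((bump_for(msg) for msg in messages), key=RANK.__getitem__, default="none")
    if bump == "none":
        return current
    if pre_release is not None:
        return f"{major}.{minor}.{patch}"
    if bump == "major":
        return f"{major + 1}.0.0"
    if bump == "minor":
        return f"{major}.{minor + 1}.0"
    return f"{major}.{minor}.{patch + 1}"


# Constructed commit messages since the last tag.
COMMITS = [
    "fix(api): handle null response from payment service",
    "docs: update README setup steps",
    "feat(auth): add OAuth2 login",
    "chore: update .gitignore",
]

if __name__ == "__main__":
    print(next_version("1.1.1", COMMITS))  # 1.2.0
```

Feed it git log --format=%B between the last tag and HEAD; because the footer regex is multi-line, a BREAKING CHANGE: line anywhere in the body is honoured, which is exactly the case a reviewer skimming subject lines misses.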

🎉 Series Complete

You've finished the GitHub Advanced for Senior Developers series — 14 phases and this appendix. You now have a complete reference for Git internals, Actions at scale, security, API automation, Copilot, and enterprise governance.
