Learn how to automate, secure, and scale like the best

We've recently launched a new learning portal to help you get more out of GitHub's platform. With three new Learning Pathways—Automation, Security, and Administration & Governance—there's something for everyone! In this newsletter, we'll introduce you to the experts behind the pathways and guide you in choosing the right starting point for your learning journey.

Meet the instructors

Automation - Bekah Whittle, Director of Compute Products, GitHub 

Security - Nick Liffen, Director of GitHub Advanced Security, GitHub 

Administration & Governance - Jessi Moths, Director of Enterprise and Platform Products, GitHub

Who will benefit from your Learning Pathway?

Bekah: The Automation Learning Pathway includes three modules focused on essential, intermediate, and advanced automation concepts. For people just getting started with automating workflows on GitHub Actions, the Essentials of automation module will walk you through how to build, test, and deploy a simple web application using Actions and GitHub Pages. Our Intermediate automation module is great for anyone that wants to extend their use of automation or learn how to implement Actions within an organization. We cover best practices for runner management, workflow monitoring, and detail how to make the most of reusable workflows. Our Advanced automation module highlights where GitHub Actions really becomes powerful: scalability! Automating a single workflow is one thing. Expanding that across your entire enterprise is something else entirely. If you are interested in learning how to succeed with automation at enterprise-scale, this is the module for you! How about you Nick, what does the Security pathway look like?

Nick: In the Security Pathway, the Essentials of security module is for people who have a GitHub Advanced Security license but haven't started using it yet, or who just want to see how simple it is to set up. We explain all the different features GitHub Advanced Security provides and show you how to enable them with just a few clicks. The Intermediate security module is for those who want or need a bit more customization. It guides you through configuring CodeQL, secret scanning, and dependency review, shows you how to enable the most common customizations, and explains why you might want to enable them. The Advanced security module is for those who want to take GitHub Advanced Security to the next level by creating centralized configurations that can be used across an enterprise, or by digging deeper into supply chain security issues like transient dependencies and software-bill-of-materials (SBOM).

Jessi: Our Essentials of administration and governance module is great for GitHub administrators of all types, and anyone else who wants to learn more about the best practices for configuring and administering GitHub Enterprise Cloud, such as security and procurement stakeholders. It may even be interesting for individual developers who want to peek behind the curtain and understand why things work the way they do!

What less obvious challenge(s) does your Learning Pathway solve?

Nick: I would say the challenge of getting familiar with the wide range of GitHub Advanced Security configuration options. When companies adopt GitHub Advanced Security, they use the defaults 90% of the time—and for good reason! We put a lot of work into curating the defaults so that you don’t need to configure much, if anything, out of the box. But after a while, you might want to tailor the configuration to optimize for specific scenarios. We make it so that when you’re ready to configure, you can.

Jessi: Optimizing your GitHub Enterprise Cloud setup and creating policies and procedures that support and benefit all of a company’s users—which can often be much less clear-cut than some buttons or checkboxes in a menu might first indicate. There’s nuances to be considered and discussions to be had before making any of these myriad choices, and they end up being ongoing topics as requirements and culture change. We walk you through some of those considerations and offer best practices where the documentation might just lay out all the options. 

Bekah: An underrated element of GitHub Actions is how it strengthens security. While many associate automation with just speeding up tasks, it's a crucial tool for maintaining consistent security standards. This becomes especially important when enforcing securing protocols across an entire organization. In our guide on securing CI/CD with secrets and variables, we walk through how to manage sensitive information at the organizational level, outline the role of variables in your workflows, and implement OpenID Connect (OIDC) for robust cloud authentication.

We know you’re the experts, but did you learn anything new about your topic?

Nick: Working in this space every day, you think you know pretty much all the edge cases and best practices, but going through these Learning Pathway experiences opened my eyes to how many different ways GitHub Advanced Security can be used and configured. Hopefully these pathways will help people get started on their own journey. 

Jessi: It’s always great to have a reminder of the different ways that GitHub’s customers make decisions about, set up, and manage against their needs.

Bekah: Working with Actions every day, I sometimes forget how impactful the fundamentals are. Going through these guides, especially the Essentials of automation module, reminded me how much you can achieve with a basic understanding of workflow automation. 

Learning Pathways include valuable insights from world-class teams who use GitHub. Did any particular insight really stand out for you?

Jessi: I think it’s interesting how large companies with similar goals often have completely different implementation approaches. Thankfully, we’ve built a platform that can flexibly handle many different development and administrative needs. The guide on strategies for using organizations in GitHub Enterprise Cloud, for example, shows how Fidelity and Philips both want to encourage innersource, but take different structural approaches to getting there.

"Now, we have all of our developers and our internal code in a single GitHub organization where we set our internal repositories to read access by default, which makes it easier to discover and reuse code."

-Niek Palm // Principal Software Engineer // Philips

"We ended up using the red-green-sandbox-archive, which provided us with an open, visible model that would promote innersource, re-use, and discovery, while also giving us the security and compliance controls we needed for our highly-confidential and regulated code."

-Ger McMahon // Product Area Leader // Fidelity

Bekah: Salesforce’s migration experience and their success with the GitHub Actions Importer tool was great to hear. The self-serve nature of GitHub Actions empowered them to collaborate across the enterprise. Mauricio Gomes, Principal Engineer at Salesforce, shares this insight in our guide on Planning for migration to GitHub Actions: “We had a tight 60-day deadline to migrate our entire CI/CD pipeline to a new system. The GitHub Actions Importer tool was crucial for this transition, making it easier to move configurations and settings. The self-serve functionality was particularly beneficial because it allowed more team members to get involved, giving everyone a solid starting point. IssueOps was another game-changer for us; it streamlined how we handled incidents and made coordination seamless. All these elements together ensured that we met our deadline while maintaining the integrity and performance of our pipeline.”

Nick: As I mentioned earlier, the default configurations for GitHub Advanced Security’s core features are good enough for most. But there are times when it makes sense to customize your setup. KPMG Engineering Director Leonid Stolyarov explains why they decided to go beyond CodeQL’s defaults: "We enabled advanced setup at KPMG because we saw the benefit of using CodeQL not just for security, but for code quality as well. Pull request reviews are great, but can only get you so far. We use several automated linting and code quality tools, but we've found that no tool catches everything. GitHub's security-and-quality query pack helps us catch things we wouldn't catch otherwise.”

Coming soon: GitHub certifications

GitHub certifications validate your skills, credibility, and knowledge of the technologies and tools that are used by more than 100 million developers worldwide. Our new certification program will be generally available in early 2024. If you are planning to attend GitHub Universe in person on November 8-9, make sure to take the exam and become one of the first to be certified. If you can't make it in person, sign up for the waitlist to secure priority scheduling once the program launches.

New from The ReadME Project 

Building autonomy with AI by Mike Melanson

Dr. Chieko Asakawa has been working on accessible technology for decades. She helped bring Braille to the digital world in the 1980s, and created the first screen reader for the web in the 1990s. Today, she's working on an AI-enabled suitcase that can help navigate airports and other spaces. She says collaboration is the key to making tech more empowering.

CodeQL: A quick-start guide by Denys Lashchevskyi

Transform your code into a structured database that you can use to surface security vulnerabilities and discover new insights.

Scaling standards and community in your organization by Nick Penston

Learn how to apply open source community ideas to your organization to spread standards and best practices without sacrificing autonomy and innovation.

GitHub's Learning Pathways are your gateway to learning the intricacies of the platform. From automation and security to administration & governance, elevate your skills by learning from the experts. Start your learning journey today!