Understanding secure authentication is fundamental for any developer. SSH keys and PATs replace insecure password-based workflows for Git operations, while 2FA protects the account itself. Mastering these tools ensures code integrity and prevents unauthorized access to repositories.
Welcome back to GitHub for Beginners. This is the final episode of the season, and we’ve covered a lot so far. Make sure to check out our other episodes to see all the various topics we’ve discussed.
Today, we’re going to spend some time answering some questions that people often have, especially when they’re first getting started. So without further ado, let’s jump right in.
As always, if you prefer to watch the video or want to reference it, we have all of our GitHub for Beginners episodes available on YouTube.
An SSH key is a secure shell key. It’s a pair of files on your computer that has two parts: a private key and a public key.
The private key stays on your computer and should never be shared. The public key is what you share with platforms like GitHub. When you store your public key on GitHub, git uses your private key to confirm your identity when you push and pull code. In order for you to be authenticated, your public key on GitHub needs to match the private key on your computer.
So how do you do this? Let’s create a key pair and add your public key to GitHub now.
(And remember, if you prefer a video walkthrough, that is available.)
ssh-keygen –t ed25519 – C YOUREMAIL@DOMAIN.COMThis will create your new SSH key. Now you want to add it to your ssh-agent. An ssh-agent is a program that securely stores your keys so that you don’t need to keep entering your passphrase.
| 🔍 To learn more, check out our docs about adding your SSH key to ssh-agent. |
To add this new SSH key to the ssh-agent, run the following command. Note that you will need to add your passphrase when prompted.
ssh-add ~/.ssh/id_ed25519Now that you have created the SSH key and configured your ssh-agent, the next step is adding the public key to GitHub.
cat ~/.ssh/id_ed25519.pubCongratulations! Your computer is now configured to connect to GitHub over SSH.
PAT stands for Personal Access Token. A PAT is a special credential that you create on GitHub for tools that need authentication. You control its permissions and can revoke it any time. On GitHub, you’ll commonly use a PAT to authenticate via command line or the GitHub API.
There are two types of PATs available: fine-grained tokens and classic tokens. First we’ll walk through creating a fine-grained PAT.
| 🔍 For more information, check out our documentation about Personal Access Tokens. |
Now let’s go through creating a classic token. As you’ll see, it’s very similar in several ways.
This creates the classic token. The next time that GitHub asks for your password in a terminal, instead of supplying your password, you could paste this token.
A merge conflict is what happens when two changes touch the same part of a file, and git needs your help to decide what the final version should be. There are a few different ways you can resolve this, but we’re just going to walk through it using the GitHub UI.
This updates your pull request with the merged conflict and now you’ll be able to merge that change into your repository. Well done!
Now let’s talk about the difference between merging and rebasing, and when you might want to use one over another.
Merging combines changes from one branch into another by creating a new commit that ties both histories together. It preserves the history of both branches. You should merge when you want to preserve the full history of how work happened. This is commonly used for feature branches that are going to be merged into main, such as when you’re adding new functionality.
On the other hand, rebasing moves or replaces your branch’s commits on top of another branch. It rewrites the history to create a linear and cleaner commit timeline. You should rebase when you want a clean linear history, like when you are updating your feature branch to pull in the latest changes from main. For example, if you are working on a feature, but you want to pull in the latest changes from main before merging.
Let’s say that you’re in a situation where you’ve already pushed your commit to your branch, and you want to undo it. You can undo your commit through the GitHub UI.
If your changes are local, and you haven’t yet pushed to a branch, you can locally revert your commit by running the following command.
git reset --soft HEAD~1This removes the commit from your local repository, but keeps your work staged so that you don’t lose any changes. If you would rather undo your changes even locally to reset your workspace, you can use the following command. Just realize that by doing this, you might lose your work!
git reset --hard HEAD~1 Forking a repository creates your own copy of a project so that you can explore or make changes to it without affecting the original repository. This is especially important when you want to contribute to an open source project. Here’s how you can fork a repository.
| 🔍 You can learn more about forking by checking our documentation. |
Now that you’ve created the fork, you want to make sure that you still pull in the latest changes from the upstream repository. Otherwise, your forked copy can quickly become out of date.
When you do this, GitHub automatically pulls in the latest changes from the upstream repository to keep your fork up to date. You can also do this from the command line.
git remote add upstream YOUR_ORIGINAL_REPOSITORY_URLgit fetch upstreamgit merge upstream/maingit push origin mainNow you know how to work in your own copy of a project and keep your work synchronized!
A pull request (often abbreviated PR) is a place to share code and talk about changes. Here are three helpful practices to keep in mind when you’re reviewing a pull request.
| 🔍 Learn more about reviewing pull requests by taking a look at our documentation on the topic. |
When everything looks ready, use the Submit review button to approve the changes or request updates.
Copilot code review can also help you understand pull requests and suggest improvements. Note that in order to use Copilot, your organization admin needs to enable Copilot for either your repository or your user account. Once Copilot is enabled, you don’t need to install anything special—Copilot code review will automatically appear as an option in pull requests.
In a short amount of time, Copilot will complete its review. You can scroll down and see the comments left by Copilot. It always leaves a “Comment” type of review, not an “Approve” or “Request changes” type of review. This means that Copilot reviews do not count toward required approvals nor will they block merging changes.
| 🔍 Learn more by checking out our Copilot code review documentation. |
And that’s a wrap! With this episode, we’ve finished another season of GitHub for Beginners, ending with some of the most common questions we’ve seen or heard. We hope that you found this information helpful, and don’t forget to check out our full library of GitHub for Beginners topics.
Happy coding!
The post GitHub for Beginners: Answers to some common questions appeared first on The GitHub Blog.
Continue reading on the original blog to support the author
Read full articleGitHub Universe 2026 highlights the shift toward agentic workflows, where AI agents become core collaborators in software development. For engineers, it's a chance to move from AI demos to practical, integrated workflows while networking with peers solving similar scale problems.
AI is evolving from simple autocomplete to autonomous agents that handle complex SDLC tasks. GitHub's leadership highlights the shift toward orchestrating outcomes rather than just writing code, promising significant productivity gains and better governance for enterprise engineering teams.
GitHub is raising the bar for bug bounty submissions to combat low-quality AI noise. This matters to engineers as it clarifies the shared responsibility model for platform security and sets a standard for validating AI-assisted security research and vulnerability reporting.
These laws could force developers to implement complex age-tracking APIs and centralized data collection. For open source contributors, this creates significant compliance burdens and conflicts with decentralized norms, potentially altering how software is distributed and accessed.