>_
2026 // UPDATED EDITION

Git & GitHub
Complete Master Notes

From the four-stage Git architecture to Git 2.54's git replay, merge queues, reusable GitHub Actions, supply-chain security, and Copilot coding agents — everything a developer needs in one dark, distraction-free reference.

15
Sections
60+
Commands
10
Mermaid Diagrams
2026
Updated For

📁 Fundamentals

01

Git vs GitHub, the 4-stage architecture, install & global config.

🌿 Branching

03

Branch models, merge strategies, conflict resolution with diagrams.

🆕 Git 2.54

09

git replay, --no-auto-advance, and the latest core Git changes.

⚙️ Actions 2026

11

Rebuilt Actions architecture, reusable workflows, OIDC, merge queues.

🛡️ Security

12

CodeQL, secret scanning, Copilot Autofix, signed commits.

🤖 Copilot Agents

13

Coding agent, agent mode, MCP support, worktree-based parallel sessions.

01Fundamentals

Git vs GitHub · the 4-stage architecture · installation

🔧 Git

local

A distributed version control system installed on your machine. Tracks every change to your files and lets you branch, merge, and roll back history offline.

☁️ GitHub

remote

A cloud platform built around Git that adds collaboration: pull requests, issues, Actions, code review, and project management.

The Four-Stage Architecture

flowchart LR
  A[Working Directory] -- "git add" --> B[Staging Area / Index]
  B -- "git commit" --> C[Local Repository]
  C -- "git push" --> D[Remote — GitHub]
  D -- "git pull / fetch" --> A
  style A fill:#15181b,stroke:#39ff7a,color:#fff
  style B fill:#15181b,stroke:#4fb6ff,color:#fff
  style C fill:#15181b,stroke:#ffd166,color:#fff
  style D fill:#15181b,stroke:#ff5b77,color:#fff
Fig 1.1 — File lifecycle from your editor to GitHub

Install & Global Config

bash
git --version
git config --global user.name "Your Name"
git config --global user.email "you@example.com"
git config --global init.defaultBranch main
git config --global core.editor "code --wait"
git config --list

02Core Workflow

init, add, commit, status, log, diff

bash
git init                       # start a new repo
git clone <url>                # copy a remote repo
git status                     # see what changed
git add file.js                # stage a file
git add .                      # stage everything
git commit -m "feat: add login"
git log --oneline --graph --all
git diff                       # unstaged changes
git diff --staged              # staged changes
CommandPurpose
git restore fileDiscard unstaged changes
git restore --staged fileUnstage a file (modern alternative to git reset)
git commit --amendEdit the last commit's message/content
git show <commit>Inspect a single commit
Tip: Use git add -p to stage changes hunk-by-hunk instead of whole files — essential for clean, atomic commits.

03Branching & Merging

Branch models · merge strategies · resolving conflicts

gitGraph
   commit id: "init"
   branch feature/login
   checkout feature/login
   commit id: "add form"
   commit id: "add validation"
   checkout main
   commit id: "hotfix"
   merge feature/login id: "merge login"
   branch feature/payments
   checkout feature/payments
   commit id: "stripe setup"
   checkout main
   merge feature/payments
Fig 3.1 — Feature branch workflow merging into main
bash
git branch feature/login         # create
git checkout feature/login       # switch
git switch -c feature/login      # create + switch (modern)
git merge feature/login          # merge into current branch
git branch -d feature/login      # delete (merged)
git branch -D feature/login      # force delete

Merge Conflicts

flowchart TD
  A[Two branches edit same lines] --> B{git merge}
  B -->|No overlap| C[Auto-merged ✅]
  B -->|Overlap| D[Conflict markers added]
  D --> E["<<<<<<< HEAD  ...  =======  ...  >>>>>>> branch"]
  E --> F[Manually edit file]
  F --> G[git add resolved-file]
  G --> H[git commit]
  style C fill:#0d1f12,stroke:#39ff7a,color:#39ff7a
  style D fill:#2b1212,stroke:#ff5b77,color:#ff8a8a
Fig 3.2 — Conflict detection-to-resolution flow
Strategy comparison: git merge preserves full history with a merge commit; git merge --squash condenses a branch into one commit; git rebase rewrites history into a straight line (see Section 04).

04Rebase & History

Linear history · interactive rebase · merge vs rebase

flowchart LR
  subgraph Merge
  direction LR
  m1((A)) --> m2((B)) --> m3((C))
  m1 --> m4((D)) --> m5((E))
  m3 --> m6((M))
  m5 --> m6
  end
  subgraph Rebase
  direction LR
  r1((A)) --> r2((B)) --> r3((C)) --> r4((D')) --> r5((E'))
  end
  style m6 fill:#0d1f12,stroke:#ffd166,color:#ffd166
Fig 4.1 — Merge keeps both histories; rebase replays commits onto a new base
bash
git rebase main                  # rebase current branch onto main
git rebase -i HEAD~3              # interactive: squash/reword/reorder
git rebase --continue
git rebase --abort
git pull --rebase                 # avoid merge-commit noise on pull
Golden Rule: Never rebase commits that have already been pushed and shared with others — it rewrites history and breaks teammates' clones.

05Remote & Collaboration

push, pull, fetch, forks, upstream

flowchart LR
  L[Local Repo] -- "git push origin main" --> O[origin — your fork]
  O -- "Pull Request" --> U[upstream — main repo]
  U -- "git fetch upstream" --> L
  O -- "git clone" --> L
  style O fill:#15181b,stroke:#4fb6ff
  style U fill:#15181b,stroke:#39ff7a
Fig 5.1 — Fork-based contribution model
bash
git remote add origin <url>
git remote add upstream <original-repo-url>
git push -u origin main
git pull origin main
git fetch --all --prune
git remote -v

06Worktree & Sparse Checkout

Work on multiple branches in parallel · partial clones for huge repos

Worktrees let you check out several branches simultaneously in separate folders without stashing or cloning again — now a first-class feature in GitHub Desktop 3.6, which uses worktrees so Copilot can run isolated parallel agent sessions.

bash
# Add a new worktree for a branch
git worktree add ../hotfix-area hotfix/critical-bug
git worktree list
git worktree remove ../hotfix-area

# Sparse checkout — only pull the folders you need
git clone --filter=blob:none --sparse <url>
git sparse-checkout set src/ docs/

# Partial clone — skip large blob history
git clone --filter=blob:none <url>
Why it matters in 2026: Monorepos and AI coding agents both push the same need — spin up an isolated workspace instantly. Worktrees + partial clone keep huge repositories fast for both humans and agents.

07Stash, Tags & Reflog

Temporary saves · release markers · the ultimate safety net

📦 Stash

temp

Shelve uncommitted work to switch context, then bring it back later.

🏷️ Tags

release

Immutable pointers to a commit — used for versioning (v1.0.0, v2.3.1).

bash
git stash                       # save working changes
git stash list
git stash pop                   # reapply + remove from stash
git stash apply stash@{1}       # reapply, keep in stash

git tag -a v1.0.0 -m "First release"
git push origin --tags

git reflog                      # every HEAD movement, ~90 days
git reset --hard HEAD@{2}       # time-travel back to a reflog entry

08Cherry-pick & Bisect

Pulling single commits · binary-searching for bugs

bash
git cherry-pick abc1234          # apply one commit onto current branch

git bisect start
git bisect bad                   # current commit is broken
git bisect good v1.2.0           # this old tag was fine
# Git checks out the midpoint — test it, then:
git bisect good   # or
git bisect bad
git bisect reset                 # done
flowchart LR
  G[good v1.2.0] --> M1((mid)) --> M2((mid)) --> B[bad HEAD]
  M1 -- "bisect bad" --> M3((narrower mid))
  M3 -- "bisect good" --> F[🎯 first bad commit found]
  style F fill:#0d1f12,stroke:#39ff7a,color:#39ff7a
Fig 8.1 — Binary search isolates the offending commit in O(log n) steps

09Git 2.54 — What's New

The latest stable Git release and its headline features

git replay (maturing)

An experimental command that replays a range of commits onto a new base without touching your working tree — useful for rewriting history on bare repos or automation pipelines. Git 2.54 made it perform atomic reference updates by default, added a --revert mode, support for dropping commits that become empty, and the ability to replay down to the root commit.

bash
git replay --onto main feature~5..feature
git replay --revert main~3..main
git replay --contained --onto main feature

git add -p --no-auto-advance

Normally git add -p auto-advances to the next file once every hunk is decided. The new flag keeps the session on the current file so you can navigate with < / > and review decisions holistically before committing.

bash
git add -p --no-auto-advance
Also in recent Git releases: faster git status on large monorepos, improved partial clone filters, safer default merge strategies (ort), and continued FSMonitor performance work for huge working trees.

10Pull Requests & Reviews

Code review · merge queues · branch protection

sequenceDiagram
  participant Dev as Developer
  participant Repo as Feature Branch
  participant PR as Pull Request
  participant CI as CI Checks
  participant Main as main
  Dev->>Repo: git push origin feature
  Repo->>PR: Open PR
  PR->>CI: Trigger Actions
  CI-->>PR: ✅ checks pass
  PR->>PR: Reviewer approves
  PR->>Main: Merge (or via Merge Queue)
Fig 10.1 — Standard PR lifecycle with required checks
FeaturePurpose
Merge QueueSerializes PR merges, re-testing each against the latest main before merging — prevents "broken main" from racing merges
CODEOWNERSAuto-requests review from the right people based on changed file paths
Branch Protection RulesRequire reviews, passing checks, signed commits, and linear history before merge
Draft PRsOpen work-in-progress PRs for early feedback without triggering "ready to merge" signals

11GitHub Actions (2026)

Rebuilt core architecture · reusable workflows · OIDC · CI/CD observability

GitHub rebuilt Actions' core execution architecture in 2025–26 to improve performance, workflow flexibility, and reliability, and the 2026 roadmap focuses on secure-by-default policies, org-wide policy controls, and end-to-end CI/CD observability for the software supply chain.

flowchart TD
  A[Push / PR / Schedule] --> B[Workflow Triggered]
  B --> C[Job: build]
  B --> D[Job: test]
  C --> E[Job: deploy]
  D --> E
  E --> F[GitHub Pages / Registry / Cloud]
  style F fill:#0d1f12,stroke:#39ff7a,color:#39ff7a
Fig 11.1 — Typical CI/CD pipeline as parallel + dependent jobs
.github/workflows/ci.yml
name: CI
on:
  push: { branches: [main] }
  pull_request: { branches: [main] }
  workflow_dispatch:

jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: '20' }
      - run: npm ci
      - run: npm test
      - run: npm run build

Reusable Workflows & OIDC

bash / yaml
# call a shared workflow from another repo
jobs:
  call-shared:
    uses: org/shared-workflows/.github/workflows/deploy.yml@v2
    secrets: inherit

# OIDC — push to cloud without storing long-lived secrets
permissions:
  id-token: write
  contents: read
Why OIDC matters: Workflows authenticate to AWS/Azure/GCP using short-lived tokens instead of static secrets stored in repo settings — a core 2026 secure-default recommendation.

12Security & Supply Chain

CodeQL · secret scanning · Copilot Autofix · signed commits

🔍 CodeQL

SAST

Semantic code analysis that scans every pull request for vulnerabilities before merge.

🔑 Secret Scanning

leak

Detects leaked API keys, tokens, and credentials in commits — can block pushes containing secrets.

🩹 Copilot Autofix

AI

Generates automatic patches for ~90% of common alert types across JS, TS, Java, and Python.

✍️ Signed Commits

GPG/SSH

Cryptographically verify commit authorship; branch protection can require it.

bash
git config --global commit.gpgsign true
git config --global user.signingkey <KEY_ID>
git commit -S -m "signed commit"
git log --show-signature -1
2026 reality check: Supply-chain attacks have escalated — including AI-enabled attacks via malicious pull requests on misconfigured repos. Always audit dependencies, require MFA org-wide, and enable Dependabot + secret scanning by default.

13Copilot & AI Agents

Coding agent · agent mode · MCP · remote control

flowchart LR
  A[Assign issue to Copilot] --> B[Copilot Coding Agent]
  B --> C[Runs in GitHub Actions sandbox]
  C --> D[Writes code in isolated worktree]
  D --> E[Opens Pull Request]
  E --> F[Human review & merge]
  G[Mobile / github.com] -- "remote control" --> B
  style B fill:#0d1f12,stroke:#39ff7a,color:#39ff7a
Fig 13.1 — Copilot coding agent lifecycle: issue → PR
  • Copilot coding agent — assign an issue, it runs autonomously in a GitHub Actions sandbox and submits a PR for review.
  • Agent mode + MCP support — in VS Code, Copilot can call Model Context Protocol tools to read docs, run tests, and act across your toolchain.
  • Remote control — start a Copilot session from VS Code or the CLI and finish it from GitHub Mobile or github.com.
  • GitHub Desktop 3.6 — Copilot SDK powers AI commit-message generation and AI-assisted merge-conflict resolution, plus native worktree support for parallel agent sessions.
  • Code review agent — Copilot can review PRs automatically and leave inline suggestions before a human ever looks.
Model choice: Copilot now offers model selection across Anthropic, OpenAI, and Google models, plus BYOK (bring your own key) for third-party or local models.

14Hooks & Submodules

Automate local checks · nest repositories

bash
# .git/hooks/pre-commit (make executable)
#!/bin/sh
npm run lint || exit 1

git submodule add <url> libs/shared
git submodule update --init --recursive
git submodule foreach git pull origin main
HookFires
pre-commitBefore a commit is created — lint/format checks
commit-msgValidates commit message format (e.g. Conventional Commits)
pre-pushBefore pushing — run tests, block on failure

15Quick Reference Cheatsheet

Everything on one screen

📁 SETUP

git initgit clone urlgit config --global user.name

🔍 STATUS

git statusgit log --oneline --graphgit diff

➕ STAGING

git add .git add -pgit restore --staged file

💾 COMMIT

git commit -m "msg"git commit --amendgit commit -S -m "msg"

🌿 BRANCH

git switch -c namegit merge namegit branch -d name

☁️ REMOTE

git push -u origin maingit pull --rebasegit fetch --prune

🔄 ADVANCED

git rebase -i HEAD~3git replay --onto main A..Bgit cherry-pick <sha>

📦 STASH/TAG

git stash / stash popgit tag -a v1.0.0git reflog

🧩 WORKTREE

git worktree add ../x brgit sparse-checkout set src/git clone --filter=blob:none

🎯 Key Takeaways

  1. Git = local version control. GitHub = remote collaboration + automation platform.
  2. 4 stages: Working Directory → Staging → Local Repo → Remote (GitHub).
  3. Rebase = linear history; merge = preserved history. Never rebase shared/public branches.
  4. Worktrees let you (and Copilot agents) work on several branches at once without stashing.
  5. git replay is the modern, working-tree-free way to move commits onto a new base.
  6. Merge queues + branch protection keep main green even with concurrent PRs.
  7. Security is default-on in 2026: CodeQL, secret scanning, signed commits, OIDC over static secrets.
  8. Copilot coding agent turns an assigned issue straight into a reviewable pull request.
  9. Reflog is your 90-day safety net — almost nothing in Git is truly unrecoverable.
  10. Sparse checkout + partial clone keep massive monorepos fast for humans and agents alike.