[Update: May 25, 2022 - GitHub integration is now re-enabled. You can connect to GitHub immediately or wait for the enhanced integration as described below. To re-establish your GitHub connection now, please follow these instructions.]
We know you are waiting for us to re-enable our integration with GitHub, and we've committed to you that we would only do so following a security review. We are happy to report that the review has now been completed.
One area of focus was the scope of the tokens we request from GitHub and store on your behalf. Currently, when you authenticate with GitHub using OAuth, we request the repo scope. The repo scope gives us the permissions necessary to connect a Heroku pipeline to your repo of choice and allows us to monitor your repos for commits and pull requests. It also enables us to write commit status and deploy status to your repo on GitHub. As the GitHub OAuth integration is designed, it provides us with greater access than we need to get the integration working.
To improve the security model of the integration, we are exploring additional enhancements in partnership with GitHub, which include moving to GitHub Apps for more granular permissions and enabling RFC 8705 for better protection of OAuth tokens. As these enhancements require changes by both Heroku and GitHub, we will post more information as the engagement evolves.
Meanwhile, we are working quickly to re-enable the integration after running through a detailed checklist with the current permissions in place. Once the integration is re-enabled, you will be able to reconnect with GitHub and restore the Heroku pipeline functionality, including review apps, with newly generated tokens. We will be turning the integration back on next week and will notify you via a Heroku status post when it is available again for use.
When we re-enable the integration next week, you will be able to reconnect to GitHub or choose to wait for us to improve our integration with GitHub as described earlier. The choice is yours. Either way, we recommend git push heroku to keep your services up and running until you choose to reconnect with GitHub on Heroku.
Thank you for your patience. We are as excited as you are to re-enable the GitHub integration, as we know you are eager to start using it again.