DEV Community

Luke Cartwright

Heroku's GitHub integration has been stopped due to attack. Are you affected?

This morning Heroku blocked all GitHub integrations 'until further notice' (see the note here).

This means that users can't deploy new features to Heroku via automatic deployments. I only found this out after an email was sent at 4am this morning informing me of this.

I am now fully understanding the impact.

When I push features to GitHub, there is an automatic deployment to Heroku. This returned an error of unauthorised. I went to the Heroku dashboard and saw I needed to reconnect my GitHub. Odd, I thought. So I disconnected and tried to reconnect, but then I get an internal error. Brilliant.

So now, 'until further notice', I am unable to deploy any new features to my Heroku app. There is a suggestion to deploy directly via git, but that is a big workaround to set up the Heroku remote and use Heroku instead of GitHub.

Surely I'm not the only one affected. Anyone else having these issues?

[Update] Upon further research, Heroku has blocked current GitHub tokens and any created ones to protect against future attacks at the moment. It was noticed an attacker had stolen some GitHub access tokens to get private repos on GitHub. To protect all users, this integration between GitHub and Heroku has been stopped until this has been fixed. Please read more at:
https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

Top comments (7)

Dan

FYI: There is a GitHub action to deploy to Heroku.

I have been using this for a while because the GitHub integration didn't exist when I first deployed my projects & it isn't worth my time to migrate.

Luke Cartwright • Edited

Thank you for sharing this

Luke Cartwright

Thank you for replying. Yeah, it was a quick response. And because it's Easter as well, it's thankfully not affecting as many people as usual.

I can add a new git remote, but it's just a hassle compared to the automated deploys.

It's times like these when things fall apart when you realise how dependent you are on them.

Gulshan Aggarwal

I got the same email yesterday.

Luke Cartwright

Here is more on the story:
github.blog/2022-04-15-security-al...

Luke Cartwright

Thanks to this article being shared on the dev community group on Facebook this has not crossed 1200 views. Thank you 🤯

Bruce Johnson

Yes, I just got this error tonight... Would've thought they'd have created some sort of fix by now... 😬 Wonder how long this'll last...