Replacing the GitHub Apps "Creating an installation access token" endpoint

We are announcing the deprecation plan of the previously deprecated "Create an installation access token" endpoint: POST /installations/:installation_id/access_tokens.

The supported replacement endpoint is named consistently with other GitHub Apps API endpoints and has been available since 2018.

Deprecation Timeline

Brownouts

During a brownout, calls to the old version of this endpoint will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

• August 1 2020

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

• September 1 2020

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

Removal Date

The legacy "Create an installation access token" endpoint will be disabled at the earliest on October 1 2020.

Changes to make

Replace all uses of the deprecated endpoint for creating an installation token for a GitHub App with the new endpoint:

POST /app/installations/:installation_id/access_tokens

If you have any questions or feedback, please let us know!

Replacing the integration_installation and integration_installation_repositories webhook events

We are announcing the deprecation of two legacy GitHub Apps-related webhook events:

• integration_installation
• integration_installation_repositories

These events have been undocumented for some time and will be removed on the following timeline.

Deprecation Timeline

Brownouts

During a brownout, the deprecated events will not be sent. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated event subscriptions. If this brownout is causing significant disruptions for your service, please contact support.

The brownouts are scheduled for:

• August 1 2020

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

• September 1 2020

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

Removal date

The legacy integration_installation and integration_installation_repositories events will no longer be sent after October 1 2020.

Changes to make

Replace all uses of the integration_installation and integration_installation_repositories events with the new events:

• installation
• installation_repositories

If you have any questions or feedback, please let us know!

Expanding REST API support for triage and maintain roles

We are expanding support for the triage and maintain permissions in the REST API. Users with the triage or maintain permissions can now use endpoints that reflect what they can do in a repository, such as adding a label to an issue. Additionally, these new permissions can now be granted and managed via the API and will show up as assigned roles in API responses.

For more information about these roles, see "Repository permission levels for an organization" in the GitHub Help documentation.

Endpoints you can access with the triage permission

• POST /repos/:owner/:repo/issues/:issue_number/labels
• DELETE /repos/:owner/:repo/issues/:issue_number/labels/:name
• POST /repos/:owner/:repo/issues/:issue_number/assignees
• DELETE /repos/:owner/:repo/issues/:issue_number/assignees
• POST /repos/:owner/:repo/pulls/:pull_number/requested_reviewers

Endpoints you can access with the maintain permission

• PUT /repos/:owner/:repo/topics
• PUT /repos/:owner/:repo/interaction-limits
• All of the endpoints that you can use with the triage permission role:
  • POST /repos/:owner/:repo/issues/:issue_number/labels
  • DELETE /repos/:owner/:repo/issues/:issue_number/labels/:name
  • POST /repos/:owner/:repo/issues/:issue_number/assignees
  • DELETE /repos/:owner/:repo/issues/:issue_number/assignees
  • POST /repos/:owner/:repo/pulls/:pull_number/requested_reviewers

Endpoints to assign, update, or view permissions

These endpoints will now work to manage the triage and maintain permissions.

• PUT /repos/:owner/:repo/collaborators/:username
• GET /repos/:owner/:repo/invitations
• PATCH /repos/:owner/:repo/invitations/:invitation_id
• GET /user/repository_invitations
• GET /orgs/:org/teams/:team_slug/repos/:owner/:repo
• PUT /orgs/:org/teams/:team_slug/repos/:owner/:repo
• GET /orgs/:org/teams/:team_slug/repos

Shadow-cat and Gambit previews graduate

Some API previews have graduated and are now an official part of the API. These preview headers are no longer required.

gambit preview graduates

The "Delete an installation" endpoint no longer requires the gambit preview.

 application/vnd.github.gambit-preview+json

For more information about this endpoint, see the "Delete an installation."

shadow-cat preview graduates

To create a draft pull request or see whether a pull request is in a draft state, you no longer need to use the shadow-cat preview.

application/vnd.github.shadow-cat-preview+json

For more information about the affected endpoints, see the "Pull Requests API."

Thanks again to everyone that tried out these API features during the preview period.

Actions API GA

The Actions API is now generally available and out of Beta! For more information about this API, see the "Actions API."

Thank you to everyone who tried out this API and provided feedback during the beta period.

Temporary GraphQL Explorer downtime

We are temporarily removing access to GraphQL Explorer so we can improve how it works in different browsers.

The downtime is scheduled for:

• March 20, 2020
  • From 3:00 PM UTC - 5:00 PM UTC

We apologize for any inconvenience during this time.

Filtering jobs for a workflow run

We are introducing a breaking change to the List jobs for a workflow run endpoint.

The new default behavior will list jobs from the most recent execution of the workflow run. You can specify all with the filter parameter when you want to see all jobs for a particular workflow run, including from old executions of the workflow run.

Please update your code accordingly, and let us know if you have any questions.

Replacing the "Delete reactions" endpoint

We are announcing a new set of "Deleting reactions" endpoints in the Reactions API to replace the existing "Delete reactions" endpoint DELETE /reactions/:reaction_id.

The new endpoints will allow us to scale and support the Reactions API long-term.

Deprecation timeline

The existing "Delete reaction" endpoint deleting a reaction will be disabled a year from now at the earliest on February 1st 2021.

Replacement endpoints

These are the new replacement Reaction API endpoints for deleting reactions:

• Delete a commit comment reaction
  • DELETE /repos/:owner/:repo/comments/:comment_id/reactions/:reaction_id

• Delete an issue reaction
  • DELETE /repos/:owner/:repo/issues/:issue_number/reactions/:reaction_id

• Delete a reaction to a commit comment
  • DELETE /repos/:owner/:repo/issues/comments/:comment_id/reactions/:reaction_id

• Delete a pull request comment reaction
  • DELETE /repos/:owner/:repo/pulls/comments/:comment_id/reactions/:reaction_id

• Delete team discussion reaction
  • DELETE /orgs/:org/teams/:team_slug/discussions/:discussion_number/reactions/:reaction_id

• Delete team discussion comment reaction
  • DELETE /orgs/:org/teams/:team_slug/discussions/:discussion_number/comments/:comment_number/reactions/:reaction_id

Deprecating OAuth Application API

As mentioned in this previous blog post, GitHub no longer supports the OAuth application endpoints and have replaced them with a version that moves the access token to the request body for improved security.

This deprecation has not been applied to GitHub Enterprise offerings yet. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have the OAuth Application API removed.

Deprecation timeline

Brownouts

During a brownout, calls to the old version of OAuth application endpoints will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

• March 17, 2021

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

• April 14, 2021

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

Removal date

All calls to the old version of the OAuth application endpoints will return a status code of 404 starting on:

• May 5, 2021 at 4:00 PM UTC

Changes to make

Using calls to OAuth Application API

If you're using the version of the OAuth Application API that includes :access_token in the path like:

curl -u my_client_id:my_client_secret -X POST "https://api.github.com/applications/123/tokens/my_access_token"

Instead, you'll need to call the new version that moves :access_token in the request body:

curl -u my_client_id:my_client_secret -X PATCH "https://api.github.com/applications/123/token -d {"access_token": "my_access_token"}"

See the list of OAuth application endpoints below that you'll need to replace with the new endpoints.

Endpoints affected

The following list of OAuth Application endpoints are deprecated and should be replaced with the new corresponding endpoints.

If you have any questions or feedback, please let us know!

Deprecating OAuth Authorization API

As mentioned in this previous blog post, GitHub has deprecated the OAuth authorization endpoints and recommends that integrators switch to the web application flow to generate access tokens.

Since the OAuth Authorization API requires password authentication, this API will not work once password authentication has been deprecated.

This deprecation has not been applied to GitHub Enterprise offerings, yet. Though, we still recommend GHES customers to make the changes in their applications, if possible. Please check the latest Enterprise release notes to learn when deprecation is initiated and on which GHES version OAuth Authorization API will be removed.

Deprecation timeline

Removal date

All calls to the OAuth authorization endpoints will return a status code of 404 starting on:

• November 13, 2020 at 4:00 PM UTC

Brownouts

During a brownout, calls to the old version of the OAuth Authorization API will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

• September 30, 2020

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

• October 28, 2020

  • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

Changes to make

Calls to OAuth Authorizations API

If you're making OAuth Authorization API calls to manage your OAuth app's authorizations or to create personal access or OAuth tokens like:

curl -u my_username:my_password -X POST "https://api.github.com/authorizations" -d '{"scopes":["public_repo"], "note":"my token", "client_id":"my_client_id", "client_secret":"my_client_secret"}'

Then you must switch to the web application flow to generate access tokens.

Endpoints affected

The following list of OAuth authorization endpoints are deprecated:

• GET /authorizations
• GET /authorizations/:authorization_id
• POST /authorizations
• PUT /authorizations/clients/:client_id
• PUT /authorizations/clients/:client_id/:fingerprint
• PATCH /authorizations/:authorization_id
• DELETE /authorizations/:authorization_id
• GET /applications/grants
• GET /applications/grants/:grant_id
• DELETE /applications/grants/:grant_id

If you have any questions or feedback, please let us know!