@pbiggar
Last active January 31, 2017 10:27
Getting your CircleCI builds up and running again

In order to get your builds working again, we need to reauthenticate with GitHub and other services used in your build.

Logging in

When you log in to CircleCI via GitHub's OAuth, we get an API key to call the GitHub API, update the GitHub commit status, list your projects on the add projects page, etc.

We revoked all OAuth tokens to protect your GitHub repositories. The first time you log in to Circle, you'll have to reauthenticate the Circle GitHub application to get a new token.

The checkout phase

When you first follow a repo, we auto-generate a unique SSH key and use your GitHub token to add it to your repo's "deploy" keys. We revoked these keys to protect your code, and so they will need to be replaced with new ones for your checkouts to succeed on CircleCI.

A new key will be created the next time an admin follows the project. You can trigger this by having an admin unfollow and refollow the project from the add projects page or from the project's settings page (https://circleci.com/gh/:orgname/:reponame/settings).

If you see an error about permissions, you should validate that you're an admin, or ask an admin to perform the unfollow-and-refollow step.

Until you re-add an SSH key to checkout code, your builds will be marked as "not run".

Environment variables

We have not deleted any environment variables from the CircleCI UI. However, we have worked with some providers to revoke their keys, such as Stripe and Coveralls.

If your environment variables include API tokens for 3rd parties, you should revoke those keys and upload new ones.

Multi-repo builds

GitHub "user keys" have access to all of your GitHub repos. We do not use these by default, but they can be useful to run tests which have dependencies in multiple GitHub repositories, which is common with bundler, npm, pip, composer, etc.

If you set yourself as the "GitHub user" for one of your projects, we can automatically generate a user key and add it to your GitHub account. All user keys have been revoked, but you can generate a new one from the Project Settings > GitHub User page.

Deploying to Heroku

We worked with Heroku to revoke any Heroku API keys uploaded to CircleCI, and any Heroku SSH keys we generated. Both are needed to deploy to Heroku.

You can add a new SSH key by following the instructions on the Project Settings > Heroku page (under the "Continuous deployment" heading). You will need to add a Heroku API key first.

Deploying via SSH

If you deploy via SSH, then you uploaded an SSH public/private keypair to CircleCI.

We did not have access to revoke these keys. You should consider them compromised and work to secure the servers they give access to. We haven't deleted these keys from CircleCI so that you can see what keys need to be revoked. You can find them in the UI on the Project Settings > SSH keys page.

After revoking these keys from your servers, you should replace them on CircleCI with new deployment keys.
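One way to do the server-side revocation, as an added example that is not CircleCI's code: it assumes revoking means removing the key's entry from each server's `authorized_keys` file and that you know the key's fingerprint. The function names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def key_blob(line):
    """Return the decoded public-key blob of an authorized_keys line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPES):
            continue  # still inside the options prefix, e.g. command="..."
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # A well-formed blob starts with its own length-prefixed key type name.
        name = field.encode()
        if blob[:4] == struct.pack(">I", len(name)) and blob[4:4 + len(name)] == name:
            return blob
    return None

def fingerprints(blob):
    """MD5 colon-hex (older OpenSSH) and SHA256 (current OpenSSH) fingerprints."""
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {md5, "SHA256:" + sha}

def revoke(authorized_keys_text, compromised):
    """Split the file into (cleaned text, removed lines) by fingerprint match."""
    kept, removed = [], []
    for line in authorized_keys_text.splitlines():
        blob = None if line.lstrip().startswith("#") else key_blob(line)
        if blob is not None and fingerprints(blob) & set(compromised):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def sample_line(payload, comment, options=""):
    """Constructed entry: a well-formed blob with filler bytes, not a real key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + payload
    return f"{options} ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()

if __name__ == "__main__":
    ci = sample_line(b"\x01" * 32, "deploy@ci", 'command="/srv/deploy.sh --env prod",no-pty')
    ops = sample_line(b"\x02" * 32, "alice@ops")
    cleaned, removed = revoke("# deploy keys\n" + ci + "\n" + ops + "\n", fingerprints(key_blob(ci)))
    print(cleaned, removed)
```

Review the removed lines before writing the cleaned text back, and repeat for every account on every server the key could reach.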

Notifications

We have contacted upstream to revoke the tokens, but we have left them in the UI for now. Update them with new API tokens to reenable notifications. Revoked keys will give harmless warnings on each build.

Invite your colleagues

When GitHub tokens are disabled, we typically unfollow users from their projects. Unfortunately, this happened accidentally this time. So this is a good time to remind your colleagues to log back into Circle and follow their projects again.

CircleCI API tokens

We've revoked all CircleCI API tokens, both user tokens and project tokens. If you used them in a dashboard, in CCmenu, in an app, or via a Status Badge, you'll need to create a new token. You should prefer a token with the lowest possible privilege: tokens with access to only a single project can be created from Project Settings > API tokens.

@alexislefebvre

Project Settings > API tokens has been renamed to Project Settings > API Permissions.
