Just as Pete was saying, a remove & re-add of the DVCS connector cleared up our issue. Tried a bunch of different fixes. This was the only thing that worked.

@Bill Goetz yes believe so - Remove and re-add to tickets.

The tickets themselves don't get transitioned or anything during the remove/re-add IIRC. Just a case of the attribute not being available during the change period.

@Pete Stanley, do the commits essentially get removed from the Jira tickets and re-added after re-sync? Did you see tickets become updated when this occurred? I know you say "little risk", but just trying to do a CYA from my standpoint. 

@Bill Goetz, it really depends on how many repositories and historical commits you have to sync. For our well established GitHub account (About 10 years old with ~100 repos) took about 24 hours to sync. You might want to do it over a weekend or plan an outage window with your dev teams.

@Pete Stanley,  how long did it take for the entire "remove and re-add" process to occur? We are considering your solution, but hoping to have some insight into the timeframe. We have over 700 repos.

For those still struggling with this, one way to deal with it is to remove the integration and setup from scratch.

You could just create a new authentication token rather than completely setup the integration again but I had some other technical debt to deal with...

Either way, there's little risk in setting up from scratch as Jira will sync all historical commits from GitHub once reconfigured:

1. Log into your GitHub account (Works for 'Team' or 'Enterprise' accounts).
2. Navigate to Account Settings > Applications > Authorized OAuth Apps > Jira DVCS
3. Delete any existing DVCS connector titled "Jira DVCS" if it already exists.
4. Navigate to Account Settings > Developer Settings > OAuth Apps > Create new OAuth App
5. Set the following:
   1. Application name: JIRA DVCS 
   2. Homepage URL: https://<YOURJIRASERVER>.com
   3. Authorization Callback URL:  https://<YOURJIRASERVER>.com
   4. Save the new application.
6. Generate a new Client Secret - Note this down somewhere safe (e.g. a password vault). It will only be displayed this once.
7. Save the Client ID (key) along with your Client Secret somewhere safe.
8. Navigate to Jira > Settings > Applications > DVCS accounts.
9. Disable/remove any existing instance configuration for your GitHub account. (This may take some time due the size.)
10. Refresh the page once complete to verify the GitHub account has been removed 100%.
11. Choose "Link Bitbucket Cloud or GitHub Account".
12. Complete the following:
    1. Host: Github
    2. Team or User Account: <COMPANYNAME>
    3. Client ID: Enter Client ID previously created.
    4. Client Secret: Enter Client Secret previously created.
    5. Auto Link New Repositories: Yes (Checked)
    6. Enable Smart Commits: Yes (Checked)
13. Note, the initial sync may take hours/days and can take several attempts due to GitHub rate limiting.

@Marcel Haase

We are creating an access token earlier this year and when trying to create a fresh token it has the same length and the same format

Regards

Hello,

It is another "error" . You have to go into github and reset your Auth token (secret token) of the dvs Auth app on github. 

Github changed the format of the secret key. (i.e. length) 

Please follow the steps in the "error"-mail on github and after resetting the token, you shouldn't receive these kind of "error" / notice.

Best regards

We are running Jira Software Version (Data Center) 8.14.1 and still receiving emails from GitHub stating we are using an API with an outdated format. What do we need to do to stop these notifications?

Hi all,

We are running Jira Software Version (Data Center) 8.14.1 and still receiving emails from GitHub stating we are using an API with an outdated format. What do we need to do to stop these notifications?

Please advise

Thanks

James

Hi everyone,

I can confirm that all releases after 8.12.0 will contain this fix including all 8.13.x releases.

Thank you,
Sam Power
Bitbucket Team

+1 to Ramesh's and Christina's comments above.

Is this fixed in Jira 8.13.x Data Center edition? We would like to upgrade to a Long Term Support version instead 8.12 or the latest 8.15 to provide better stability.

Echoing Ramesh's question – can you confirm if this fix in included in the latest LTS release (8.13.2)? Also checked the release notes, and I don't see this bug in there.

Otherwise, if we cannot confirm we'll upgrade to 8.12.0 – which would kinda suck, because it'd be nice to be on the LTS track.

Based on 8.13.x release notes, no where it mentioned that this fix is available.

https://confluence.atlassian.com/jirasoftware/jira-software-8-13-x-release-notes-1018783360.html

Thanks for clarifying Andriy!

Hey christina.jenks

To answer your question, Jira 8.8.X doesn't have a fix. If you want to upgrade to a version with a longer support window, you can choose from two LTS version: 8.5.x and 8.13.x (both has the fix).

Hope this helps.
Cheers.

Best regards,
Andriy | SET

Does anybody know if this affects 8.8.X? I don't see this anywhere in the Affects or Fix versions on this issue, so it's unclear.

It's the furthest we can upgrade at the moment with Okta's Jira integration, and seeing the above comment on 8.11.1 has us a bit worried. We'd consider 8.5.7, but the support on that is only until October next year.

hsu1 Please open a ticket with Atlassian Support so that the assigned engineer can look into this.: https://support.atlassian.com/contact

Hi,

We have upgraded our Jira instance to v8.11.1, but I still got this email from Github Team today:

Hello there!

On November 25th, 2020 at 02:13 (UTC) your application (JIRA DVCS) used an access token (with the User-Agent Apache-HttpClient/4.5.13 (Java/1.8.0_272)) as part of a query parameter to access an endpoint through the GitHub API.

https://api.github.com/repositories/256567671/hooks

Please use the Authorization HTTP header instead as using the `access_token` query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

Thanks,
The GitHub Team

What should I do?

c3a7f033e31a, anna.schiller1170965692, 46b824aac201,

If you are already using the GitHub app for the integration then most likely these e-mails sent by GitHub don't refer to a Jira configuration, but rather to a leftover OAuth configuration still present in GitHub.

Indeed, the integration was previously done using the DVCS connector (instead of the current add-on) and for that you had to create an OAuth access token to authenticate.

In this case, the only thing you need to do is to remove that OAuth setting from GitHub (/settings/developers).

If instead you are still using DVCS (to integrate with GitHub Enterprise) then please create either a support request or a community thread (depending on the kind of license you have) so that we can further look into this.

Cheers,
Dario

On Cloud and still getting these notices...

I received the same email today and I am on Cloud version.  How do we fix this?

Hello, 46b824aac201. No, Jira Cloud uses significantly different technology to access GitHub. I don't know the details but I suspect you may have some other integrations with GitHub that use the deprecated parameter and trigger the alert.

Is this going to automatically roll out for Jira Cloud?  We got the notification from GitHub for this today, but are on Jira Cloud which is "latest". When?

Hey All,

I see that this ticket has a lot of attention, so to confirm previous observation and to add more context.
The new version of the DVCS plugin (jira-dvcs-connector-plugin-5.2.10.jar) with the fix is shipped already with Jira 8.5.7 (see Fix-Versions).
That was the first version that got into the release train since it was the soonest one (and 8.5.x is an LTS). It will be also shipped with future Jira versions 8.11.1 and 8.12.0 when they will be released (no ETA for the moment).

sjm2, 7500536b284b

• 8.11.0 didn't get the fix, it was cut before the merge. Sorry.
• 8.7.x line doesn't contain the fix, you will need to upgrade to 8.11.x or 8.12.x when they are out.

Hope this helps
Cheers

Best regards,
Andriy | SET Atlassian

We're running: 8.11.0 and still get the same notification.

Just upgraded it to 8.5.7 (seems to have fixed)

Made a new DVCS Github connection and did not receive the notification. 

Will this be fixed in 8.7?

Can someone with 8.5.7 please confirm fix?

Is it possible to pull the plugin out of this version and import into our current version?  Requiring full Jira upgrade for a single core plugin is just silly.

Do we now just need to upgrade to an fixed release or is there any configuration adjustments required afterwards?

How is this "Fixed"? I'm still getting emails from github about this issue.

So the fix is to do the upgrade?

Agree.  It will be nice to have a way to correct this without having to perform a full upgrade to the Jira server software.  Perhaps allowing something in the configuration UI.  In my case, the same underlying issue but am using an OAuth application with the "clientID/clientSecret" combination.  This too is part of the GitHub API deprecation path.  The recommended guidance is to follow this pattern within the http header.  Example from GitHub site.  Looking forward to a solution on this one soon.  Thanks!

Using client_id/client_secret as a query param

If you're using an OAuth app's client_id and client_secret to make unauthenticated calls with a higher rate limit similar to
 
curl "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id"

Instead, you should use the following format:
 
curl -u my_client_id:my_client_secret https://api.github.com/user/repos

{{}}

https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/

Please fix. This is causing unnecessary issues, distractions, and communications.  "Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf."  Anything that requires a reminder every three days I would call high priority. 

Would love to see this issue resolved soon.

I got these even though on Cloud I've already moved to the new GitHub integration: https://community.atlassian.com/t5/Jira-Service-Desk-questions/Why-am-I-receiving-GitHub-API-deprecation-warnings/qaq-p/1404226?utm_source=atlcomm&utm_medium=email&utm_campaign=immediate_general_answer&utm_content=topic

Is this being implemented in such a way that the dvcs connector core plugin can be updated without upgrading jira?

Hi Atlassian,

are you going to update the addon to authenticate as a GitHub app (authorization: bearer TOKEN) that would increase the Rest API rate limit from 5k up to 12,5k?

Thanks,

justin.sabelko
Thanks for sharing!
Those blogposts cover different functionality, so I've added both for the reference to the ticket.

Actually it's November 13, 2020 according to https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/

That's a lot better. Thanks Andriy!

Hey ray.yin
Quick note it's May 5, 2021, so should be enough time

Is there an update on when this fix will be ready as we are less than 3 weeks from the removal date. This would be a major disruption to our operations if GitHub integrations breaks.

Yes, it would be nice if this plugin could be upgraded without having to upgrade Jira.  We are upgrading Jira this weekend and would hate to have to inconvenience thousands of users with another upgrade so soon.

WAT:

"On March 24th, 2020 at 13:30 (UTC) your application (JIRA DVCS) used an access token (with the User-Agent Apache-HttpClient/4.5.11 (Java/1.8.0_242)) as part of a query parameter to access an endpoint through the GitHub API."

March 24 is today !

Can we get a confirmation that the fix for this will be rolled out as an upgrade directly to the Jira DVCS Connector Plugin [ _com.atlassian.jira.plugins.jira-bitbucket-connector-plugin_ ]?

I just wanted to chime in and say that we have several customers that worry about this. Keeping fingers crossed that a fix is being worked on

@dmatthis thanks for clarifying.  Are these the dates that impact regular DVCS connector usage?

Link that @derek mart posted is only for the API endpoint.
See https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/#deprecation-timeline

for deprecation of "access_token"

Brownouts

During a brownout, authentication using query parameters will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

• September 30, 2020

• • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC
• October 28, 2020

• • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/#removal-dateRemoval date

All authentication using query parameters will return a status code of 401 like all other auth failures starting on:

November 13, 2020 at 4:00 PM UTC

Is there any chance it will make it in the next enterprise release?

Update: The following is for API end points only and does not apply to this specific issue.

https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint/

Deprecation timeline

Brownouts

During a brownout, calls to the old version of OAuth application endpoints will temporarily fail to alert users who haven't migrated their authentication calls.

The brownouts are scheduled for:

• May 15, 2020

• • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC
• June 12, 2020

• • From 7:00 AM UTC - 10:00 AM UTC
  • From 4:00 PM UTC - 7:00 PM UTC

Removal date

All calls to the old version of the OAuth application endpoints will return a status code of 404 starting on:

• July 1, 2020 at 4:00 PM UTC

We're on 7.10.2 and also seeing this notification. (though....we're upgrading to 8.1.3 in a few weeks)

Expected Results

GitHub should not complain about us using deprecated feature.

I disagree.

The expected results are that Jira should not be using deprecated features!

What is the timeline for implementing a fix for this?

Hopefully before July 1, 2002

We're receiving exactly the same email notification from GitHub.  What is the timeline for implementing a fix for this?

From the FAQ: "GitHub is deprecating authentication to the GitHub API using query parameters, such as using a access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication."
The message indicated this will stop working on July 1, 2020.
Breaking workflow triggers and development information can hardly be considered low priority.

This issue is also occurring in Jira Software v7.13.11 - I received an identical email notification from GitHub with regard to the use of the DVCS connector.

From the configuration page [cloud_installation]/secure/admin/ConfigureDvcsOrganizations!default.jspa I don't seem to be able to DISABLE the DVCS connection either: