Last year when I looked into this there was no automated way to get this info; the normal audit log mentioned below does not contain any info about actions from OAuth-ed applications afaik.
If you email GitHub support they can pull out detailed logs from OAuth app interactions from their internal tools.
I would expect the GH security team to have relevant queries ready by now, maybe even do some proactive queries and start alerting anyone who had suspicious activity. (But this is just how I'd do it; I have no special insight if they are doing this or something else.)
Same. Most belong to 1 member of our team, but a few belong to others on the team. They started happening about 6 months ago (unless logs only go back 6 mo). Would really like to figure out what these are. I asked GH, they said it’s not involved with this breach, and haven’t yet answered my next question (who/what is it?)
Yeah, I see lots of the same. They seem to correspond with Heroku deploys? Anyone know if that happens when a valid Heroku deploy occurs? Do they download a zip?
For what it's worth, elsewhere in this comment section someone posted that GitHub Support says the zip downloads weren't related to this incident. Reading between the lines, the compromised repos were probably accessed using normal git clone actions.