Yeah, the comms around this have been very concerning. Do I need to rotate every config var on all of my apps? Re-install every add-on?
While the nature of what limited things they had disclosed to date pointed to this situation, part of me wanted to believe it wasn't as bad as I was assuming. And now the trendline on this suggests I should have already done everything I've outlined above. And I'm low confidence anybody is going to be proactive in telling me until it's absolutely obvious that these things have been compromised and exploited.
IIRC the environment variable settings are encrypted in a physically separate database. However, it may be a good idea to rotate your secrets anyways. My hunch would be that there are so many "juicy" targets on Heroku that you probably don't need to worry too much right now unless you are or work for a "juicy" target.
Why would the GitHub API keys not fall into the same separate database and be encrypted as well? It's especially baffling if they already have an example/process of doing this properly.