{"UUID":"e242d62d-32f3-4bc0-b4e9-5a0a15a82863","URL":"https://github.blog/news-insights/company-news/github-availability-report-may-2021/","ArchiveURL":"","Title":"GitHub Actions and Pages impacted by scoped token INT32 overflow","StartTime":"2021-05-16T07:17:00Z","EndTime":"2021-05-16T16:05:00Z","Categories":["automation","config-change","security"],"Keywords":["github","actions","pages","api","git","scoped tokens","int32","database"],"Company":"GitHub","Product":"GitHub Actions, GitHub Pages, GitHub API, Git commands","SourcePublishedAt":"2021-06-03T00:00:00Z","SourceFetchedAt":"2026-05-04T19:52:41.173878Z","Summary":"A foreign key on the scoped-tokens table hit max INT32, causing high failure rates for Actions and Pages and breaking scoped-token Git operations for 9h48m. Mitigation required a long-running schema migration to INT64. The column predated the linting that would have caught it; one Action briefly received unauthorized access grants that were then revoked.","Description":"On May 16, 2021, GitHub experienced an incident lasting 9 hours and 48 minutes, which significantly impacted GitHub Actions, GitHub Pages, and operations against the GitHub API and low-level Git commands that utilized scoped tokens. Users encountered high failure rates across these services.\n\nThe root cause was identified as a foreign key for scoped tokens exceeding the maximum value for an INT32 data type. This integer overflow led to widespread service degradation for features relying on these tokens.\n\nMitigation involved a long-running schema migration to change the affected foreign key to an INT64 data type, allowing for a larger range of values. Following the migration, invalid token records stored in the cache layer were systematically removed to restore functionality.\n\nExisting alerting and linting mechanisms designed to prevent integer overflows were insufficient in this specific case because the foreign key predated the implementation of these preventative measures. GitHub is now manually auditing all INT32 columns and enhancing automation to prevent similar issues.\n\nDuring the incident, a single GitHub Action on one repository briefly received unauthorized access grants. These grants were promptly revoked, and GitHub confirmed that no unauthorized access was gained through this vulnerability.\n\nSeparately, on May 8, 2021, a 46-minute incident affected the GitHub Container registry service due to failures in an underlying MySQL database. This was resolved by performing a failover to a database replica, and subsequent work is planned to improve resilience against such outages."}