Review Apps
Last updated February 07, 2025
Table of Contents
Review apps run the code in any GitHub pull request in a complete, disposable Heroku app. Review Apps each have a unique URL you can share, making them a great way to propose, test, and merge changes to your code base.
You can configure review apps to spin up automatically for each pull request, or you can create them manually from your app’s Pipeline page in the Heroku Dashboard. Note that your app must enable both Heroku Pipelines and GitHub integration to use review apps.
Setup
Prerequisites
- An existing pipeline. Learn more about pipelines and creating one here.
- An existing repo on GitHub.com with your application source code.
Getting Started
If you are new to review apps, navigate to your pipeline’s Settings tab in the Heroku Dashboard. On that page, connect your pipeline to the corresponding GitHub repository.
You may need to also configure an app.json if you have not used Review Apps before. See the configuration section and the app.json Schema for further details. For any secret config var values that you do not wish to add to your app.json, set them as review app config variables in the pipeline’s settings.
After configuring the app.json, first-time review app users can select the Enable Review Apps option from either under the Settings tab of the Pipeline tab or the Review Apps column of the Pipeline:
Selecting the URL pattern
After enabling Review Apps, visit the pipeline’s Settings tab to check and update the URL pattern. The default is set to random but click Update URL pattern to open a side panel with options for random or predictable naming.
Using a predictable URL with Review Apps can expose those apps to a possible subdomain takeover.
Due to this security risk, the predictable URL feature isn’t planned for Fir-generation apps. If you have a current use case that uses predictable URLs, submit a product feedback ticket at Heroku Support to help inform a potential, future solution for Fir-generation apps.
Setting up permissions
You can manage access to all review apps and CI apps within a pipeline via the pipeline access tab. To learn more about pipeline-level permissions please see ephemeral app permissions in pipelines.
Creating review apps
When creating a review app, Heroku deploys the HEAD commit of the branch that the associated pull request is based on. Whenever the branch is updated, Heroku deploys the latest commit to the review app.
Manual creation
Your app’s Pipeline page displays your connected GitHub repo’s open pull requests. You can manually create review apps for a listed pull request by clicking the Create button next to it.
Automatic creation
With automatic creation, Heroku creates a review app as soon as a pull request is opened on your app’s connected GitHub repo. For security and billing reasons, Heroku does not automatically create review apps for pull requests to public repos that are sent from forks. You can still create review apps for these pull requests manually.
Only review apps which are automatically created are automatically destroyed when the PR is closed.
Viewing review apps
When a review app is created, a link to open it in your browser is available from GitHub (in the pull request’s Conversation tab):
This link is also available in the Heroku Dashboard (in the Review Apps column of your app’s Pipeline page):
You can view, manage, and inspect a review app just like you would any other Heroku app. You can view a details of its deployment status by clicking the View initial app setup and View latest build links.
Configuration
An app.json file is required in the root of your app’s GitHub repo for review apps to work. The app.json file is used to configure new apps created when pull requests are opened.
An add-on provider may specify a default ephemeral plan that overrides any plan choices you’ve made. If an add-on provider has specified an ephemeral default plan, new instances of each add-on specified in your app.json will be provisioned using it. This provides a fast, inexpensive set of dependencies to test pull requests while allowing add-on partners to constraint provisioning costs.
Some add-ons do not support review and CI apps. You’ll see an error message like <add-on service slug> has opted out of supporting Review and CI apps if you attempt to use an add-on that has opted out of Review and CI app support.
All configuration must exist in theapp.json or the pipeline Settings tab.
Sensitive config vars
Set any sensitive environment variables in the Review app config vars section of your pipeline’s settings. All review app config vars from the pipeline settings will be injected into the review app when it is created, regardless of whether or not it is included in the app.json.
Environments in app.json
Similar to the behavior in Heroku CI, the Review Apps support the “environments” key. For configuration specific to review apps, you may use the environments.review key. For instance, if you want to use a different database plan for review apps, you could use a configuration like below. Anything nested inside the environments.review key will be merged into the base configuration.
{
"addons": ["heroku-postgresql:standard-0"],
"environments": {
"review": {
"addons": ["heroku-postgresql:essential-0"]
}
}
}
Review app names
Review Apps uses some randomness to prevent naming collisions. Instead of inferring details about the app with HEROKU_APP_NAME and regular expressions, we suggest using the automatically injected environment variables instead.
The postdeploy script
The app.json file has a scripts section that lets you specify a postdeploy command. Use this to run any one-time setup tasks that make the app, and any databases, ready and useful for testing. Postdeploy is handy for one-off tasks, such as:
- Setting up OAuth clients and DNS
- Loading seed/test data into the review app’s test database
For a Ruby-on-Rails app, your postdeploy command might be:
bundle exec rake db:schema:load db:seed
In this case, the db/seeds.rb file should seed the database with comprehensive data so that the review apps can be used for testing without further setup.
The size of the dyno on which the command will be run can be configured by specifying an object with command and size keys.
Postdeploy is run only once after the app has been created
Note that postdeploy is run only once, after the app has been created and deployed for the first time. It is not run when subsequent changes are deployed. To re-run a review app’s postdeploy script, you have to close and re-open the pull request. This causes Heroku to destroy and re-create the review app.
If your post-deploy script fails, we will recreate the app on the next push and execute the post-deploy script again.
Use release phase to run commands with each change to a pull request
To run commands with each change to a pull request, use release phase. Release phase is useful for tasks such as, uploading assets to a CDN, invalidating or priming cache stores, and running database schema setup and migrations. Release phase is run before the postdeploy script.
Copying full database contents to a Review apps is not currently supported. Copying production data to test apps means risk of data leaks or other programming mistakes operating on recent customer data. Instead, we recommend seeding databases comprehensively with non-production data using seed scripts run with the postdeploy command.
pr-predestroy script
You can optionally specify a pr-predestroy script on your app.json file. This script runs when review apps are destroyed once the associated pull request is merged or closed.
{
"name":"Node.js Sample",
"scripts": {
"postdeploy": "bin/bootstrap",
"pr-predestroy": "bin/teardown"
}
}
Use the pr-predestroy script to tear down any resources provisioned during postdeploy and to do other clean-up.
The command is prefixed with “pr-” because it is ONLY run as part of the pull request (PR) app flow.
Output from this script is not sent to the log drain.
Apps using Docker images can’t use pr-predestroy scripts. These scripts get ignored if included in your app.json file.
The size of the dyno on which the command will be run can be configured by specifying an object with command and size keys.
Injected environment variables
The following environment variables are added to each review app when it is created:
HEROKU_APP_NAME: The name of the review appHEROKU_BRANCH: The name of the remote branch the review app is trackingHEROKU_PR_NUMBER: The GitHub Pull Request number if the review app is created automatically
To help with scripting, two special config vars are available to review apps. They are available to all Review Apps and there is no need to specify them in the app.json file.
HEROKU_APP_NAME, HEROKU_BRANCH and HEROKU_PR_NUMBER are likely to change. They’re only available via the review app creation flow and will not be updated if apps are renamed.
Disabling review apps
You can disable review apps at any time. Doing so prevents new review apps from being created.
Disabling review apps also deletes existing associated review apps.
Heroku Postgres Extensions
Starting July 10, 2023, new review apps that provision Heroku Postgres databases, such as an Essential-tier database, install extensions in the public schema by default. If your application expects extensions in the heroku_ext schema, then errors can occur.
You can define a schema for extensions with CREATE EXTENSION…WITH SCHEMA…. For example, to have your review apps install extensions in the heroku_ext schema, use the following in your database setup scripts:
CREATE EXTENSION extension_name WITH SCHEMA heroku_ext
Review apps and CI
If you have Heroku CI enabled for your pipeline, note that all subsequent commits to the pull request will run your tests against the review app’s updated build. Test results are available as usual in the pipeline’s Tests tab. The updated code will be built and deployed even if tests fail (because pull requests are experimental by nature, Heroku does not block deployment to review apps).
The above conventions are also true for other CI systems you integrate with Heroku Pipelines.
Only check “Wait for CI to pass” in Review Apps settings if either Heroku CI or another CI service runs on every commit to your app. Otherwise, Review Apps may wait indefinitely for tests to pass when no CI is configured.
Review apps and Heroku Private Spaces
Private Spaces are dedicated environments for running dynos and certain types of add-ons enclosed within an isolated network. Apps that reside in private spaces can occupy any stage in a pipeline.
Review apps can spawn and run in any Private Spaces as long as the region or space is specified as part of the apps’s configuration in the app.json file. Example:
{
"app": { "region": "us" }
}
{
"app": { "space": "1234-abcd" }
}
Review apps and Docker
If you want to use a Dockerfile to define your build, you need to include a heroku.yml file in your project. With heroku.yml, Heroku builds the Docker image(s) that you specify and uses them in your review apps (an app.json file is still required).
Review apps management and costs
Dynos and add-ons used by review apps are charged in exactly the same way as for normal apps. Costs are pro-rated to the second, and you’re only charged for the time that the review app exists.
In most cases, Heroku defaults to using the least expensive dyno available in your plan for review apps. However, apps in Private Spaces default to using private-m dynos. You can specify a different dyno size in your app.json file.
Review apps exist only for the life of their associated pull request, and can be set to be destroyed automatically after 1, 2, 5, 14 or 30 days of inactivity:
You can optionally specify free or low-cost add-on plans in your app.json if those plans are sufficient to run and test your app. Because review apps are typically short-lived, and you are charged only while they exist, monthly charges are typically small.
For review apps that are automatically created, any costs are incurred by the user who connected the app to GitHub. When review apps are manually created, the cost is incurred by the user who created the review app.
See the Usage and Billing article for details.
Review apps API
The Review Apps API is an extension of the Heroku’s Platform API. It allows you to enable, disable, create, and delete review apps. See the API documentation for more details, in particular the sections for review apps, review app configuration, and config vars.
Permission Changes
In addition to Pipeline permissions and capabilities, review apps also have the following permission model changes:
- All Heroku Team and Enterprise Team users with “admin” role have full access to all Review Apps and CI Apps within the team.
- All Heroku Team and Enterprise Team users with “member” role have the “View”, “Deploy” and “Operate” permissions on all Review Apps and CI Apps inside the team. These permissions don’t enable these users to promote the application though. Enterprise Team admins can adjust permissions per user or change the auto-join permission settings.
- If a user creates a pull request in Github, they will only be able to see the review app generated for that pull request in Heroku if their Heroku account has access to the application. Having the permission to create a pull request in the Github repo does not guarantee access to the review app.
- Review Apps will be built for new commits even if the user making changes and commits on GitHub doesn’t have access to the Heroku app.
- We use the token of the user who links the Pipeline to Github for creating Review Apps.
- Users with “Collaborator” permission on an app within a Pipeline can not access Review Apps automatically. To give collaborators access to Review Apps and CI Apps, please add them to the new permission table in the pipeline’s access tab.
FAQ
Do git submodules work?
No, GitHub repos that use submodules will generally not deploy correctly on Heroku. This is because GitHub does not include submodule contents when repo-content tarballs are generated.
Fourchette and review apps
The idea of creating Heroku apps for pull requests created on GitHub was pioneered by Rainforest with Fourchette.