[daily secrets] Secret Usage Analysis Report - February 11, 2026

[github-actions[bot]]

Daily analysis of secret usage patterns across all compiled workflow files in the repository.

📊 Executive Summary

Analysis Date: February 11, 2026
Workflow Files Analyzed: 148
Total Secret References: 5,117 (secrets.*)
GitHub Token References: 440 (github.token)
Unique Secret Types: 24

Key Findings:

• ✅ All 148 workflows have redaction steps enabled
• ✅ Comprehensive token cascade fallback system (461 instances)
• ✅ All workflows have explicit permission blocks (148/148)
• ⚠️ 1,922 instances of github.event.* expressions detected (requires review)
• ✅ No secrets exposed in job outputs

🔑 Top Secret Types by Usage

Rank	Secret Name	Occurrences	Purpose
1	GITHUB_TOKEN	1,676	Default GitHub Actions token
2	GH_AW_GITHUB_TOKEN	1,511	Primary workflow authentication
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	744	MCP server authentication
4	COPILOT_GITHUB_TOKEN	491	GitHub Copilot API access
5	CLAUDE_CODE_OAUTH_TOKEN	175	Anthropic Claude authentication
6	ANTHROPIC_API_KEY	175	Anthropic API access
7	OPENAI_API_KEY	64	OpenAI API access
8	CODEX_API_KEY	64	Codex API access
9	TAVILY_API_KEY	15	Tavily search API
10	NOTION_API_TOKEN	8	Notion integration

View Complete Secret Inventory (24 types)

Secret Name	Occurrences
GITHUB_TOKEN	1,676
GH_AW_GITHUB_TOKEN	1,511
GH_AW_GITHUB_MCP_SERVER_TOKEN	744
COPILOT_GITHUB_TOKEN	491
CLAUDE_CODE_OAUTH_TOKEN	175
ANTHROPIC_API_KEY	175
OPENAI_API_KEY	64
CODEX_API_KEY	64
TAVILY_API_KEY	15
NOTION_API_TOKEN	8
GH_AW_PROJECT_GITHUB_TOKEN	6
BRAVE_API_KEY	6
GH_AW_AGENT_TOKEN	4
SENTRY_OPENAI_API_KEY	3
(Plus 10 additional secret types with lower usage)

Note: 5,117 secret references include an empty pattern match, indicating some secret references without explicit names (likely dynamic or computed references).

🏗️ Structural Analysis

Secret Location Distribution:

• Job-Level: 0 references (0%)
• Step-Level: 1,738 references (100%)

Observation: All secrets are defined at the step level, which provides:

• ✅ Fine-grained access control
• ✅ Reduced secret exposure scope
• ✅ Better isolation between workflow steps

🛡️ Security Posture

Protection Mechanisms

Mechanism	Coverage	Status
Secret Redaction	148/148 workflows (100%)	✅ Excellent
Token Cascades	461 fallback chains	✅ Robust
Permission Blocks	148/148 workflows (100%)	✅ Complete

Security Checks

1. Template Injection Analysis

⚠️ Found 1,922 instances of github.event.* expressions

While github.event.* is commonly used for workflow context, direct interpolation can pose template injection risks if not properly handled through environment variables.

Most Common Patterns:

• github.event.pull_request.number (338 occurrences)
• github.event.issue.number (337 occurrences)
• github.event.discussion.number (297 occurrences)
• github.event.comment.id (295 occurrences)
• github.event.comment.body (116 occurrences)

Affected Workflows: All 148 workflows use github.event.* expressions

View Sample Affected Workflows

• agent-performance-analyzer.lock.yml
• agent-persona-explorer.lock.yml
• ai-moderator.lock.yml
• archie.lock.yml
• artifacts-summary.lock.yml
• (143 more workflows...)

2. Secrets in Job Outputs

✅ No secrets exposed in job outputs - Zero instances detected

📈 Workflow Distribution

Workflows with Highest Secret Usage:

Workflow	Secret References
mcp-inspector.lock.yml	74
daily-news.lock.yml	54
smoke-claude.lock.yml	49
deep-report.lock.yml	48
prompt-clustering-analysis.lock.yml	46
daily-observability-report.lock.yml	45
smoke-codex.lock.yml	44
daily-performance-summary.lock.yml	44
daily-issues-report.lock.yml	44
cloclo.lock.yml	44

🎯 Key Findings

1. Comprehensive Secret Protection: All workflows (100%) implement secret redaction, providing strong protection against accidental secret leakage in logs.

2. Robust Token Management: The token cascade system (461 instances) ensures fallback authentication paths, improving workflow reliability:

   GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN
   

3. GitHub Event Expression Usage: While 1,922 instances of github.event.* were detected, these are commonly used for workflow context. However, patterns like github.event.comment.body (116 occurrences) should be reviewed to ensure proper sanitization through environment variables.

4. Step-Level Secret Isolation: 100% of secrets are defined at the step level, providing optimal security boundaries and reducing the blast radius of potential compromises.

5. Diverse Secret Portfolio: 24 different secret types support various integrations (GitHub, Anthropic, OpenAI, Tavily, Notion, etc.), indicating a rich ecosystem of tool integrations.

💡 Recommendations

1. Review Template Injection Patterns (Priority: Medium)

   • Audit the 116 instances of github.event.comment.body usage
   • Ensure user-controlled input flows through environment variables, not direct interpolation
   • Consider adding template injection validation to the compilation process

2. Document Secret Usage Patterns (Priority: Low)

   • Create documentation for the 5,117 empty pattern matches to understand dynamic secret references
   • Establish naming conventions for new secrets to maintain consistency

3. Monitor Secret Proliferation (Priority: Low)

   • Track when new secret types are added (currently 24 types)
   • Ensure new secrets follow security best practices
   • Consider consolidating similar secrets where possible

4. Maintain Current Security Posture (Priority: High)

   • Continue 100% coverage of redaction steps
   • Maintain explicit permission blocks in all workflows
   • Keep token cascade fallback system active

📖 Reference Documentation

For detailed information about secret usage patterns:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: Used in 461 workflow steps for robust authentication

---

Generated: 2026-02-11 18:36 UTC
Workflow Run: §21918037474
Workflow Definition: .github/aw/daily-secrets.md

AI generated by Daily Secrets Analysis Agent

• expires on Feb 14, 2026, 6:44 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-14T18:44:03.074Z.

Closed by Workflow