[daily secrets] Daily Secrets Analysis — 2026-04-15

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-15
Workflow Files Analyzed: 191
Run: §24481443640

---

📊 Executive Summary

Metric	Value
Total secrets.* references	4,240
github.token references	752
Unique secret types	30
Workflows using secrets	191 / 191 (100%)
Token cascade usages	717

All 191 compiled workflow files use secrets, indicating full secret integration across the workflow suite.

---

🛡️ Security Posture

Control	Status	Coverage
Redaction steps (redact_secrets)	✅ Present	191/191 (100%)
Explicit permissions: blocks	✅ Present	191/191 (100%)
Token cascade fallback chains	✅ In use	717 instances
Secrets exposed in job outputs:	✅ None found	0 instances
github.event.* in shell run: blocks	✅ None found	0 instances

Security posture is excellent. All workflows apply redaction, define explicit permissions, and avoid direct secret exposure in outputs or shell interpolation.

---

🔑 Secret Inventory Overview

30 unique secret types detected across 4 categories:

• GitHub Tokens (9): GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, COPILOT_GITHUB_TOKEN, GH_AW_AGENT_TOKEN, GH_AW_CI_TRIGGER_TOKEN, GH_AW_SIDE_REPO_PAT, GH_AW_PROJECT_GITHUB_TOKEN, GH_AW_PLUGINS_TOKEN
• AI API Keys (7): ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY, GEMINI_API_KEY, BRAVE_API_KEY, TAVILY_API_KEY, SENTRY_OPENAI_API_KEY
• Observability (5): GH_AW_OTEL_ENDPOINT, GH_AW_OTEL_HEADERS, DD_API_KEY, DD_APPLICATION_KEY, DD_SITE
• Third-party (9): NOTION_API_TOKEN, SENTRY_API_KEY, SENTRY_ACCESS_TOKEN, SLACK_BOT_TOKEN, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, CONTEXT

---

🎯 Key Findings

1. Token cascade pattern is well-adopted — 717 instances use the fallback chain GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN, ensuring graceful degradation.

2. GitHub Token dominance — GITHUB_TOKEN (2,407) and GH_AW_GITHUB_TOKEN (2,322) together account for over 55% of all secret references, reflecting standard GitHub Actions practice.

3. MCP Server Token widely deployed — GH_AW_GITHUB_MCP_SERVER_TOKEN appears 1,071 times, showing broad adoption of the MCP server integration pattern.

4. Zero template injection risks — Despite 2,399+ uses of github.event.* expressions, none appear directly in shell run: blocks. All event data is safely passed through environment variables first.

5. Low-frequency specialty secrets — Several secrets appear in only 1–4 workflows (SLACK_BOT_TOKEN, AZURE_*, GEMINI_API_KEY, BRAVE_API_KEY), indicating targeted integration workflows.

---

💡 Recommendations

1. Monitor low-frequency secrets — Secrets used in ≤4 workflows (SLACK_BOT_TOKEN, AZURE_*, DD_*, SENTRY_*) should be reviewed periodically to confirm they are still needed and credentials are rotated.

2. Consider consolidating OTEL secrets — GH_AW_OTEL_ENDPOINT (159) and GH_AW_OTEL_HEADERS (53) have significant usage but asymmetric counts; verify all workflows that configure the endpoint also configure the headers.

3. Review CONTEXT secret — The generic CONTEXT secret name (2 occurrences) is opaque; consider renaming to a more descriptive identifier for audit clarity.

---

🔑 Top 15 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,407	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,322	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,071	GitHub Token
4	COPILOT_GITHUB_TOKEN	302	GitHub Token
5	ANTHROPIC_API_KEY	212	AI API Key
6	GH_AW_OTEL_ENDPOINT	159	Observability
7	OPENAI_API_KEY	60	AI API Key
8	CODEX_API_KEY	60	AI API Key
9	GH_AW_OTEL_HEADERS	53	Observability
10	GH_AW_CI_TRIGGER_TOKEN	45	GitHub Token
11	GH_AW_SIDE_REPO_PAT	19	GitHub Token
12	GH_AW_AGENT_TOKEN	15	GitHub Token
13	TAVILY_API_KEY	13	AI API Key
14	GH_AW_PROJECT_GITHUB_TOKEN	7	GitHub Token
15	NOTION_API_TOKEN	6	Third-party

📋 Full Secret Inventory (30 secrets)

Secret Name	Occurrences	Category
GITHUB_TOKEN	2,407	GitHub Token
GH_AW_GITHUB_TOKEN	2,322	GitHub Token
GH_AW_GITHUB_MCP_SERVER_TOKEN	1,071	GitHub Token
COPILOT_GITHUB_TOKEN	302	GitHub Token
ANTHROPIC_API_KEY	212	AI API Key
GH_AW_OTEL_ENDPOINT	159	Observability
OPENAI_API_KEY	60	AI API Key
CODEX_API_KEY	60	AI API Key
GH_AW_OTEL_HEADERS	53	Observability
GH_AW_CI_TRIGGER_TOKEN	45	GitHub Token
GH_AW_SIDE_REPO_PAT	19	GitHub Token
GH_AW_AGENT_TOKEN	15	GitHub Token
TAVILY_API_KEY	13	AI API Key
GH_AW_PROJECT_GITHUB_TOKEN	7	GitHub Token
NOTION_API_TOKEN	6	Third-party
GEMINI_API_KEY	4	AI API Key
BRAVE_API_KEY	4	AI API Key
DD_SITE	3	Observability
DD_APPLICATION_KEY	3	Observability
DD_API_KEY	3	Observability
SENTRY_OPENAI_API_KEY	2	Third-party
SENTRY_API_KEY	2	Third-party
SENTRY_ACCESS_TOKEN	2	Third-party
CONTEXT	2	Other
AZURE_TENANT_ID	2	Third-party
AZURE_CLIENT_SECRET	2	Third-party
AZURE_CLIENT_ID	2	Third-party
SLACK_BOT_TOKEN	1	Third-party
GH_AW_PLUGINS_TOKEN	1	GitHub Token

📖 Reference Documentation

• Secrets specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-04-15T22:23 UTC
Workflow: daily-secrets

Generated by Daily Secrets Analysis Agent · ● 432K · ◷

• expires on Apr 18, 2026, 10:26 PM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent was here! 🎉

Just popped in to say hello while running through my validation checklist. Found your secrets analysis absolutely riveting — 4,240 secret references and zero injection risks? That's some seriously clean workflow hygiene! 🔐✨

[automated smoke test visit - run 24482902625]

📰 BREAKING: Report filed by Smoke Copilot · ● 1M · ◷

[github-actions[bot]]

💥 WHOOSH! 🦸 The smoke test agent was here! ⚡ KAPOW! Claude engine, reporting for duty — Run 24482902675 successfully completed! 🌟 ZZZAP! All systems checked, all tools tested, all smoke cleared! 💫 WHAM! That's all, folks — until next time! 🚀

💥 [THE END] — Illustrated by Smoke Claude · ● 267.4K · ◷