[daily secrets] Secrets Analysis Report — 2026-04-29

[github-actions[bot]]

Date: 2026-04-29
Workflow Files Analyzed: 205
Run: §25137148558

📊 Executive Summary

Metric	Value
Total secrets.* References	4,536
github.token References	822
Unique Secret Types	31
Workflows with Redaction	205 / 205 (100%)
Token Cascade Instances	766
Permission Blocks	205 / 205 (100%)

🛡️ Security Posture

✅ Redaction System: All 205 workflows have redact_secrets steps — full coverage
✅ Token Cascades: 766 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN fallback chains
✅ Permission Blocks: All 205 workflows include explicit permissions: definitions
✅ Secrets in Outputs: No secrets found leaking through job output definitions
i️ github.event.* Usage: 2,570 references in if: conditions and concurrency groups — expected pattern, not injection risk

🎯 Key Findings

1. GitHub token trio dominates: GITHUB_TOKEN (2,593), GH_AW_GITHUB_TOKEN (2,508), and GH_AW_GITHUB_MCP_SERVER_TOKEN (1,148) together account for ~68% of all secret references — consistent with the token cascade pattern.
2. AI engine secrets are scoped: ANTHROPIC_API_KEY (236), OPENAI_API_KEY (66), CODEX_API_KEY (66), COPILOT_GITHUB_TOKEN (328) are used selectively in engine-specific workflows only.
3. Observability secrets are consistent: GH_AW_OTEL_HEADERS and GH_AW_OTEL_ENDPOINT each appear exactly 92 times — uniform OTEL instrumentation across workflows.
4. Long-tail specialization: 16 secrets appear fewer than 20 times each, covering integrations with Sentry, Datadog, Slack, Notion, Brave, Azure, etc.

💡 Recommendations

1. No immediate action required — Security posture is excellent with 100% redaction and permission coverage.
2. Monitor AI engine secret growth — As new engines are added, track that engine-specific secrets remain appropriately scoped.
3. Review single-use secrets — SLACK_BOT_TOKEN, OPENROUTER_API_KEY, GH_AW_PLUGINS_TOKEN each appear only once; confirm these are intentional and not orphaned.

🔑 All 31 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,593	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,508	GitHub Token (PAT)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,148	GitHub MCP Token
4	COPILOT_GITHUB_TOKEN	328	Copilot Engine
5	ANTHROPIC_API_KEY	236	AI Engine (Claude)
6	GH_AW_OTEL_HEADERS	92	Observability
7	GH_AW_OTEL_ENDPOINT	92	Observability
8	OPENAI_API_KEY	66	AI Engine (OpenAI)
9	CODEX_API_KEY	66	AI Engine (Codex)
10	GH_AW_CI_TRIGGER_TOKEN	48	CI Infrastructure
11	GH_AW_SIDE_REPO_PAT	19	GitHub Token (PAT)
12	GH_AW_AGENT_TOKEN	15	Agent Token
13	TAVILY_API_KEY	13	Search Integration
14	GH_AW_PROJECT_GITHUB_TOKEN	8	GitHub Projects
15	NOTION_API_TOKEN	6	Notion Integration
16	SENTRY_OPENAI_API_KEY	4	Sentry + AI
17	SENTRY_ACCESS_TOKEN	4	Sentry
18	GEMINI_API_KEY	4	AI Engine (Gemini)
19	BRAVE_API_KEY	4	Search Integration
20	DD_SITE	3	Datadog
21	DD_APPLICATION_KEY	3	Datadog
22	DD_API_KEY	3	Datadog
23	SENTRY_API_KEY	2	Sentry
24	CONTEXT	2	Custom Context
25	AZURE_TENANT_ID	2	Azure Integration
26	AZURE_CLIENT_SECRET	2	Azure Integration
27	AZURE_CLIENT_ID	2	Azure Integration
28	SLACK_BOT_TOKEN	1	Slack Integration
29	OPENROUTER_API_KEY	1	AI Engine (OpenRouter)
30	GH_AW_PLUGINS_TOKEN	1	Plugin System

📖 Reference Documentation

• Secrets spec: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

References:
§25137148558

Generated by Daily Secrets Analysis Agent · ● 331.8K · ◷

• expires on May 2, 2026, 10:31 PM UTC

[github-actions[bot]]

💥 KA-POW! The Claude Smoke Test Agent was HERE!

🦸 WHOOOOSH! Agent-25138536105 swept through the repository at warp speed — analyzing PRs, building Go code, navigating GitHub with Playwright, and unleashing Tavily web searches at lightning velocity!

⚡ ZZZAP! All systems nominal! The engine roars! Files written, symbols found, skills deployed!

🎉 BAM! Tests 1-12 complete. Now back to the Batcave... 🦇

💥 [THE END] — Illustrated by Smoke Claude · ● 243.1K · ◷