[daily secrets] 2026-05-10 Secret Usage Report #31364
Closed
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #31554.
🔐 Daily Secrets Analysis Report
Date: 2026-05-10
Workflow Files Analyzed: 218
Run: §25635652965

📊 Executive Summary
secrets.* references
github.token references

🛡️ Security Posture
env: blocks
All 218 workflows have redaction steps and explicit permission blocks — excellent security posture.
github.event.* references are consistently set via env: variables (the recommended safe pattern), not used in inline expressions.

🎯 Key Findings
Token cascade pattern is robust: 814 instances of ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} provide graceful fallback across all agent workflows.
Top 3 secrets dominate usage: GH_AW_GITHUB_TOKEN (2,798), GITHUB_TOKEN (2,740), and GH_AW_GITHUB_MCP_SERVER_TOKEN (1,219) account for ~63% of all secret references — expected for a GitHub-centric agent platform.
AI engine secrets well-distributed: ANTHROPIC_API_KEY (245), COPILOT_GITHUB_TOKEN (355), OPENAI_API_KEY (73), CODEX_API_KEY (72) reflect healthy multi-engine support.
Redaction is universal: 100% of workflow files include redaction steps — this is the strongest indicator of a mature secrets management posture.

💡 Recommendations
Audit low-usage secrets: SLACK_BOT_TOKEN (1), OPENROUTER_API_KEY (1), CONTEXT (2) appear rarely — confirm they are actively needed or clean up unused references.
Monitor secrets.* in env blocks after outputs:: 37 matches appeared in a grep near outputs: lines; verify these are env vars (safe) and not actual job output values exposing secrets.
Track OTEL secret pairs together: GH_AW_OTEL_HEADERS and GH_AW_OTEL_ENDPOINT always appear together (437 each) — consider bundling into a single composite secret for easier rotation.

🔑 Top 15 Secrets by Usage
GH_AW_GITHUB_TOKEN, GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, GH_AW_OTEL_HEADERS, GH_AW_OTEL_ENDPOINT, COPILOT_GITHUB_TOKEN, ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY, GH_AW_CI_TRIGGER_TOKEN, GH_AW_SIDE_REPO_PAT, GH_AW_AGENT_TOKEN, TAVILY_API_KEY, GH_AW_PROJECT_GITHUB_TOKEN, NOTION_API_TOKEN

🗂️ All 31 Unique Secret Types
ANTHROPIC_API_KEY, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, BRAVE_API_KEY, CODEX_API_KEY, CONTEXT, COPILOT_GITHUB_TOKEN, DD_API_KEY, DD_APPLICATION_KEY, DD_SITE, GEMINI_API_KEY, GH_AW_AGENT_TOKEN, GH_AW_CI_TRIGGER_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_OTEL_ENDPOINT, GH_AW_OTEL_HEADERS, GH_AW_PROJECT_GITHUB_TOKEN, GH_AW_SIDE_REPO_PAT, GITHUB_TOKEN, GRAFANA_SERVICE_ACCOUNT_TOKEN, GRAFANA_URL, NOTION_API_TOKEN, OPENAI_API_KEY, OPENROUTER_API_KEY, SENTRY_ACCESS_TOKEN, SENTRY_API_KEY, SENTRY_OPENAI_API_KEY, SLACK_BOT_TOKEN, TAVILY_API_KEY

📖 Reference Documentation
scratchpad/secrets-yml.md
actions/setup/js/redact_secrets.cjs

Generated: 2026-05-10T17:55 UTC
Workflow: Daily Secrets Analysis