🔐 Daily Secrets Analysis Report
Date: 2026-05-17
Workflow Files Analyzed: 229
Run: §25998356476
📊 Executive Summary
secrets.* references
github.token references

🛡️ Security Posture
✅ Redaction System: All 229/229 workflows include redaction steps
✅ Token Cascades: 860 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN fallback chains
✅ Permission Blocks: All 229 workflows have explicit permissions: definitions
✅ Template Injection: github.event.* values are consistently sanitized via GH_AW_EXPR_* env variables — no raw interpolation found
✅ Secrets in Outputs: No secrets exposed as job outputs (false positive from grep resolved — occurrences are env var assignments)

🎯 Key Findings
Full OTEL Coverage: All 4 required OTEL secrets (GH_AW_OTEL_SENTRY_ENDPOINT, GH_AW_OTEL_SENTRY_AUTHORIZATION, GH_AW_OTEL_GRAFANA_ENDPOINT, GH_AW_OTEL_GRAFANA_AUTHORIZATION) are used in all 229 workflow files — telemetry infrastructure is fully provisioned.
GitHub Token Triad Dominance: The top 3 secrets (GH_AW_GITHUB_TOKEN 2,945, GITHUB_TOKEN 2,878, GH_AW_GITHUB_MCP_SERVER_TOKEN 1,287) account for 7,110 of 5,898 raw references (noting some overlap from cascade patterns) and represent the core auth layer.
AI Engine Secret Distribution: Multiple AI provider secrets are active — ANTHROPIC_API_KEY (249), OPENAI_API_KEY (73), CODEX_API_KEY (72), GEMINI_API_KEY (5), OPENROUTER_API_KEY (1) — reflecting multi-engine support.

💡 Recommendations
Audit low-usage secrets: OPENROUTER_API_KEY (1), SLACK_BOT_TOKEN (1), CONTEXT (2) appear in very few files — verify they're still needed or candidates for removal.
Monitor GH_AW_AGENT_TOKEN: Used in only 12 references. Confirm this is intentionally scoped or document its purpose to avoid confusion with GH_AW_GITHUB_TOKEN.
Azure credential review: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID each appear in only 2 files. Verify these aren't orphaned credentials.

🔑 Top 15 Secrets by Usage
GH_AW_GITHUB_TOKEN
GITHUB_TOKEN
GH_AW_GITHUB_MCP_SERVER_TOKEN
GH_AW_OTEL_SENTRY_AUTHORIZATION
GH_AW_OTEL_GRAFANA_AUTHORIZATION
GH_AW_OTEL_SENTRY_ENDPOINT
COPILOT_GITHUB_TOKEN
ANTHROPIC_API_KEY
GH_AW_OTEL_GRAFANA_ENDPOINT
OPENAI_API_KEY
CODEX_API_KEY
GH_AW_CI_TRIGGER_TOKEN
GH_AW_SIDE_REPO_PAT
TAVILY_API_KEY
GH_AW_AGENT_TOKEN

🔍 All 36 Unique Secret Types
GH_AW_GITHUB_TOKEN
GITHUB_TOKEN
GH_AW_GITHUB_MCP_SERVER_TOKEN
GH_AW_OTEL_SENTRY_AUTHORIZATION
GH_AW_OTEL_GRAFANA_AUTHORIZATION
GH_AW_OTEL_SENTRY_ENDPOINT
COPILOT_GITHUB_TOKEN
ANTHROPIC_API_KEY
GH_AW_OTEL_GRAFANA_ENDPOINT
OPENAI_API_KEY
CODEX_API_KEY
GH_AW_CI_TRIGGER_TOKEN
GH_AW_SIDE_REPO_PAT
TAVILY_API_KEY
GH_AW_AGENT_TOKEN
GH_AW_PROJECT_GITHUB_TOKEN
SENTRY_OPENAI_API_KEY
SENTRY_ACCESS_TOKEN
NOTION_API_TOKEN
GH_AW_OTEL_HEADERS
GEMINI_API_KEY
GRAFANA_URL
GRAFANA_SERVICE_ACCOUNT_TOKEN
GH_AW_OTEL_ENDPOINT
BRAVE_API_KEY
DD_SITE
DD_APPLICATION_KEY
DD_API_KEY
SENTRY_API_KEY
CONTEXT
AZURE_TENANT_ID
AZURE_CLIENT_SECRET
AZURE_CLIENT_ID
SLACK_BOT_TOKEN
OPENROUTER_API_KEY

📖 Reference Documentation
scratchpad/secrets-yml.md
actions/setup/js/redact_secrets.cjs

Generated: 2026-05-17T17:56 UTC
Workflow: §25998356476