[daily secrets] Secret Usage Analysis Report – 2026-06-14

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-06-14
Workflow Files Analyzed: 246
Run: §27507392236

📊 Executive Summary

Metric	Value
Total secrets.* references	7,114
github.token references	1,485
Unique secret types	38
Step-level secret refs	6,172 (87%)
Job-level secret refs	942 (13%)

🛡️ Security Posture

✅ Redaction System: 246/246 workflows (100%) have redaction steps
✅ Token Cascades: 894 instances of 3-level fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN)
✅ Permission Blocks: 246/246 workflows (100%) have explicit permission definitions
✅ Template Injection: 0 actual risks — github.event.* is passed via env vars (safe pattern)
✅ Secrets in Outputs: 0 actual exposures — false positives were workflow-level env: blocks (correct usage)

🎯 Key Findings

1. Universal Token Cascade Coverage: All 246 workflows implement the full 3-level GitHub token fallback chain, ensuring resilient authentication without hard-coding privileged tokens.

2. OTEL Observability Coverage: 232/246 (94%) workflows instrument with Sentry and Grafana OTEL credentials. The 14 without are intentional exceptions (audit runners, daily test harnesses, and utility workflows that don't need telemetry export).

3. AI/LLM Key Concentration: Anthropic API keys are by far the most widely deployed AI credential (65 workflows, 257 references), reflecting the platform's primary AI engine. OpenAI/Codex follows at 15+14 workflows.

💡 Recommendations

1. No Urgent Actions: All core security controls (permissions, redaction, token cascades) are at 100% coverage — no remediation needed.

2. OTEL Gap Review: Confirm the 14 workflows without Sentry OTEL credentials are intentionally excluded (e.g., agentic-token-audit, daily-byok-ollama-test). If any should export telemetry, add the observability block.

3. AI Key Rotation Schedule: With 38 unique secret types and AI keys across 65+ workflows, maintain a documented rotation cadence — especially for ANTHROPIC_API_KEY given its broad usage.

🔑 Top 15 Secrets by Occurrence Count

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	3,898	GitHub Auth
2	GH_AW_GITHUB_TOKEN	3,235	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,351	GitHub Auth
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	697	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	466	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	Observability
7	COPILOT_GITHUB_TOKEN	419	GitHub Auth
8	ANTHROPIC_API_KEY	257	AI/LLM
9	GH_AW_OTEL_GRAFANA_ENDPOINT	233	Observability
10	OPENAI_API_KEY	79	AI/LLM
11	CODEX_API_KEY	78	AI/LLM
12	GH_AW_CI_TRIGGER_TOKEN	59	CI Automation
13	GH_AW_SIDE_REPO_PAT	24	GitHub Auth
14	GH_AW_AGENT_TOKEN	13	CI Automation
15	TAVILY_API_KEY	13	AI/LLM

🤖 AI/LLM Credentials by Workflow Coverage

Secret	Workflows Using
ANTHROPIC_API_KEY	65
OPENAI_API_KEY	15
CODEX_API_KEY	14
TAVILY_API_KEY	5
SENTRY_OPENAI_API_KEY	4
GEMINI_API_KEY	2
BRAVE_API_KEY	2
FOUNDRY_API_KEY	1
OPENROUTER_API_KEY	1
ANTIGRAVITY_API_KEY	1

📡 Observability Secrets Coverage

Secret	Workflows Using
GH_AW_OTEL_SENTRY_AUTHORIZATION	232
GH_AW_OTEL_SENTRY_ENDPOINT	232
GH_AW_OTEL_GRAFANA_AUTHORIZATION	231
GH_AW_OTEL_GRAFANA_ENDPOINT	231
DD_API_KEY	2
GH_AW_OTEL_DATADOG_API_KEY	1

Workflows without Sentry OTEL (14): agentic-token-audit, agentic-token-optimizer, agentic-token-trend-audit, daily-byok-ollama-test, daily-credit-limit-test, daily-max-ai-credits-test, daily-safeoutputs-git-simulator, daily-team-status, daily-windows-terminal-integration-builder, designer-drift-audit, and 4 others.

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-06-14T18:03:58Z
Workflow: §27507392236

Generated by 🔒 Daily Secrets Analysis Agent · 129.1 AIC · ⌖ 14.4 AIC · ⊞ 18.3K · ◷

• expires on Jun 17, 2026, 10:09 AM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #39438.