🔐 Daily Secrets Analysis Report
Date: June 17, 2026
Workflow Files Analyzed: 250
Run: §27710626902
📊 Executive Summary
| Metric | Value |
| --- | --- |
| Total secrets.* References | 7,420 |
| github.token References | 1,512 |
| Combined Secret References | 8,932 |
| Unique Secret Types | 39 |
| Workflows with Redaction | 250 / 250 (100%) |
| Workflows with Permission Blocks | 250 / 250 (100%) |
🛡️ Security Posture
✅ Redaction System: All 250 workflows include redact_secrets steps — no raw secret values will appear in logs.
✅ Permission Blocks: Every workflow declares explicit permissions: — least-privilege principle applied universally.
✅ Token Cascades: 924 three-way and 2,679 two-way fallback chains enable graceful degradation without exposing unnecessary tokens.
✅ No Template Injection: Zero github.event.* references found directly in shell run: blocks — all event data is accessed through safe ${{ }} expression contexts or environment variables.
✅ No Secrets in Job Outputs: No secret values are propagated through job output definitions.
✅ No Hardcoded Credentials: All token: references in shell scripts use environment-variable indirection (${GITHUB_TOKEN}), set from secrets via env blocks.
🎯 Key Findings
GitHub tokens dominate (83% of secret refs): The three core token variants — GITHUB_TOKEN (4,172), GH_AW_GITHUB_TOKEN (3,286), and GH_AW_GITHUB_MCP_SERVER_TOKEN (1,376) — account for the majority of references, reflecting the platform-native token-cascade architecture.
Observability telemetry is pervasive (233 workflows, 93%): Sentry, Grafana, and DataDog secrets appear across nearly all workflows (GH_AW_OTEL_SENTRY_AUTHORIZATION alone: 697 refs), indicating a robust observability layer.
AI provider diversity (90 workflows, 10 providers): Anthropic (261 refs) leads among AI providers, with OpenAI/Codex (79/78), Tavily (13), and niche providers (Gemini, Foundry, Brave, OpenRouter, ANTIGRAVITY, Sentry-OpenAI) representing a multi-model strategy.
Cascade fallback patterns are systematic: The GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN three-way chain appears 911 times, and GH_AW_GITHUB_TOKEN → GITHUB_TOKEN 2,679 times — intentional progressive-privilege patterns.
CONTEXT7_API_KEY gap in analysis: 7 references to CONTEXT7_API_KEY exist in workflows but were missed by the secrets\.[A-Z_]* extraction regex (it contains a digit). Minor analysis gap, not a security issue.
💡 Recommendations
No immediate security actions required: All critical controls (redaction, permissions, no-injection) confirmed in 100% of workflows.
Fix secret-name extraction regex: Update [A-Z_]* → [A-Z0-9_]* in future scans to capture alphanumeric secret names like CONTEXT7_API_KEY.
Document AI provider rotation matrix: With 10 distinct AI provider secrets across 90 workflows, create a documented matrix of which workflows use which providers to simplify key-rotation procedures.
Clarify DataDog dual-key alias: Both DD_APP_KEY and DD_APPLICATION_KEY appear in cascade expressions. Confirm this is intentional and document the canonical name to avoid confusion.
🔑 Top 15 Secrets by Usage
1. GITHUB_TOKEN
2. GH_AW_GITHUB_TOKEN
3. github.token
4. GH_AW_GITHUB_MCP_SERVER_TOKEN
5. GH_AW_OTEL_SENTRY_AUTHORIZATION
6. GH_AW_OTEL_SENTRY_ENDPOINT
7. GH_AW_OTEL_GRAFANA_AUTHORIZATION
8. COPILOT_GITHUB_TOKEN
9. GH_AW_OTEL_GRAFANA_ENDPOINT
10. ANTHROPIC_API_KEY
11. OPENAI_API_KEY
12. CODEX_API_KEY
13. GH_AW_CI_TRIGGER_TOKEN
14. TAVILY_API_KEY
15. GH_AW_AGENT_TOKEN
🗂️ Secret Categories Breakdown
- GitHub Tokens (secrets.* only, excluding github.token)
- Observability / Telemetry
- AI Providers
- Other
🔗 Token Cascade Patterns
The codebase uses systematic fallback chains to degrade gracefully from specialized tokens to the base GITHUB_TOKEN:
- MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
- GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
- GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
- CODEX_API_KEY || OPENAI_API_KEY
- DD_APPLICATION_KEY || DD_APP_KEY
📖 Reference Documentation
- scratchpad/secrets-yml.md
- actions/setup/js/redact_secrets.cjs
- .github/workflows/*.lock.yml
Generated: 2026-06-17T18:28:08Z
Workflow: §27710626902