[daily secrets] Secret Usage Analysis — 2026-06-28

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-06-28
Workflow Files Analyzed: 257
Run: §28330964736

---

📊 Executive Summary

Metric	Value
Total workflow files	257
Lines with secrets.* references	7,553
Lines with github.token references	1,562
Unique named secret types	39
Workflows with redaction steps	257 / 257 (100%)
Workflows with permission blocks	257 / 257 (100%)
Token cascade fallback instances	926

---

🛡️ Security Posture

✅ Universal Redaction: 100% of workflows include redact_secrets steps — no unmasked leakage risk
✅ Universal Permissions: 100% of workflows define explicit permissions: blocks — least-privilege enforced
✅ Token Cascades: 926 instances of the 3-tier fallback chain (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN) — resilient token resolution
✅ No Secrets in Outputs: Confirmed no job-level outputs: expose secret values
✅ No Template Injection: Apparent github.event.* patterns in YAML are Handlebars templates within agent system prompts, not GitHub Actions expressions — no injection risk

---

🎯 Key Findings

1. GitHub auth tokens dominate (~60% of all refs): Across 9 distinct GitHub tokens, secrets.GITHUB_TOKEN (4,227 lines) and secrets.GH_AW_GITHUB_TOKEN (3,320 lines) together account for the vast majority of all secret references — expected for an agentic workflow platform.

2. Multi-provider AI key coverage: 7 distinct AI providers are configured — GitHub Copilot leads at 179 workflows, Anthropic/Claude at 62 workflows, with OpenAI, Codex, Gemini, Foundry, and OpenRouter also present, demonstrating strong provider resilience.

3. Observability secrets are well-structured: 1,966+ references across Sentry, Grafana, and Datadog form a dedicated OTEL tier with GH_AW_OTEL_* prefix convention — clean separation from core auth tokens.

4. Secret naming conventions are consistent: The GH_AW_OTEL_* prefix for observability, GH_AW_* for workflow-specific secrets, and provider-name suffixes (_API_KEY, _TOKEN) show a mature naming taxonomy across all 39 secrets.

---

💡 Recommendations

1. Audit low-use secrets: Several secrets appear in very few workflows — AWI_MAINTENANCE_TOKEN (3 refs), GH_AW_PROJECT_GITHUB_TOKEN (7 refs), FOUNDRY_API_KEY (3 refs), AZURE_* (2 refs each), CONTEXT (2 refs). Confirm these are still needed or consider removal.

2. Review CONTEXT secret: Only 2 occurrences of secrets.CONTEXT — unusual name; verify this is not a miscategorized variable or leftover from an older workflow.

3. Consolidate Datadog entries: DD_API_KEY, DD_APP_KEY, and DD_APPLICATION_KEY appear to overlap in purpose (8–10 refs each). Confirm these are intentionally distinct or consolidate to reduce secret sprawl.

---

🔑 Top 15 Secrets by Line Count

Rank	Secret Name	Lines	Category
1	GITHUB_TOKEN	4,227	GitHub Auth
2	GH_AW_GITHUB_TOKEN	3,320	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,401	GitHub Auth
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	711	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	475	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	473	Observability
7	COPILOT_GITHUB_TOKEN	448	GitHub Auth
8	ANTHROPIC_API_KEY	242	AI Provider
9	GH_AW_OTEL_GRAFANA_ENDPOINT	237	Observability
10	OPENAI_API_KEY	87	AI Provider
11	CODEX_API_KEY	86	AI Provider
12	GH_AW_CI_TRIGGER_TOKEN	60	GitHub Auth
13	SENTRY_ACCESS_TOKEN	10	Observability
14	DD_APP_KEY	10	Observability
15	DD_APPLICATION_KEY	10	Observability

🗂️ Secret Inventory by Category (39 total)

GitHub Auth (9 secrets)
GITHUB_TOKEN · GH_AW_GITHUB_TOKEN · GH_AW_GITHUB_MCP_SERVER_TOKEN · COPILOT_GITHUB_TOKEN · GH_AW_CI_TRIGGER_TOKEN · GH_AW_SIDE_REPO_PAT · GH_AW_AGENT_TOKEN · GH_AW_PROJECT_GITHUB_TOKEN · AWI_MAINTENANCE_TOKEN

AI Provider Keys (8 secrets)
ANTHROPIC_API_KEY · OPENAI_API_KEY · CODEX_API_KEY · GEMINI_API_KEY · FOUNDRY_API_KEY · FOUNDRY_OPENAI_ENDPOINT · OPENROUTER_API_KEY · ANTIGRAVITY_API_KEY

Observability / OTEL (14 secrets)
GH_AW_OTEL_SENTRY_AUTHORIZATION · GH_AW_OTEL_SENTRY_ENDPOINT · GH_AW_OTEL_GRAFANA_AUTHORIZATION · GH_AW_OTEL_GRAFANA_ENDPOINT · GH_AW_OTEL_DATADOG_API_KEY · GH_AW_OTEL_DATADOG_ENDPOINT · SENTRY_ACCESS_TOKEN · SENTRY_OPENAI_API_KEY · DD_API_KEY · DD_APP_KEY · DD_APPLICATION_KEY · DD_SITE · GRAFANA_SERVICE_ACCOUNT_TOKEN · GRAFANA_URL

Third-party APIs (4 secrets)
TAVILY_API_KEY · NOTION_API_TOKEN · BRAVE_API_KEY · SLACK_BOT_TOKEN

Cloud / Identity (3 secrets)
AZURE_CLIENT_ID · AZURE_CLIENT_SECRET · AZURE_TENANT_ID

Internal / Other (1 secret)
CONTEXT

🤖 AI Provider Workflow Coverage

Provider	Workflows Using	Primary Secret
GitHub Copilot	179	COPILOT_GITHUB_TOKEN
Anthropic (Claude)	62	ANTHROPIC_API_KEY
OpenAI	22	OPENAI_API_KEY
Codex	15	CODEX_API_KEY
Gemini	3	GEMINI_API_KEY
Foundry	1	FOUNDRY_API_KEY
OpenRouter	1	OPENROUTER_API_KEY

📖 Reference Documentation

• Secrets specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-06-28 17:59 UTC
Workflow: §28330964736

Generated by 🔒 Daily Secrets Analysis Agent · 46.7 AIC · ⌖ 11.9 AIC · ⊞ 6.2K · ◷

• expires on Jul 1, 2026, 10:04 AM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #42320.