Daily Secrets Analysis Report
Date: 2026-07-04
Workflow Files Analyzed: 258
Run: §28714760645
Executive Summary
Security Posture
✅ Redaction System: 258/258 workflows have redact_secrets steps (full coverage).
✅ Permission Blocks: 258/258 workflows define an explicit permissions: block (full coverage), so no job runs with the repository's default token scope.
✅ Token Cascade Chains: 930 instances of the secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN fallback pattern. In a GitHub expression an unset secret evaluates to the empty string, so the chain uses the most specific token that is configured and falls back to the job-scoped GITHUB_TOKEN otherwise.
✅ Secrets in Job Outputs: none found; no secret value is bound to a job output.
✅ secrets: inherit: not used in any workflow; every secret a job needs is declared explicitly.
✅ github.event.* Usage: every occurrence is assigned to an environment variable through a ${{ }} expression rather than interpolated directly into a run: script. That is the pattern that prevents script injection from attacker-controlled event fields such as issue titles, PR bodies and branch names.
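Added example, not part of the report or of the gh-aw project's own tooling: a stdlib-only Python script that runs the posture checks listed above (explicit permissions, secrets: inherit, secrets bound to job outputs, github.event.* expanded inside a run: script, presence of a redact_secrets step, || token cascades) and the per-secret inventory behind the Top 20 table, over two constructed workflow files, one weak and one hardened. It scans lines and infers blocks from indentation rather than parsing YAML, so treat it as triage; the notify.yml path, the way the redact step is invoked, and the sample workflow contents are assumptions.

```python
"""Line-oriented audit of GitHub Actions workflows for the report's secret-hygiene checks.
Added example, not gh-aw tooling. Stdlib only; it does not parse YAML."""
import re
from collections import Counter
from dataclasses import dataclass, field

SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
TOKEN_REF = re.compile(r"\bgithub\.token\b")
EVENT_EXPR = re.compile(r"\$\{\{[^}]*\bgithub\.event\.[^}]*\}\}")
CASCADE = re.compile(r"secrets\.\w+(?:\s*\|\|\s*secrets\.\w+)+")  # first non-empty secret wins
SECRETS_INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*$")
KEY_LINE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w-]*):(?:\s|$)")  # "key:" or "- key:"


@dataclass
class Findings:
    secrets: set = field(default_factory=set)                # distinct secrets.* names
    github_token_refs: int = 0                               # direct github.token uses
    cascades: list = field(default_factory=list)             # || fallback chains found
    has_permissions: bool = False                            # explicit permissions: block
    secrets_inherit: bool = False                            # secrets: inherit present
    has_redact_step: bool = False                            # a step invoking redact_secrets
    secrets_in_outputs: list = field(default_factory=list)   # (line, text) under outputs:
    unsafe_event_refs: list = field(default_factory=list)    # (line, text) under run:


def audit_workflow(text: str) -> Findings:
    f = Findings()
    block, block_indent = None, -1  # enclosing "run" or "outputs" block, tracked by indentation
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block and indent <= block_indent:  # dedented back to the key's level: block is over
            block = None
        m = KEY_LINE.match(line)
        if m and block is None:
            key = m.group(2)
            if key in ("run", "outputs"):
                block, block_indent = key, indent
            elif key == "permissions":
                f.has_permissions = True
        f.secrets.update(SECRET_REF.findall(line))
        f.github_token_refs += len(TOKEN_REF.findall(line))
        f.cascades += CASCADE.findall(line)
        f.secrets_inherit |= bool(SECRETS_INHERIT.match(line))
        f.has_redact_step |= "redact_secrets" in line
        if block == "outputs" and (SECRET_REF.search(line) or TOKEN_REF.search(line)):
            f.secrets_in_outputs.append((no, line.strip()))
        if block == "run" and EVENT_EXPR.search(line):  # expression expanded into shell text
            f.unsafe_event_refs.append((no, line.strip()))
    return f


def posture_issues(f: Findings) -> list:
    """Failures of the report's posture checks, as report-ready strings."""
    issues = []
    if not f.has_permissions:
        issues.append("no explicit permissions: block; the default token scope applies")
    if f.secrets_inherit:
        issues.append("secrets: inherit forwards every repository secret to the called workflow")
    if not f.has_redact_step:
        issues.append("no redact_secrets step")
    issues += [f"line {n}: secret bound to a job output: {t}" for n, t in f.secrets_in_outputs]
    issues += [f"line {n}: github.event.* expanded in a run: script: {t}" for n, t in f.unsafe_event_refs]
    return issues


def rank_secrets(workflows: dict) -> list:
    """secrets.* reference counts across files, most used first (the Top 20 table)."""
    counts = Counter()
    for text in workflows.values():
        counts.update(SECRET_REF.findall(text))
    return counts.most_common()


# Constructed samples (assumed content; notify.yml and the redact invocation are placeholders).
WEAK_WORKFLOW = """\
name: triage-weak
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    outputs:
      token: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
  notify:
    uses: ./.github/workflows/notify.yml
    secrets: inherit
"""
HARDENED_WORKFLOW = """\
name: triage-hardened
on: issues
permissions:
  contents: read
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
          GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        run: echo "New issue: $ISSUE_TITLE"
      - run: node actions/setup/js/redact_secrets.cjs  # invocation assumed
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, posture_issues(audit_workflow(wf)) or ["all posture checks pass"])
    print(rank_secrets({"weak": WEAK_WORKFLOW, "hardened": HARDENED_WORKFLOW}))
```

The weak sample trips all five checks (no permissions, secrets: inherit, a secret bound to a job output, the issue title expanded inside the shell command, no redact step); the hardened one passes and shows the same title handled through env:. Pointing audit_workflow at every .lock.yml under .github/workflows and taking len(findings.secrets) per file reproduces the distinct-secret-type counts the report uses to rank mcp-inspector and the other high-complexity workflows.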
Key Findings
GitHub auth tokens dominate: the GitHub Auth category (led by GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN and COPILOT_GITHUB_TOKEN) accounts for 9,555 references, the large majority of all secret usage. This reflects the agent-heavy, GitHub-centric nature of these workflows.
AI/LLM keys are tightly scoped: the 450 references to AI API keys (Anthropic, OpenAI, Codex, Gemini, etc.) are concentrated in agent-runner steps. ANTHROPIC_API_KEY leads with 242 occurrences, consistent with Claude-based agentic workflows.
Observability stack is well-instrumented: 1,956 references to OTEL, Sentry and Grafana secrets indicate broad telemetry coverage. Sentry (711 authorization + 475 endpoint references) and Grafana (473 + 237) are the primary backends.
High-complexity workflows identified: mcp-inspector.lock.yml uses 23 distinct secret types, the most in the repo; smoke-otel-backends.lock.yml (19) and daily-token-consumption-report.lock.yml (13) follow. The more credentials a job can read, the larger the blast radius if that job is compromised, so these are the prime candidates for periodic review.
Cloud/third-party credentials are limited in scope: the Azure credentials (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) appear only in smoke-copilot-aoai-entra.lock.yml. Slack (SLACK_BOT_TOKEN) and Notion (NOTION_API_TOKEN) are each used in exactly one workflow.
Recommendations
Review mcp-inspector.lock.yml periodically: with 23 distinct secret types it is the highest-complexity credential consumer. Verify that all 23 secrets remain necessary, and rotate any long-lived ones on a schedule.
Audit Datadog migration status: DD_API_KEY, DD_APP_KEY, DD_APPLICATION_KEY and DD_SITE appear in 7 to 10 references each, alongside the GH_AW_OTEL_DATADOG_* variants. Confirm whether the Datadog integration is fully active or transitional; DD_APP_KEY and DD_APPLICATION_KEY may be two names for the same credential and, if so, should be consolidated.
Confirm GH_AW_OTEL_DATADOG_* usage: only 2 references to GH_AW_OTEL_DATADOG_API_KEY and 1 to GH_AW_OTEL_DATADOG_ENDPOINT, which is very low. Verify that this is intentionally limited, or remove them if unused.
Monitor CONTEXT and OPENROUTER_API_KEY: CONTEXT appears in only 2 references and OPENROUTER_API_KEY in only 1. Confirm that these are deliberate low-use secrets or candidates for removal.
Top 20 Secrets by Usage

| Rank | Secret Name | Occurrences | Category |
|---|---|---|---|
| 1 | GITHUB_TOKEN | 4,253 | GitHub Auth |
| 2 | GH_AW_GITHUB_TOKEN | 3,332 | GitHub Auth |
| 3 | GH_AW_GITHUB_MCP_SERVER_TOKEN | 1,407 | GitHub Auth |
| 4 | github.token (direct) | 1,569* | GitHub Auth |
| 5 | GH_AW_OTEL_SENTRY_AUTHORIZATION | 711 | Observability |
| 6 | GH_AW_OTEL_SENTRY_ENDPOINT | 475 | Observability |
| 7 | GH_AW_OTEL_GRAFANA_AUTHORIZATION | 473 | Observability |
| 8 | COPILOT_GITHUB_TOKEN | 452 | GitHub Auth |
| 9 | ANTHROPIC_API_KEY | 242 | AI/LLM |
| 10 | GH_AW_OTEL_GRAFANA_ENDPOINT | 237 | Observability |
| 11 | OPENAI_API_KEY | 81 | AI/LLM |
| 12 | CODEX_API_KEY | 80 | AI/LLM |
| 13 | GH_AW_CI_TRIGGER_TOKEN | 60 | GitHub Auth |
| 14 | GH_AW_SIDE_REPO_PAT | 24 | GitHub Auth |
| 15 | GH_AW_AGENT_TOKEN | 15 | GitHub Auth |
| 16 | TAVILY_API_KEY | 12 | AI/LLM |
| 17 | SENTRY_OPENAI_API_KEY | 10 | AI/LLM |
| 18 | SENTRY_ACCESS_TOKEN | 10 | Observability |
| 19 | DD_APP_KEY | 10 | Observability |
| 20 | DD_APPLICATION_KEY | 10 | Observability |

* github.token is counted separately from secrets.* references, which is why its row does not follow the occurrence ordering.
Secret Categories Breakdown
Note: category totals do not include the 1,569 direct github.token references.
Highest Complexity Workflows (by distinct secret types)
mcp-inspector (23)
smoke-otel-backends (19)
daily-token-consumption-report (13)
daily-model-inventory
smoke-project
Reference Documentation
scratchpad/secrets-yml.md
actions/setup/js/redact_secrets.cjs
.github/workflows/smoke-otel-backends.lock.yml
Generated: 2026-07-04T17:57 UTC
Workflow Run: §28714760645