You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
β Redaction System: 100% of workflows (257/257) include redact_secrets steps β full coverage
β Token Cascades: 926 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN fallback chains β least-privilege ordering confirmed
β Permission Blocks: 100% of workflows (257/257) define explicit permissions: β no implicit permission escalation
β No Secrets in Run Steps: github.event.* references only appear in env: variable assignments β no direct shell interpolation
β No Secrets in Job Outputs: Confirmed zero secret values exposed through job output mappings β οΈSecrets Passed via with:secrets:: 33 instances where secrets are forwarded through job with: blocks β expected pattern for reusable workflows, but warrants periodic review
π― Key Findings
GitHub Token Dominance: GITHUB_TOKEN (4,254) and GH_AW_GITHUB_TOKEN (3,630) together account for ~93% of all secret references β consistent with a GitHub-native agentic platform
AI Provider Diversity: 40 unique secret types span 8+ AI providers (Anthropic, OpenAI, Codex, Gemini, OpenRouter, Foundry, Brave, Tavily) β broad model coverage but increases secret rotation surface
Observability Stack Secrets: Sentry, Grafana, and Datadog secrets appear across many workflows (698 + 464 + 8 occurrences) β monitoring infrastructure is deeply integrated
github.event.* Pattern Volume: 4,593 references to github.event.* β all safely assigned to env: variables before use (no shell injection risk detected)
Reusable Workflow Secret Forwarding: The 33 with:secrets: forwarding instances are the expected pattern for called reusable workflows; values are correctly passed as secret references, not plaintext
π‘ Recommendations
Secret Rotation Surface: With 40 unique secret types across 8+ AI providers, ensure rotation schedules are documented and automated β high volume increases blast radius if any single key is compromised
Reusable Workflow Audit: Periodically review the 33 secret-forwarding with: blocks to ensure least-privilege β only forward secrets actually needed by called workflows
Azure Credential Scope: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID each appear only 2 times β verify these are appropriately scoped and not over-permissioned for their limited usage
π All 40 Secrets by Usage Count
Rank
Secret Name
Occurrences
Category
1
GITHUB_TOKEN
4,254
GitHub Auth
2
GH_AW_GITHUB_TOKEN
3,630
GitHub Auth
3
GH_AW_GITHUB_MCP_SERVER_TOKEN
1,696
GitHub Auth
4
COPILOT_GITHUB_TOKEN
705
GitHub Auth
5
GH_AW_OTEL_SENTRY_AUTHORIZATION
698
Observability
6
GH_AW_OTEL_SENTRY_ENDPOINT
466
Observability
7
GH_AW_OTEL_GRAFANA_AUTHORIZATION
464
Observability
8
ANTHROPIC_API_KEY
242
AI Provider
9
GH_AW_OTEL_GRAFANA_ENDPOINT
232
Observability
10
OPENAI_API_KEY
81
AI Provider
11
CODEX_API_KEY
80
AI Provider
12
GH_AW_CI_TRIGGER_TOKEN
60
CI/CD
13
GH_AW_SIDE_REPO_PAT
24
GitHub Auth
14
GH_AW_AGENT_TOKEN
15
GitHub Auth
15
TAVILY_API_KEY
12
AI Provider
16
SENTRY_OPENAI_API_KEY
10
Observability
17
SENTRY_ACCESS_TOKEN
10
Observability
18
DD_APP_KEY
10
Observability
19
DD_APPLICATION_KEY
10
Observability
20
DD_API_KEY
8
Observability
21
DD_SITE
7
Observability
22
NOTION_API_TOKEN
6
Integration
23
GRAFANA_URL
6
Observability
24
GRAFANA_SERVICE_ACCOUNT_TOKEN
6
Observability
25
FOUNDRY_OPENAI_ENDPOINT
6
AI Provider
26
ANTIGRAVITY_API_KEY
6
Integration
27
GH_AW_PROJECT_GITHUB_TOKEN
5
GitHub Auth
28
GEMINI_API_KEY
5
AI Provider
29
BRAVE_API_KEY
4
AI Provider
30
AWI_MAINTENANCE_TOKEN
4
CI/CD
31
FOUNDRY_API_KEY
3
AI Provider
32
GH_AW_OTEL_DATADOG_API_KEY
2
Observability
33
CONTEXT
2
Other
34
AZURE_TENANT_ID
2
Cloud Auth
35
AZURE_CLIENT_SECRET
2
Cloud Auth
36
AZURE_CLIENT_ID
2
Cloud Auth
37
SLACK_BOT_TOKEN
1
Integration
38
OPENROUTER_API_KEY
1
AI Provider
39
GH_AW_OTEL_DATADOG_ENDPOINT
1
Observability
40
GH_AW_OTEL_GRAFANA_ENDPOINT
232
Observability
π€ AI Provider Coverage (Workflows Using Each Key)
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
π Daily Secrets Analysis Report
Date: 2026-07-13
Workflow Files Analyzed: 257
Run: Β§29273522276
π Executive Summary
secrets.*referencesgithub.tokenreferencespermissions:blocksπ‘οΈ Security Posture
β Redaction System: 100% of workflows (257/257) include
β οΈ Secrets Passed via
redact_secretssteps β full coverageβ Token Cascades: 926 instances of
GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENfallback chains β least-privilege ordering confirmedβ Permission Blocks: 100% of workflows (257/257) define explicit
permissions:β no implicit permission escalationβ No Secrets in Run Steps:
github.event.*references only appear inenv:variable assignments β no direct shell interpolationβ No Secrets in Job Outputs: Confirmed zero secret values exposed through job output mappings
with:secrets:: 33 instances where secrets are forwarded through jobwith:blocks β expected pattern for reusable workflows, but warrants periodic reviewπ― Key Findings
GITHUB_TOKEN(4,254) andGH_AW_GITHUB_TOKEN(3,630) together account for ~93% of all secret references β consistent with a GitHub-native agentic platformgithub.event.*Pattern Volume: 4,593 references togithub.event.*β all safely assigned toenv:variables before use (no shell injection risk detected)with:secrets:forwarding instances are the expected pattern for called reusable workflows; values are correctly passed as secret references, not plaintextπ‘ Recommendations
with:blocks to ensure least-privilege β only forward secrets actually needed by called workflowsAZURE_CLIENT_ID,AZURE_CLIENT_SECRET, andAZURE_TENANT_IDeach appear only 2 times β verify these are appropriately scoped and not over-permissioned for their limited usageπ All 40 Secrets by Usage Count
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYSENTRY_OPENAI_API_KEYSENTRY_ACCESS_TOKENDD_APP_KEYDD_APPLICATION_KEYDD_API_KEYDD_SITENOTION_API_TOKENGRAFANA_URLGRAFANA_SERVICE_ACCOUNT_TOKENFOUNDRY_OPENAI_ENDPOINTANTIGRAVITY_API_KEYGH_AW_PROJECT_GITHUB_TOKENGEMINI_API_KEYBRAVE_API_KEYAWI_MAINTENANCE_TOKENFOUNDRY_API_KEYGH_AW_OTEL_DATADOG_API_KEYCONTEXTAZURE_TENANT_IDAZURE_CLIENT_SECRETAZURE_CLIENT_IDSLACK_BOT_TOKENOPENROUTER_API_KEYGH_AW_OTEL_DATADOG_ENDPOINTGH_AW_OTEL_GRAFANA_ENDPOINTπ€ AI Provider Coverage (Workflows Using Each Key)
ANTHROPIC_API_KEYOPENAI_API_KEYCODEX_API_KEYTAVILY_API_KEYGEMINI_API_KEYBRAVE_API_KEYFOUNDRY_API_KEYOPENROUTER_API_KEYπ Reference Documentation
actions/setup/js/redact_secrets.cjsscratchpad/secrets-yml.mdGenerated: 2026-07-13 18:15 UTC
Workflow Run: Β§29273522276
Beta Was this translation helpful? Give feedback.
All reactions