[daily secrets] Daily Secrets Analysis — 2026-04-14

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: April 14, 2026
Workflow Files Analyzed: 191 .lock.yml files
Run: §24425916038

---

📊 Executive Summary

Metric	Value
Total secrets.* references	4,048 (real secrets)
github.token references	752
Unique secret types	30 (across all workflows)
Workflows using secrets	191 / 191 (100%)
Workflows with permission blocks	191 / 191 (100%)
Workflows with redaction steps	191 / 191 (100%)

All 191 compiled workflows have security controls fully applied.

---

🛡️ Security Posture

✅ Redaction System: 191/191 workflows (100%) include a redact_secrets.cjs step
✅ Token Cascade Pattern: 719 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN fallback chains
✅ Permission Blocks: 191 explicit permissions: definitions (one per workflow)
✅ No Secrets in Outputs: Zero instances of secrets being exposed in job outputs:
✅ github.event.* Usage: 2,407 references are all in normal workflow contexts (if conditions, env: blocks) — no template injection risks detected

---

🤖 AI Engine Secret Distribution

AI Engine	Secret	Workflows Using
Copilot	COPILOT_GITHUB_TOKEN	126 (66%)
Anthropic/Claude	ANTHROPIC_API_KEY	53 (28%)
OpenAI	OPENAI_API_KEY	12 (6%)
Codex	CODEX_API_KEY	11 (6%)
Gemini	GEMINI_API_KEY	1 (<1%)

Copilot is the dominant engine (66%), with Claude as a strong secondary option (28%). OpenAI/Codex cover ~6% each. Gemini has minimal adoption (1 workflow).

---

🎯 Key Findings

1. Token hierarchy is well-implemented: The 3-tier cascade (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN) appears in 719 places, providing robust fallback authentication across all workflows.

2. OTEL observability is broadly deployed: 53 workflows (28%) use GH_AW_OTEL_ENDPOINT and GH_AW_OTEL_HEADERS for telemetry, indicating mature observability coverage.

3. Specialty integrations contained to specific workflows: Azure (3 secrets), Sentry (3 secrets), Slack (1 secret), Notion (1 secret), Datadog (3 secrets) are all isolated to 1-2 workflows (mcp-inspector.lock.yml, daily-otel-instrumentation-advisor.lock.yml), which limits blast radius.

4. secrets.cjs false positive: The grep pattern secrets\.[a-z]* matched .cjs file extension references in require('...redact_secrets.cjs'). Real secret count is 4,048 (not 4,243).

5. No anomalies detected: All secret patterns match expected architecture from the specification.

---

💡 Recommendations

1. Gemini adoption monitoring: Only 1 workflow uses GEMINI_API_KEY. If Gemini engine support is expanding, ensure the cascade/fallback pattern is also implemented for Gemini workflows.

2. Specialty secrets scoping: Azure, Sentry, Datadog, and Slack secrets are concentrated in mcp-inspector.lock.yml. This multi-integration hub workflow should receive elevated security review attention during updates.

3. CI Trigger token review: GH_AW_CI_TRIGGER_TOKEN appears in 45 references across workflows. Confirm PAT rotation schedule and minimal-scope configuration for this token.

---

🔑 Top 15 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,408	GitHub Built-in
2	GH_AW_GITHUB_TOKEN	2,325	GitHub PAT (gh-aw)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,074	GitHub MCP PAT
4	COPILOT_GITHUB_TOKEN	302	AI Engine
5	ANTHROPIC_API_KEY	212	AI Engine
6	GH_AW_OTEL_ENDPOINT	159	Observability
7	OPENAI_API_KEY	60	AI Engine
8	CODEX_API_KEY	60	AI Engine
9	GH_AW_OTEL_HEADERS	53	Observability
10	GH_AW_CI_TRIGGER_TOKEN	45	CI/CD
11	GH_AW_SIDE_REPO_PAT	19	GitHub PAT
12	GH_AW_AGENT_TOKEN	15	Agent Auth
13	TAVILY_API_KEY	13	External Tool (Search)
14	GH_AW_PROJECT_GITHUB_TOKEN	8	GitHub PAT
15	NOTION_API_TOKEN	6	External Integration

🌐 External/Third-Party Secrets

Secret	Occurrences	Service	Risk Level
ANTHROPIC_API_KEY	212	Anthropic AI	Medium
OPENAI_API_KEY	60	OpenAI	Medium
CODEX_API_KEY	60	Codex/OpenAI	Medium
TAVILY_API_KEY	13	Tavily Search	Low
NOTION_API_TOKEN	6	Notion	Low
GEMINI_API_KEY	4	Google Gemini	Medium
BRAVE_API_KEY	4	Brave Search	Low
DD_API_KEY	3	Datadog	Low
DD_APPLICATION_KEY	3	Datadog	Low
DD_SITE	3	Datadog	Low
SENTRY_ACCESS_TOKEN	2	Sentry	Low
SENTRY_API_KEY	2	Sentry	Low
SENTRY_OPENAI_API_KEY	2	Sentry+OpenAI	Medium
SLACK_BOT_TOKEN	1	Slack	Low
AZURE_CLIENT_ID	2	Azure	Medium
AZURE_CLIENT_SECRET	2	Azure	High
AZURE_TENANT_ID	2	Azure	Medium

Azure credentials (AZURE_CLIENT_SECRET) represent the highest-risk external secret and are scoped solely to mcp-inspector.lock.yml.

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Security Architecture: SECURITY.md

---

Generated: 2026-04-14T22:25:37Z
References: §24425916038

Generated by Daily Secrets Analysis Agent · ● 387.5K · ◷

• expires on Apr 17, 2026, 10:27 PM UTC

[github-actions[bot]]

🤖 Smoke test agent was here! 👋

Just passing through to confirm the GitHub MCP tools are working smoothly. This is an automated smoke test comment from run §24426417572. Nothing to see here — carry on! 🚀

📰 BREAKING: Report filed by Smoke Copilot · ● 644.7K · ◷

[github-actions[bot]]

💥 WHOOSH!

[PANEL: A caped smoke-test agent bursts through the wall, trailing sparks and leaving a Claude-shaped hole behind]

SMOKE TEST AGENT WAS HERE! ⚡

"By the power of the agentic workflows... RUN 24426417551 IS NOMINAL!"

🔥 KA-POW! All systems tested. All engines firing. Claude engine: TURBOCHARGED!

[CAPTION BOX: "Meanwhile, at the github/gh-aw fortress of automation..."]

"With great workflows comes great responsibility." — Claude, probably

💫 ZZZAP! BZZZT! WHOMP! 💫

💥 [THE END] — Illustrated by Smoke Claude · ● 177.2K · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #26503.