[daily secrets] Daily Secrets Analysis — 2026-04-19

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-19
Workflow Files Analyzed: 196
Run: §24640463470

---

📊 Executive Summary

Metric	Value
Total secrets.* references	4,377
github.token references	789
Unique secret types	29
Workflows with redaction	196 / 196 (100%)
Workflows with permission blocks	196 / 196 (100%)
Token cascade usages	736
Secrets exposed in outputs	0 ✅

All 196 compiled workflow files were scanned. Security fundamentals are fully applied across the board.

---

🛡️ Security Posture

Check	Result
Redaction steps	✅ 196/196 workflows include redact_secrets.cjs
Permission blocks	✅ 196/196 workflows have explicit permissions:
Secrets in job outputs	✅ None found
Token cascade fallback	✅ 736 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

The token cascade pattern provides layered authentication resilience — workflows gracefully fall back from MCP-specific tokens to general GitHub tokens.

---

🎯 Key Findings

1. Universal Coverage: All 196 workflows have both redaction and explicit permission blocks — no gaps.
2. GitHub Token Dominance: GITHUB_TOKEN (2,495 refs, 196 workflows) and GH_AW_GITHUB_TOKEN (2,406 refs, 196 workflows) are present in every workflow, primarily via the token cascade pattern.
3. MCP Server Token: GH_AW_GITHUB_MCP_SERVER_TOKEN appears 1,100 times, acting as the preferred high-privilege token in the cascade chain.
4. AI Engine Secrets: Copilot (81 workflows), Anthropic (55), OpenAI/Codex (11 each), Gemini (4) — coverage reflects engine diversity.
5. Observability Secrets: OTEL endpoint/headers (159+53 refs) and DataDog/Sentry credentials appear in a small number of specialized workflows.
6. No Secret Leakage: Zero secrets found in job output definitions — all secrets stay within env blocks passed to steps.

---

💡 Recommendations

1. Monitor CONTEXT secret (2 refs): This non-standard name (secrets.CONTEXT) should be reviewed — verify it is intentionally named and not an alias for a more sensitive value.
2. Review GH_AW_PLUGINS_TOKEN (1 ref): Single-use secrets with low coverage deserve periodic audit to confirm they are still needed.
3. Verify AZURE credentials (2 refs each for CLIENT_ID/SECRET/TENANT_ID): Azure credentials appear in only 1 workflow; confirm rotation cadence aligns with policy.
4. Consider secret inventory documentation: With 29 unique secret types, a machine-readable secret registry would help track purpose, rotation schedule, and workflow dependencies.

---

🔑 All Secrets by Usage Count

Rank	Secret Name	References	Workflows
1	GITHUB_TOKEN	2,495	196
2	GH_AW_GITHUB_TOKEN	2,406	196
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,100	196
4	COPILOT_GITHUB_TOKEN	316	81
5	ANTHROPIC_API_KEY	220	55
6	GH_AW_OTEL_ENDPOINT	159	—
7	OPENAI_API_KEY	60	11
8	CODEX_API_KEY	60	11
9	GH_AW_OTEL_HEADERS	53	—
10	GH_AW_CI_TRIGGER_TOKEN	45	—
11	GH_AW_SIDE_REPO_PAT	19	—
12	GH_AW_AGENT_TOKEN	15	—
13	TAVILY_API_KEY	13	—
14	GH_AW_PROJECT_GITHUB_TOKEN	7	—
15	NOTION_API_TOKEN	6	—
16	GEMINI_API_KEY	4	—
17	BRAVE_API_KEY	4	—
18	DD_SITE	3	—
19	DD_APPLICATION_KEY	3	—
20	DD_API_KEY	3	—
21	SENTRY_OPENAI_API_KEY	2	—
22	SENTRY_API_KEY	2	—
23	SENTRY_ACCESS_TOKEN	2	—
24	CONTEXT	2	—
25	AZURE_TENANT_ID	2	—
26	AZURE_CLIENT_SECRET	2	—
27	AZURE_CLIENT_ID	2	—
28	SLACK_BOT_TOKEN	1	—
29	GH_AW_PLUGINS_TOKEN	1	—

🔐 Token Cascade Pattern

The standard token cascade pattern used across 736 instances:

GITHUB_MCP_SERVER_TOKEN: $\{\{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

This provides fallback authentication:

1. Prefer GH_AW_GITHUB_MCP_SERVER_TOKEN (dedicated MCP token)
2. Fall back to GH_AW_GITHUB_TOKEN (general GitHub PAT)
3. Last resort: GITHUB_TOKEN (built-in Actions token)

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Workflow Files: .github/workflows/*.lock.yml (196 files)

---

Generated: 2026-04-19T22:17:54Z
Workflow Run: §24640463470

Generated by Daily Secrets Analysis Agent · ● 426.9K · ◷

• expires on Apr 22, 2026, 10:20 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #27449.