[daily secrets] Secrets Analysis Report – 2026-06-12

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-06-12
Workflow Files Analyzed: 246
Run: §27434551076

---

📊 Executive Summary

Metric	Value
Total .lock.yml files	246
Lines referencing secrets.*	6,874
Lines referencing github.token	1,237
Unique secret names	38
Token cascade instances	894
Workflows with redaction steps	246 / 246 ✅
Workflows with permission blocks	246 / 246 ✅

---

🛡️ Security Posture

✅ Universal Redaction: All 246 workflows include a redact_secrets step
✅ Universal Permissions: All 246 workflows declare explicit permissions: blocks
✅ Token Cascades: 894 fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) provide layered auth
✅ No Secrets in Job Outputs: Verified — no job-level outputs: expose secret values
✅ Event Data Handling: github.event.* values are assigned to env: variables (safe pattern), not directly interpolated in shell scripts

Overall posture: Strong ✅

---

🔑 Secret Usage by Category

Category	# Named References	% of Total	Example Secrets
GitHub Auth Tokens	8,759	78.5%	GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, COPILOT_GITHUB_TOKEN
Observability / Monitoring	1,922	17.2%	GH_AW_OTEL_SENTRY_*, GH_AW_OTEL_GRAFANA_*
AI / LLM API Keys	460	4.1%	ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY
Other	15	0.1%	SLACK_BOT_TOKEN, NOTION_API_TOKEN, CONTEXT

GitHub authentication dominates, as expected for an agentic workflow platform. Observability secrets are the second-largest group, reflecting comprehensive tracing via Sentry and Grafana. AI/LLM keys are well-contained at ~4%.

---

🏆 Top 15 Secrets by Reference Count

Rank	Secret Name	References	Category
1	GITHUB_TOKEN	3,653	GitHub Auth
2	GH_AW_GITHUB_TOKEN	3,231	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,352	GitHub Auth
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	700	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	468	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	466	Observability
7	COPILOT_GITHUB_TOKEN	419	GitHub Auth
8	GH_AW_OTEL_GRAFANA_ENDPOINT	234	Observability
9	ANTHROPIC_API_KEY	257	AI/LLM
10	OPENAI_API_KEY	79	AI/LLM
11	CODEX_API_KEY	78	AI/LLM
12	GH_AW_CI_TRIGGER_TOKEN	59	GitHub Auth
13	GH_AW_SIDE_REPO_PAT	24	GitHub Auth
14	GH_AW_AGENT_TOKEN	13	GitHub Auth
15	TAVILY_API_KEY	13	AI/LLM

📋 All 38 Unique Secret Names

GitHub Auth (9): GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, COPILOT_GITHUB_TOKEN, GH_AW_CI_TRIGGER_TOKEN, GH_AW_SIDE_REPO_PAT, GH_AW_AGENT_TOKEN, GH_AW_PROJECT_GITHUB_TOKEN

AI/LLM (11): ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY, GEMINI_API_KEY, OPENROUTER_API_KEY, FOUNDRY_API_KEY, FOUNDRY_OPENAI_ENDPOINT, ANTIGRAVITY_API_KEY, BRAVE_API_KEY, TAVILY_API_KEY, SENTRY_OPENAI_API_KEY

Observability (13): GH_AW_OTEL_SENTRY_AUTHORIZATION, GH_AW_OTEL_SENTRY_ENDPOINT, GH_AW_OTEL_GRAFANA_AUTHORIZATION, GH_AW_OTEL_GRAFANA_ENDPOINT, GH_AW_OTEL_DATADOG_API_KEY, GH_AW_OTEL_DATADOG_ENDPOINT, DD_API_KEY, DD_APP_KEY, DD_APPLICATION_KEY, DD_SITE, GRAFANA_URL, GRAFANA_SERVICE_ACCOUNT_TOKEN, SENTRY_ACCESS_TOKEN

Other (5): SLACK_BOT_TOKEN, NOTION_API_TOKEN, CONTEXT, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID

📈 Trends

No historical baseline is available for this run. Subsequent daily runs will automatically compare against today's snapshot:

{
  "date": "2026-06-12",
  "total_workflows": 246,
  "secret_refs": 6874,
  "token_refs": 1237,
  "unique_secrets": 38,
  "redaction_count": 246,
  "cascade_count": 894,
  "permission_blocks": 246
}

Watch for: new unique secret types added, changes to redaction coverage falling below 100%, cascade count drift.

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

---

💡 Recommendations

1. Maintain 100% redaction coverage — currently perfect; monitor as new workflows are added.
2. Audit SENTRY_OPENAI_API_KEY vs OPENAI_API_KEY — two overlapping AI keys for Sentry; confirm intentional split or consolidate.
3. Review CODEX_API_KEY (78 refs) alongside OPENAI_API_KEY (79 refs) — near-identical usage suggests a migration opportunity to unify under one secret.
4. Monitor AI key expansion — 11 LLM-related secrets; track as new model integrations are added to avoid secret sprawl.
5. Document CONTEXT secret — only 2 references; purpose unclear; confirm it belongs in secrets vs env vars.

---

References:

• §27434551076

Generated by 🔒 Daily Secrets Analysis Agent · 147.1 AIC · ⌖ 79 AIC · ⊞ 18.7K · ◷

• expires on Jun 15, 2026, 10:26 AM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #39132.