[daily secrets] Daily Secrets Analysis - February 9, 2026

[github-actions[bot]]

📊 Executive Summary

Analyzed 148 compiled workflow files across the repository. The secret infrastructure is comprehensive with strong security controls in place.

Key Metrics:

• Total Secret References: 3,271 (secrets.*)
• GitHub Token References: 292 (github.token)
• Unique Secret Types: 24 distinct secrets
• Step-Level Usage: 1,755 references (53.7%)
• Security Coverage: 100% (all workflows have redaction + permissions)

Overall Status: ✅ Healthy - Robust secret management with comprehensive protection mechanisms

---

🔑 Top Secret Usage

Rank	Secret Name	Usage	Percentage	Type
1	GITHUB_TOKEN	1,675	51.2%	GitHub Authentication
2	GH_AW_GITHUB_TOKEN	1,511	46.2%	GitHub PAT
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	754	23.0%	MCP Server Auth
4	COPILOT_GITHUB_TOKEN	491	15.0%	Copilot Auth
5	CLAUDE_CODE_OAUTH_TOKEN	175	5.4%	Claude Auth
6	ANTHROPIC_API_KEY	175	5.4%	Anthropic API
7	OPENAI_API_KEY	64	2.0%	OpenAI API
8	CODEX_API_KEY	64	2.0%	Codex API
9	TAVILY_API_KEY	15	0.5%	Tavily Search
10	GH_AW_PROJECT_GITHUB_TOKEN	11	0.3%	GitHub Projects

View All 24 Secret Types

Authentication & API Keys:

• GITHUB_TOKEN - GitHub Actions default token (1,675 uses)
• GH_AW_GITHUB_TOKEN - GitHub PAT for gh-aw (1,511 uses)
• GH_AW_GITHUB_MCP_SERVER_TOKEN - MCP server authentication (754 uses)
• COPILOT_GITHUB_TOKEN - GitHub Copilot authentication (491 uses)
• CLAUDE_CODE_OAUTH_TOKEN - Claude Code OAuth (175 uses)
• ANTHROPIC_API_KEY - Anthropic API access (175 uses)
• OPENAI_API_KEY - OpenAI API access (64 uses)
• CODEX_API_KEY - Codex API access (64 uses)
• TAVILY_API_KEY - Tavily search API (15 uses)
• GH_AW_PROJECT_GITHUB_TOKEN - GitHub Projects API (11 uses)
• NOTION_API_TOKEN - Notion integration (8 uses)
• GH_AW_AGENT_TOKEN - Agent authentication (6 uses)
• BRAVE_API_KEY - Brave search API (6 uses)
• SENTRY_OPENAI_API_KEY - Sentry OpenAI integration (3 uses)

Infrastructure & Monitoring:

• SLACK_BOT_TOKEN - Slack notifications
• SENTRY_ACCESS_TOKEN - Sentry error tracking
• DD_API_KEY - Datadog monitoring
• DD_APPLICATION_KEY - Datadog application key
• DD_SITE - Datadog site configuration

Cloud Platform:

• AZURE_CLIENT_ID - Azure authentication
• AZURE_CLIENT_SECRET - Azure credentials
• AZURE_TENANT_ID - Azure tenant

Legacy/Special:

• CONTEXT - Context-specific secrets

---

🛡️ Security Posture

Protection Mechanisms

Security Control	Coverage	Status
Redaction System	148/148 workflows (100%)	✅ Full Coverage
Token Cascades	461 fallback chains	✅ Robust Fallbacks
Permission Blocks	148 explicit definitions (100%)	✅ Full Coverage
Step-Level Isolation	1,755 references (53.7%)	✅ Good Practice

Security Checks

✅ Template Injection Protection: 1,909 github.event.* references properly isolated in env blocks
✅ Secret Exposure Prevention: 0 secrets found in job outputs (excellent!)
✅ Token Cascade Pattern: 461 instances of proper fallback chains for GitHub authentication
✅ Universal Redaction: All 148 workflows include secret redaction steps

---

🎯 Key Findings

1. Comprehensive Token Strategy

The repository uses a sophisticated 3-tier GitHub token strategy:

• Primary: GITHUB_TOKEN (default Actions token) - 1,675 uses
• Extended: GH_AW_GITHUB_TOKEN (elevated permissions) - 1,511 uses
• MCP-Specific: GH_AW_GITHUB_MCP_SERVER_TOKEN (MCP server access) - 754 uses

This provides proper separation of concerns and follows least-privilege principles.

2. Multi-Engine AI Support

Workflows support 4 different AI engines with proper secret isolation:

• GitHub Copilot: 491 token references
• Claude/Anthropic: 350 combined references (Claude OAuth + Anthropic API)
• OpenAI/Codex: 128 combined references
• Custom Engines: Additional API key support (Tavily, Brave)

3. 100% Security Coverage

Every single workflow (148/148) includes:

• ✅ Secret redaction steps
• ✅ Explicit permission blocks
• ✅ Proper secret isolation in env blocks

This is exceptional and demonstrates strong security culture.

4. Step-Level Secret Isolation

53.7% of secret references are at the step level rather than job level, indicating:

• Fine-grained access control
• Reduced blast radius for potential leaks
• Better adherence to least-privilege principle

---

📈 Usage Distribution

View Secret Distribution Analysis

By Category:

• GitHub Authentication: 3,940 references (120.5% - includes github.token)

  • GITHUB_TOKEN: 1,675
  • GH_AW_GITHUB_TOKEN: 1,511
  • GH_AW_GITHUB_MCP_SERVER_TOKEN: 754
  • github.token: 292

• AI Engine Authentication: 920 references (28.1%)

  • COPILOT_GITHUB_TOKEN: 491
  • CLAUDE_CODE_OAUTH_TOKEN: 175
  • ANTHROPIC_API_KEY: 175
  • OPENAI_API_KEY: 64
  • CODEX_API_KEY: 64

• External Services: 84 references (2.6%)

  • TAVILY_API_KEY: 15
  • GH_AW_PROJECT_GITHUB_TOKEN: 11
  • NOTION_API_TOKEN: 8
  • BRAVE_API_KEY: 6
  • GH_AW_AGENT_TOKEN: 6
  • Others: ~38

Distribution Pattern:

• GitHub tokens dominate usage (>80% of all references)
• AI engine tokens show healthy diversity (4 providers)
• External service integration is minimal but purposeful
• No unused or abandoned secrets detected

---

💡 Recommendations

✅ Continue Current Practices

1. Maintain 100% Security Coverage - The current universal application of redaction and permissions is excellent
2. Token Cascade Pattern - The 461 fallback chains provide robust authentication resilience
3. Step-Level Isolation - Continue isolating secrets at the step level (currently 53.7%)

🎯 Potential Improvements

1. Monitor Template Injection Vectors - While the 1,909 github.event.* references are properly isolated, regular audits ensure this remains true
2. Secret Rotation Documentation - Consider documenting the rotation schedule for the 24 distinct secrets
3. Usage Tracking - Establish baseline metrics to detect anomalous secret usage patterns over time

📊 Metrics to Track

• Weekly trend in total secret references (baseline: 3,271)
• New secret introductions (baseline: 24 types)
• Security coverage percentage (baseline: 100%)
• Step-level isolation ratio (baseline: 53.7%)

---

📖 Reference Documentation

For detailed information about secret management:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascades: pkg/workflow/compiler_yaml_setup.go
• Security Guidelines: SECURITY.md

---

Generated: 2026-02-09 18:34 UTC
Run: §21836618351
Next Analysis: 2026-02-10 (automated daily)

AI generated by Daily Secrets Analysis Agent

• expires on Feb 12, 2026, 6:37 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-12T18:37:15.865Z.

Closed by Workflow