[daily secrets] Daily Secrets Analysis Report - 2026-02-13

[github-actions[bot]]

Date: February 13, 2026
Workflow Files Analyzed: 150
Run: §21998115563

This daily analysis examines secret usage patterns across all compiled workflow files (.lock.yml) in the repository, tracking 25 unique secret types with 3,154 total references.

📊 Executive Summary

Metric	Count	Notes
Total Secret References	3,154	All secrets.* patterns
GitHub Token References	446	Direct github.token usage
Unique Secret Types	25	Distinct secret identifiers
Workflow Files	150	All compiled .lock.yml files
Step-Level Usage	1,629	100% of secrets at step level
Job-Level Usage	0	No job-level environment secrets

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Purpose
1	GITHUB_TOKEN	1,705	GitHub API authentication (default)
2	GH_AW_GITHUB_TOKEN	1,532	GitHub API authentication (custom)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	617	GitHub MCP server authentication
4	COPILOT_GITHUB_TOKEN	499	Copilot-specific GitHub access
5	CLAUDE_CODE_OAUTH_TOKEN	175	Claude engine authentication
6	ANTHROPIC_API_KEY	175	Anthropic API access
7	OPENAI_API_KEY	64	OpenAI API access
8	CODEX_API_KEY	64	Codex engine authentication
9	TAVILY_API_KEY	15	Tavily search API
10	NOTION_API_TOKEN	6	Notion integration

View Complete Secret Distribution (25 types)

Secret Name	Occurrences	Category
GITHUB_TOKEN	1,705	GitHub Authentication
GH_AW_GITHUB_TOKEN	1,532	GitHub Authentication
GH_AW_GITHUB_MCP_SERVER_TOKEN	617	GitHub MCP Server
COPILOT_GITHUB_TOKEN	499	GitHub Authentication
CLAUDE_CODE_OAUTH_TOKEN	175	AI Engine (Claude)
ANTHROPIC_API_KEY	175	AI Engine (Anthropic)
OPENAI_API_KEY	64	AI Engine (OpenAI)
CODEX_API_KEY	64	AI Engine (Codex)
TAVILY_API_KEY	15	Search API
NOTION_API_TOKEN	6	Integration
GH_AW_PROJECT_GITHUB_TOKEN	5	GitHub Projects
GH_AW_AGENT_TOKEN	4	Agent Authentication
BRAVE_API_KEY	4	Search API
DD_SITE	3	Datadog Configuration
DD_APPLICATION_KEY	3	Datadog Authentication
DD_API_KEY	3	Datadog Authentication
SENTRY_OPENAI_API_KEY	2	Monitoring (Sentry)
SENTRY_ACCESS_TOKEN	2	Monitoring (Sentry)
CONTEXT	2	Unknown
AZURE_TENANT_ID	2	Azure Authentication
AZURE_CLIENT_SECRET	2	Azure Authentication
AZURE_CLIENT_ID	2	Azure Authentication
SLACK_BOT_TOKEN	1	Slack Integration
GH_AW_BOT_DETECTION_TOKEN	1	Bot Detection

Total: 5,372 individual secret references across all secrets

🛡️ Security Posture

Protection Mechanisms

Control	Status	Coverage
Redaction System	✅ Active	150/150 workflows (100%)
Token Cascades	✅ Active	467 fallback chains
Permission Blocks	✅ Active	150 explicit definitions
Secrets in Outputs	✅ Clean	0 exposures detected

Key Security Features:

• Universal Redaction: Every workflow includes redact_secrets step for automatic secret scrubbing
• Token Fallback: 467 instances of 3-level token cascade pattern: GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN
• Explicit Permissions: All workflows define permission blocks explicitly
• Step-Level Isolation: 100% of secrets scoped to individual steps (no job-level environment exposure)

Security Findings

⚠️ Template Injection Risk Assessment

Finding: 1,950 instances of github.event.* usage detected across workflow files.

Analysis: These are primarily safe patterns for reading GitHub webhook event data:

• github.event.pull_request (605 occurrences)
• github.event.issue (443 occurrences)
• github.event.comment (415 occurrences)
• github.event.discussion (317 occurrences)
• github.event.repository (145 occurrences)

Risk Level: LOW - Most usage appears in conditional expressions and environment variable assignments with proper input sanitization.

Recommendation: Continue monitoring for direct string interpolation of event data without sanitization. The current pattern of using environment variables and GitHub Actions contexts is appropriate.

📈 Secret Distribution Analysis

By Secret Category

Category	Unique Secrets	Total References	Top Secret
GitHub Authentication	5	4,358 (69%)	GITHUB_TOKEN (1,705)
AI Engines	6	542 (8.6%)	CLAUDE_CODE_OAUTH_TOKEN (175)
Search APIs	2	19 (0.3%)	TAVILY_API_KEY (15)
Monitoring	5	10 (0.2%)	DD_SITE (3)
Integrations	7	15 (0.2%)	NOTION_API_TOKEN (6)

By Workflow Category

Category	Workflows	Percentage
Daily Workflows	28	18.7%
Smoke Tests	7	4.7%
Other Workflows	115	76.6%

🎯 Key Findings

1. GitHub Token Dominance: GitHub authentication secrets account for 69% of all secret references, with GITHUB_TOKEN and GH_AW_GITHUB_TOKEN representing the majority of usage.

2. 100% Redaction Coverage: All 150 workflow files include the redaction system, demonstrating strong commitment to secret protection.

3. Multi-Engine Support: The repository supports 4 different AI engines (Copilot, Claude, OpenAI, Codex) with appropriate authentication secrets for each.

4. Step-Level Scoping: All secrets are scoped to individual steps rather than job-level environments, limiting exposure surface area.

5. Token Cascade Pattern: 467 instances of the 3-level token fallback pattern ensure workflows can function with different authentication configurations.

💡 Recommendations

1. Continue Current Practices: The current security posture is strong with universal redaction coverage and explicit permissions.

2. Monitor New Secrets: When adding new secret types, ensure they follow the established patterns:

   • Step-level scoping only
   • Include in redaction patterns
   • Use token cascades for fallbacks

3. Template Injection Review: While current github.event.* usage appears safe, consider periodic reviews of new workflows to ensure proper input sanitization continues.

4. Secret Rotation: Consider implementing automated secret rotation for the 5 GitHub authentication tokens to minimize exposure windows.

5. Documentation: Update scratchpad/secrets-yml.md to reflect the current 25 secret types in use.

📖 Reference Documentation

For detailed information about secret usage patterns and security controls:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade: Search for GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN in workflow files

---

Generated: 2026-02-13T18:27:58Z
Workflow: .github/workflows/daily-secrets.md

AI generated by Daily Secrets Analysis Agent

• expires on Feb 16, 2026, 6:30 PM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent just zoomed through here at warp speed, and everything looks fantastic! 🚀✨

All systems nominal, workflows are flowing smoothly like a well-oiled machine. Your daily secrets analysis is chef's kiss 👨🍳💋 - 150 workflows, 25 secret types, and that beautiful 100% redaction coverage? Italian hand gesture Magnifico!

Keep up the stellar work, human friends! 🌟

(Smoke test agent out! 👾)

AI generated by Smoke Copilot

[github-actions[bot]]

💥 WHOOSH! 💥

The Claude Smoke Test Agent just swooped through here like a caped crusader! 🦸

MISSION STATUS: ✅ ALL SYSTEMS GO!

Every test passed faster than a speeding bullet! GitHub MCP? ✓ Playwright? ✓ Tavily? ✓ The whole super-squad is operational!

ZAP! POW! BAM! Testing complete! 🎯

— Your friendly neighborhood smoke test agent 🤖

AI generated by Smoke Claude

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-16T18:30:13.799Z.

Closed by Workflow