[daily secrets] Daily Secrets Analysis Report — 2026-02-20

[github-actions[bot]]

Daily analysis of secret usage patterns across all compiled workflow files in the repository.

Date: 2026-02-20
Workflow Files Analyzed: 153
Run: §22239094168

📊 Executive Summary

Metric	Value
Total secrets.* References	5,259
github.token References	392
Unique Secret Types	24
Workflows with Redaction	153 / 153 (100%)
Workflows with Permissions	153 / 153 (100%)
Token Cascade Patterns	578

All 153 compiled workflows have both redaction steps and explicit permission blocks — a strong security baseline.

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,763	GitHub Token
2	GH_AW_GITHUB_TOKEN	1,727	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	879	MCP Token
4	COPILOT_GITHUB_TOKEN	506	Copilot Token
5	ANTHROPIC_API_KEY	185	AI Engine
6	OPENAI_API_KEY	68	AI Engine
7	CODEX_API_KEY	68	AI Engine
8	TAVILY_API_KEY	15	Tool Integration
9	NOTION_API_TOKEN	6	Tool Integration
10	GH_AW_PROJECT_GITHUB_TOKEN	6	GitHub Token

GitHub authentication tokens dominate usage (GITHUB_TOKEN + GH_AW_GITHUB_TOKEN = 3,490 refs, ~66% of all secret refs), reflecting the heavy GitHub API usage pattern of agentic workflows.

🛡️ Security Posture

Protection Mechanisms

✅ Redaction System: 153/153 workflows (100%) have redact_secrets steps
✅ Token Cascade Chains: 578 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN fallback patterns
✅ Permission Blocks: 153/153 workflows have explicit permissions: definitions
✅ No Secrets in Outputs: 0 secrets exposed through job outputs

Security Checks

✅ Secrets in job outputs: None found — no risk of secret leakage through workflow outputs
✅ Permission coverage: All workflows define explicit GitHub Actions permission scopes

📋 Complete Secret Inventory (24 unique secrets)

Secret Name	Occurrences	Category
GITHUB_TOKEN	1,763	GitHub Auth
GH_AW_GITHUB_TOKEN	1,727	GitHub Auth
GH_AW_GITHUB_MCP_SERVER_TOKEN	879	MCP Auth
COPILOT_GITHUB_TOKEN	506	Copilot Auth
ANTHROPIC_API_KEY	185	AI Engine — Claude
OPENAI_API_KEY	68	AI Engine — OpenAI
CODEX_API_KEY	68	AI Engine — Codex
TAVILY_API_KEY	15	Search Tool
NOTION_API_TOKEN	6	Tool Integration
GH_AW_PROJECT_GITHUB_TOKEN	6	GitHub Auth
GEMINI_API_KEY	5	AI Engine — Gemini
GH_AW_AGENT_TOKEN	4	Agent Auth
BRAVE_API_KEY	4	Search Tool
DD_SITE	3	Datadog
DD_APPLICATION_KEY	3	Datadog
DD_API_KEY	3	Datadog
SENTRY_OPENAI_API_KEY	2	Sentry/OpenAI
SENTRY_ACCESS_TOKEN	2	Sentry
CONTEXT7_API_KEY	2	Tool Integration
AZURE_TENANT_ID	2	Azure Auth
AZURE_CLIENT_SECRET	2	Azure Auth
AZURE_CLIENT_ID	2	Azure Auth
SLACK_BOT_TOKEN	1	Notifications
GH_AW_BOT_DETECTION_TOKEN	1	Bot Detection

🔝 Workflows with Highest Secret Usage

Workflow	Secret References
mcp-inspector.lock.yml	53
daily-news.lock.yml	42
smoke-claude.lock.yml	35
smoke-copilot.lock.yml	31
smoke-codex.lock.yml	30
deep-report.lock.yml	29
smoke-project.lock.yml	28
daily-performance-summary.lock.yml	28
daily-issues-report.lock.yml	28
q.lock.yml	27

High counts in smoke test workflows are expected — they test multiple engine integrations simultaneously.

📈 Comparison with Yesterday (2026-02-19)

Metric	Yesterday	Today	Change
Total Workflows	152	153	+1 ✅
secrets.* Refs	~5,100	5,259	+159 ↑
Unique Secret Types	~22	24	+2 ↑

Note: Yesterday's values are approximate — today's run establishes the precise baseline for future comparisons.

🎯 Key Findings

1. Full security coverage: All 153 workflows have redaction + permissions — no gaps.
2. Token cascade adoption: The 3-tier token fallback pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN) is used 578 times, demonstrating consistent defense-in-depth for GitHub API access.
3. Multi-engine secret spread: 4 AI engine API keys present (Anthropic, OpenAI/Codex, Gemini, Copilot), reflecting the multi-engine architecture.
4. Zero secrets-in-outputs: No workflow exposes secrets through job output values.

💡 Recommendations

1. Monitor CONTEXT7_API_KEY: Newly appearing with 2 references — verify this is intentional and the secret is properly configured in repo settings.
2. Azure credential cluster: 3 Azure secrets (CLIENT_ID, CLIENT_SECRET, TENANT_ID) each appear only twice — confirm these workflows are actively used or consider cleanup.
3. DD_ secrets*: Datadog integration (3 secrets × 3 refs each) is limited scope — ensure Datadog monitoring workflows remain active.

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

References:

• §22239094168

AI generated by Daily Secrets Analysis Agent

• expires on Feb 23, 2026, 8:04 PM UTC

[github-actions[bot]]

💥 WHOOSH! ⚡

The Smoke Test Agent swoops in, cape billowing!

KA-POW! 🦸 Claude was HERE, testing the systems of GITHUB AGENTIC WORKFLOWS!

"With great agentic power comes great agentic responsibility."

🔥 ZZZAP! — All MCP servers interrogated! Tools activated! Builds compiled!

BAM! The smoke test agent has verified that this discussion is ALIVE and the GitHub systems are OPERATIONAL!

flies off into the GitHub Actions sunset 🌅

— The Smoke Test Agent, Run §22239107636

💥 [THE END] — Illustrated by Smoke Claude