[daily secrets] Secrets Analysis Report – 2026-06-23

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-06-23
Workflow Files Analyzed: 250
Run: §28047172142

---

📊 Executive Summary

Metric	Value
Total secrets.* References	11,619
github.token References	1,514
Unique Named Secrets	38
Unique Secret Categories	4
Workflow Files Analyzed	250

Secret category breakdown:

• 🔑 GitHub/Auth tokens: 9,264 refs (79.7%)
• 📡 OTEL/Observability: 1,851 refs (15.9%)
• 🤖 AI/LLM API keys: 428 refs (3.7%)
• 🔧 Other (infra/integrations): 72 refs (0.6%)

---

🛡️ Security Posture

✅ Redaction System: 250/250 workflows (100%) include redact_secrets steps
✅ Permission Blocks: 250/250 workflows (100%) declare explicit permissions:
✅ Token Cascade: 902 instances of the GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN fallback chain
✅ Secrets in Job Outputs: None detected — secrets are not leaked via outputs:
✅ github.event.* Usage: 4,461 event-data references are all safely captured into prefixed GH_AW_EXPR_* env vars — not template injections

---

🎯 Key Findings

1. Universal security controls — Every single workflow enforces redaction and least-privilege permissions. Coverage is 100%.
2. Token cascade uniformity — All 250 workflows follow the standard 3-tier token fallback (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN), giving ~3.6 cascade points per workflow on average.
3. AI provider diversity — Anthropic (ANTHROPIC_API_KEY) dominates at 59 workflows (23.6%), followed by OpenAI (15), Codex (14), Gemini (2), Foundry (1), Antigravity (1).
4. OTEL credentials widely deployed — Sentry (231 workflows), Grafana (230 workflows) observability secrets are near-universally present, enabling telemetry across the fleet.
5. COPILOT_GITHUB_TOKEN scoped to 118 workflows — Only 47.2% of workflows require the Copilot agent token, correctly limiting blast radius.

---

💡 Recommendations

1. Monitor GH_AW_SIDE_REPO_PAT usage — 24 references across a subset of workflows. Confirm this PAT has minimal scopes and is regularly rotated.
2. Audit CONTEXT secret — Only 2 references found; verify it is still required and document its purpose.
3. Review AZURE_* secrets — 6 Azure credential references (CLIENT_ID, CLIENT_SECRET, TENANT_ID × 2 each) across a small number of workflows. Ensure Workload Identity Federation is used where possible instead of static secrets.
4. Quarterly secret rotation — With 38 unique secrets across 250 workflows, establish a rotation schedule to limit exposure from compromised tokens.

---

🔑 Top 10 Secrets by Usage

Rank	Secret Name	References	Workflows	Category
1	GITHUB_TOKEN	4,118	250/250	GitHub Auth
2	GH_AW_GITHUB_TOKEN	3,230	250/250	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,365	250/250	GitHub Auth
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	693	231/250	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	463	231/250	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	461	230/250	Observability
7	COPILOT_GITHUB_TOKEN	448	118/250	GitHub Auth
8	GH_AW_OTEL_GRAFANA_ENDPOINT	231	230/250	Observability
9	ANTHROPIC_API_KEY	229	59/250	AI/LLM
10	OPENAI_API_KEY	81	15/250	AI/LLM

🤖 AI/LLM Provider Distribution

Provider Secret	Workflows	References
ANTHROPIC_API_KEY	59	229
OPENAI_API_KEY	15	81
CODEX_API_KEY	14	80
GEMINI_API_KEY	2	5
FOUNDRY_API_KEY + FOUNDRY_OPENAI_ENDPOINT	1	6
ANTIGRAVITY_API_KEY	1	4
OPENROUTER_API_KEY	1	1
BRAVE_API_KEY	≤4	4
TAVILY_API_KEY	≤12	12
SENTRY_OPENAI_API_KEY	≤10	10

Anthropic is the primary AI provider, used in 23.6% of all workflows.

📋 Full Secret Inventory (38 unique secrets)

GitHub/Auth Tokens (8)
GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, COPILOT_GITHUB_TOKEN, GH_AW_AGENT_TOKEN, GH_AW_CI_TRIGGER_TOKEN, GH_AW_PROJECT_GITHUB_TOKEN, GH_AW_SIDE_REPO_PAT

OTEL/Observability (6)
GH_AW_OTEL_SENTRY_AUTHORIZATION, GH_AW_OTEL_SENTRY_ENDPOINT, GH_AW_OTEL_GRAFANA_AUTHORIZATION, GH_AW_OTEL_GRAFANA_ENDPOINT, GH_AW_OTEL_DATADOG_API_KEY, GH_AW_OTEL_DATADOG_ENDPOINT

AI/LLM Keys (10)
ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY, GEMINI_API_KEY, FOUNDRY_API_KEY, FOUNDRY_OPENAI_ENDPOINT, ANTIGRAVITY_API_KEY, OPENROUTER_API_KEY, SENTRY_OPENAI_API_KEY, BRAVE_API_KEY, TAVILY_API_KEY

Datadog (4)
DD_API_KEY, DD_APPLICATION_KEY, DD_APP_KEY, DD_SITE

Grafana Direct (2)
GRAFANA_SERVICE_ACCOUNT_TOKEN, GRAFANA_URL

Sentry Direct (1)
SENTRY_ACCESS_TOKEN

Azure (3)
AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID

Integrations (4)
NOTION_API_TOKEN, SLACK_BOT_TOKEN, CONTEXT, GH_AW_SIDE_REPO_PAT

📖 Reference Documentation

• Secret Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: standard GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

---

Generated: 2026-06-23T18:17:37Z
Workflow Run: §28047172142

Generated by 🔒 Daily Secrets Analysis Agent · 34.4 AIC · ⌖ 9.18 AIC · ⊞ 6.1K · ◷

• expires on Jun 26, 2026, 10:22 AM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #41505.