[daily secrets] 2026-05-30 — Secrets Analysis Report

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-05-30
Workflow Files Analyzed: 236
Run: §26690890823

📊 Executive Summary

Metric	Value
Total secrets.* References	6,128
github.token References	1,150
Unique Secret Types	37
Workflows with Redaction	236 / 236 ✅
Token Cascade Patterns	854
Permission Blocks	236 / 236 ✅

🛡️ Security Posture

✅ Redaction System: All 236 workflows have redact_secrets steps
✅ Permission Blocks: All 236 workflows define explicit permissions
✅ Token Cascades: 854 instances of fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) — expected pattern
✅ No Secrets in Job Outputs: No secrets exposed through job-level output declarations
✅ Expression Isolation: All github.event.* values are captured via GH_AW_EXPR_* env vars (safe pattern)

🎯 Key Findings

1. Full Redaction Coverage: 100% of compiled workflows include the redact_secrets step — no gaps in secret masking.
2. Dominant Secrets: GH_AW_GITHUB_TOKEN (3,062) and GITHUB_TOKEN (2,996) account for ~98% of all secret references, consistent with expected auth patterns.
3. AI Engine Secrets: ANTHROPIC_API_KEY (257), OPENAI_API_KEY (79), CODEX_API_KEY (78), GEMINI_API_KEY (5), and OPENROUTER_API_KEY (1) reflect the multi-engine architecture.
4. Observability Secrets: OTEL/Grafana/Sentry/Datadog secrets (1,869 combined refs) reflect comprehensive telemetry integration across workflows.

💡 Recommendations

1. CONTEXT secret: 2 occurrences of a secret named CONTEXT — unusual name, worth verifying this is intentional and not a misconfiguration.
2. CODEX_API_KEY vs OPENAI_API_KEY: Both present (78 vs 79 refs) — confirm whether both are needed or if consolidation is possible.
3. GH_AW_SIDE_REPO_PAT: Low usage (20 refs) — verify it remains necessary and follows least-privilege principles.

🔑 Top 20 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GH_AW_GITHUB_TOKEN	3,062	GitHub Auth
2	GITHUB_TOKEN	2,996	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,294	GitHub Auth (MCP)
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	697	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	466	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	Observability
7	COPILOT_GITHUB_TOKEN	399	GitHub Auth (Copilot)
8	ANTHROPIC_API_KEY	257	AI Engine
9	GH_AW_OTEL_GRAFANA_ENDPOINT	233	Observability
10	OPENAI_API_KEY	79	AI Engine
11	CODEX_API_KEY	78	AI Engine
12	GH_AW_CI_TRIGGER_TOKEN	57	CI/CD
13	GH_AW_SIDE_REPO_PAT	20	GitHub Auth
14	TAVILY_API_KEY	13	External Tool
15	GH_AW_AGENT_TOKEN	12	GitHub Auth
16	SENTRY_OPENAI_API_KEY	10	Observability
17	SENTRY_ACCESS_TOKEN	10	Observability
18	DD_APP_KEY	10	Observability (DD)
19	DD_APPLICATION_KEY	10	Observability (DD)
20	DD_API_KEY	8	Observability (DD)

📋 All 37 Unique Secret Types

ANTHROPIC_API_KEY, ANTIGRAVITY_API_KEY, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, BRAVE_API_KEY, CODEX_API_KEY, CONTEXT, COPILOT_GITHUB_TOKEN, DD_API_KEY, DD_APP_KEY, DD_APPLICATION_KEY, DD_SITE, GEMINI_API_KEY, GH_AW_AGENT_TOKEN, GH_AW_CI_TRIGGER_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_OTEL_DATADOG_API_KEY, GH_AW_OTEL_DATADOG_ENDPOINT, GH_AW_OTEL_GRAFANA_AUTHORIZATION, GH_AW_OTEL_GRAFANA_ENDPOINT, GH_AW_OTEL_SENTRY_AUTHORIZATION, GH_AW_OTEL_SENTRY_ENDPOINT, GH_AW_PROJECT_GITHUB_TOKEN, GH_AW_SIDE_REPO_PAT, GITHUB_TOKEN, GRAFANA_SERVICE_ACCOUNT_TOKEN, GRAFANA_URL, NOTION_API_TOKEN, OPENAI_API_KEY, OPENROUTER_API_KEY, SENTRY_ACCESS_TOKEN, SENTRY_OPENAI_API_KEY, SLACK_BOT_TOKEN, TAVILY_API_KEY

📖 Reference Documentation

• Secrets Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

---

Generated: Sat May 30 17:58:16 UTC 2026
Workflow Run: §26690890823

Generated by 🔒 Daily Secrets Analysis Agent · sonnet46 871.3K · ◷

• expires on Jun 2, 2026, 6:00 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #36147.