[daily secrets] Daily Secrets Analysis — 2026-03-30

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: March 30, 2026
Workflow Files Analyzed: 178
Run: §23770463428

---

📊 Executive Summary

Metric	Value
Total Workflow Files	178
Unique Secret Types	26
secrets.* References	5,972
github.token References	725
Workflows With Redaction	178/178 (100%)
Workflows With Permissions	178/178 (100%)
Token Cascade Instances	664
Secrets in Job Outputs	0 ✅

---

🛡️ Security Posture

✅ Redaction System: All 178/178 workflows include a redact_secrets step
✅ Permission Blocks: All 178/178 workflows declare explicit permissions: blocks
✅ Token Cascade: 664 instances use the fallback chain GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
✅ No Secrets in Outputs: Zero secret values exposed via job outputs
✅ No Template Injection: No github.event.* values interpolated outside env blocks

---

🎯 Key Findings

1. Full Redaction Coverage — Every compiled workflow uses redact_secrets.cjs, ensuring secrets are scrubbed from logs before they can be leaked. This is an excellent baseline security posture.

2. Token Proliferation — 9 distinct GitHub token secrets are in use (GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, COPILOT_GITHUB_TOKEN, GH_AW_AGENT_TOKEN, GH_AW_CI_TRIGGER_TOKEN, GH_AW_SIDE_REPO_PAT, GH_AW_PROJECT_GITHUB_TOKEN, GH_AW_PLUGINS_TOKEN). The cascade pattern correctly reduces direct exposure by trying more privileged tokens first.

3. AI Provider Secret Diversity — 4 AI provider keys are tracked (ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY, GEMINI_API_KEY), reflecting multi-engine support. ANTHROPIC_API_KEY has the highest non-GitHub usage (160 refs).

4. Low-Usage Secrets — GH_AW_PLUGINS_TOKEN (1 ref, 1 workflow), SLACK_BOT_TOKEN (1 ref), and AZURE_* (2 refs each) appear in very few workflows, suggesting specialized/experimental usage. These should be audited periodically to confirm they are still needed.

---

💡 Recommendations

1. Audit Low-Usage Secrets — Review GH_AW_PLUGINS_TOKEN, SLACK_BOT_TOKEN, and Azure credentials to confirm they are still actively needed; rotate or remove unused ones.

2. Monitor Secret Sprawl — With 26 distinct secret types across 178 workflows, adding a change-detection step to this report (comparing against a baseline) would surface new secrets being introduced.

3. Standardize AI Key Patterns — OPENAI_API_KEY and CODEX_API_KEY both have 108 references each; verify they are not interchangeable to avoid duplication.

4. Verify DD/Sentry Integration — Datadog and Sentry secrets appear in only 3 workflows each. Confirm these integrations are functional and the secrets are still valid.

---

🔑 All 26 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,121	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,043	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	997	GitHub Token
4	COPILOT_GITHUB_TOKEN	307	GitHub Token
5	ANTHROPIC_API_KEY	160	AI Provider
6	OPENAI_API_KEY	108	AI Provider
7	CODEX_API_KEY	108	AI Provider
8	GH_AW_CI_TRIGGER_TOKEN	42	GitHub Token
9	GH_AW_SIDE_REPO_PAT	19	GitHub Token
10	TAVILY_API_KEY	15	Third-party
11	GH_AW_PROJECT_GITHUB_TOKEN	9	GitHub Token
12	NOTION_API_TOKEN	6	Third-party
13	GH_AW_AGENT_TOKEN	6	GitHub Token
14	GEMINI_API_KEY	4	AI Provider
15	BRAVE_API_KEY	4	Third-party
16	DD_SITE	3	Observability
17	DD_APPLICATION_KEY	3	Observability
18	DD_API_KEY	3	Observability
19	SENTRY_OPENAI_API_KEY	2	Observability
20	SENTRY_ACCESS_TOKEN	2	Observability
21	CONTEXT7_API_KEY	2	Third-party
22	AZURE_TENANT_ID	2	Cloud
23	AZURE_CLIENT_SECRET	2	Cloud
24	AZURE_CLIENT_ID	2	Cloud
25	SLACK_BOT_TOKEN	1	Third-party
26	GH_AW_PLUGINS_TOKEN	1	GitHub Token

Total references: 5,972 (secrets.*) + 725 (github.token)

📂 Top 5 Workflows by Secret Usage

Workflow	Secret References
mcp-inspector.lock.yml	52
daily-news.lock.yml	37
smoke-claude.lock.yml	33
smoke-copilot.lock.yml	32
smoke-project.lock.yml	30

Higher counts in smoke test workflows are expected — they exercise multiple engine configurations and thus reference multiple sets of API keys.

📈 Trends

This is the first run of the Daily Secrets Analysis. Future runs will compare against this baseline to highlight:

• New secret types introduced
• Secrets removed or deprecated
• Changes in reference counts (indicating workflow additions/removals)
• Coverage regressions in redaction or permissions

Baseline established: 2026-03-30 — 178 workflows, 26 secrets, 5,972 refs.

📖 Reference Documentation

• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

---

References:
§23770463428

AI generated by Daily Secrets Analysis Agent · history

• expires on Apr 2, 2026, 10:23 PM UTC

[github-actions[bot]]

🤖 beep boop The smoke test agent was here! Running tests, checking systems... all engines nominal! 🚀

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

🎉 The smoke test agent has concluded its epic journey through the codebase!

Dispatches haiku, reviews PRs, and disappears into the digital mist... 🌫️

Tests run at dawn
Automation checks each path  
Green lights all the way

— Copilot Smoke Test Agent, §23771209830

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #23790.