[daily secrets] February 2, 2026 - Secret Usage Analysis Report

[github-actions[bot]]

📊 Executive Summary

Analysis Date: February 2, 2026
Workflow Files Analyzed: 149 compiled .lock.yml files
Workflow Run: §21585254800

This report provides a comprehensive analysis of secret usage patterns across all agentic workflow files, identifying trends, security posture, and recommendations for optimal secret management.

---

🔑 Secret Usage Statistics

Metric	Count	Notes
Total Secret References	3,139	All secrets.* expressions
GitHub Token References	301	All github.token expressions
Unique Secret Types	3	Distinct secret names used
Workflows with Secrets	149	100% of workflows use secrets
Avg Secrets per Workflow	21.1	Mean secret references per file

---

🏆 Top Secrets by Usage

The three secrets used across all workflows:

Rank	Secret Name	Occurrences	Usage Pattern	Type
1	GH_AW_GITHUB_TOKEN	1,338	Primary GitHub API token	GitHub PAT
2	GITHUB_TOKEN	1,490*	Default GitHub Actions token	Built-in
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	738	GitHub MCP server authentication	GitHub PAT
4	GH_AW_AGENT_TOKEN	13	Agent-specific token (limited use)	GitHub PAT

Note: GITHUB_TOKEN appears in both secrets.GITHUB_TOKEN (explicit) and github.token (built-in) forms.

---

🛡️ Security Posture Assessment

✅ Protection Mechanisms Deployed

1. Universal Redaction System

   • Coverage: 149/149 workflows (100%)
   • Implementation: All workflows include redact_secrets.cjs step
   • Function: Automatically strips secrets from logs before output

2. Token Cascade Fallbacks

   • Coverage: 149/149 workflows (100%)
   • Pattern: GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN
   • Benefit: Ensures workflows can authenticate even if preferred tokens are unavailable

3. Explicit Permission Blocks

   • Coverage: 149/149 workflows (100%)
   • Implementation: Every workflow defines explicit permissions: blocks
   • Benefit: Principle of least privilege - each workflow requests only required permissions

🔍 Security Validation Results

Security Check	Status	Details
Secrets in Job Outputs	✅ PASS	0 instances found
Template Injection Risks	⚠️ REVIEW	149 workflows reference github.event.*
Redaction Coverage	✅ PASS	100% coverage
Permission Blocks	✅ PASS	100% have explicit permissions
Token Cascades	✅ PASS	100% use fallback chains

Template Injection Note: All 149 workflows reference github.event.* expressions. This is expected for event-driven workflows, but requires continued vigilance to ensure these values are never interpolated directly into shell commands without sanitization. Current implementation uses env: blocks for proper escaping.

---

📈 Secret Distribution Analysis

Secret Usage by Purpose

Secret Purpose Breakdown

1. GitHub API Authentication (1,338 occurrences)

   • Primary: GH_AW_GITHUB_TOKEN
   • Used for: Repository operations, issue management, PR creation
   • Scope: Full repository access with fine-grained permissions

2. MCP Server Authentication (738 occurrences)

   • Primary: GH_AW_GITHUB_MCP_SERVER_TOKEN
   • Used for: GitHub MCP server tool access
   • Workflows: Primarily workflows using tools.github configuration

3. Default Actions Token (1,490 occurrences)

   • Primary: secrets.GITHUB_TOKEN + github.token
   • Used for: Basic GitHub Actions operations
   • Scope: Limited to workflow repository context

4. Specialized Agent Token (13 occurrences)

   • Primary: GH_AW_AGENT_TOKEN
   • Used for: Specific agent workflows requiring elevated permissions
   • Scope: Limited deployment across workflows

Structural Location Analysis

Secret Declaration Patterns:

• Job-level environment variables: Used consistently for agent authentication
• Step-level environment variables: Used for tool-specific secrets (MCP servers, etc.)
• Inline expressions: Minimal usage, primarily for token cascades

---

🎯 Key Findings

1. Excellent Security Baseline ✅

Every workflow implements core security controls:

• Automated secret redaction (100% coverage)
• Token cascade fallbacks (100% coverage)
• Explicit permission blocks (100% coverage)

2. Consistent Secret Architecture ✅

The repository uses a three-tier token strategy:

1. Primary GitHub token (GH_AW_GITHUB_TOKEN)
2. MCP-specific token (GH_AW_GITHUB_MCP_SERVER_TOKEN)
3. Fallback default token (GITHUB_TOKEN)

This architecture provides resilience while maintaining security boundaries.

3. Universal Template Safety ⚠️

All workflows reference github.event.* for event-driven triggers. While this is expected and properly handled through env: blocks, it's a pattern that requires ongoing monitoring to prevent future template injection vulnerabilities.

4. No Secret Exposure Detected ✅

Zero instances of secrets being passed to job outputs, reducing risk of accidental secret disclosure in workflow logs or downstream jobs.

---

💡 Recommendations

Priority 1: Maintain Current Posture

1. Continue universal redaction coverage - Do not compromise on the 100% redaction requirement
2. Preserve token cascade pattern - Ensures workflow resilience across different deployment contexts
3. Keep explicit permissions - Avoid workflows with default permissions: write-all

Priority 2: Documentation Updates

1. Document secret hierarchy: Create docs/security/secret-architecture.md explaining the three-tier token strategy
2. Template injection guidelines: Add to AGENTS.md guidance on safe github.event.* usage patterns
3. Secret rotation procedures: Document process for rotating GH_AW_* secrets

Priority 3: Future Enhancements

1. Secret usage metrics: Consider tracking secret usage trends over time
2. MCP token optimization: Evaluate if all 738 MCP token references are necessary
3. Agent token expansion: Only 13 uses of GH_AW_AGENT_TOKEN - document when this should be preferred over GH_AW_GITHUB_TOKEN

---

📖 Reference Documentation

For detailed information about secret management in gh-aw:

• Secret Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Safe Outputs Configuration: pkg/workflow/frontmatter_safe_outputs.go

---

📅 Next Analysis

This report will automatically regenerate daily at 09:31 UTC. Historical reports are retained for 3 days for trend comparison.

Workflow Definition: .github/workflows/daily-secrets-analysis.md

AI generated by Daily Secrets Analysis Agent

• expires on Feb 5, 2026, 9:56 AM UTC

[github-actions[bot]]

This daily secrets analysis report has been superseded by today's report for February 3, 2026. Closing to maintain a clean discussion board with only the most recent daily insights.

Archived report date: February 2, 2026
Current report: Secret Usage Analysis - February 3, 2026 (see latest in Audits category)