[daily secrets] Secret Usage Analysis - February 3, 2026

[github-actions[bot]]

📊 Executive Summary

Analyzed 149 compiled workflow files for secret usage patterns and security posture.

Key Metrics:

• Total Secret References: 3,151 (secrets.*)
• GitHub Token References: 303 (github.token)
• Unique Secret Types: 23 distinct secrets
• Job-Level Usage: 0 references (0%)
• Step-Level Usage: 1,753 references (55.6%)

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,541	GitHub Token
2	GH_AW_GITHUB_TOKEN	1,369	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	753	GitHub Token
4	COPILOT_GITHUB_TOKEN	488	GitHub Token
5	CLAUDE_CODE_OAUTH_TOKEN	175	AI Provider
6	ANTHROPIC_API_KEY	175	AI Provider
7	OPENAI_API_KEY	71	AI Provider
8	CODEX_API_KEY	71	AI Provider
9	TAVILY_API_KEY	19	Search API
10	GH_AW_AGENT_TOKEN	12	GitHub Token

View All 23 Secrets

Complete Secret Inventory:

1. ANTHROPIC_API_KEY (175)
2. AZURE_CLIENT_ID
3. AZURE_CLIENT_SECRET
4. AZURE_TENANT_ID (3)
5. BRAVE_API_KEY (6)
6. CLAUDE_CODE_OAUTH_TOKEN (175)
7. CODEX_API_KEY (71)
8. CONTEXT7_API_KEY (3)
9. COPILOT_GITHUB_TOKEN (488)
10. DD_API_KEY (3)
11. DD_APPLICATION_KEY (3)
12. DD_SITE (3)
13. GH_AW_AGENT_TOKEN (12)
14. GH_AW_GITHUB_MCP_SERVER_TOKEN (753)
15. GH_AW_GITHUB_TOKEN (1,369)
16. GH_AW_PROJECT_GITHUB_TOKEN (10)
17. GITHUB_TOKEN (1,541)
18. NOTION_API_TOKEN (8)
19. OPENAI_API_KEY (71)
20. SENTRY_ACCESS_TOKEN (3)
21. SENTRY_OPENAI_API_KEY (3)
22. SLACK_BOT_TOKEN
23. TAVILY_API_KEY (19)

🛡️ Security Posture

Protection Mechanisms

✅ Redaction System: 149/149 workflows (100%) have redact_secrets step
✅ Token Cascades: 458 instances of secure fallback chains
✅ Permission Blocks: 149 workflows with explicit permission definitions

Security Analysis

Template Injection Risk Analysis

Finding: Detected 1,780 references to github.event.* context

Assessment: ⚠️ Medium Risk - Requires further investigation

While github.event.* is commonly used in workflows, direct expression interpolation can lead to template injection vulnerabilities if user-controlled data is not properly sanitized.

Recommendation: Audit workflows using github.event.* to ensure:

• User input is passed through environment variables (not direct expression interpolation)
• Input validation is in place for user-controlled fields
• Safe-inputs feature is enabled where applicable

Secrets in Job Outputs

✅ No issues found - Zero secrets referenced in job outputs

All workflows properly isolate secrets within step-level environment variables, preventing accidental exposure through job outputs.

📈 Usage Patterns

Secret Distribution by Category

GitHub Tokens (4,163 references - 93.9% of step-level usage):

• GITHUB_TOKEN: 1,541 (49.6% of all secrets)
• GH_AW_GITHUB_TOKEN: 1,369 (43.4%)
• GH_AW_GITHUB_MCP_SERVER_TOKEN: 753 (23.9%)
• COPILOT_GITHUB_TOKEN: 488 (15.5%)
• GH_AW_AGENT_TOKEN: 12 (0.4%)

AI Provider Keys (492 references - 15.6%):

• CLAUDE_CODE_OAUTH_TOKEN: 175
• ANTHROPIC_API_KEY: 175
• OPENAI_API_KEY: 71
• CODEX_API_KEY: 71

Third-Party APIs (39 references - 1.2%):

• TAVILY_API_KEY: 19 (search)
• NOTION_API_TOKEN: 8 (workspace)
• BRAVE_API_KEY: 6 (search)
• Monitoring/observability: 6 (Datadog, Sentry)

Structural Placement

Step-Level Dominance: 100% of tracked secret usage occurs at the step level

• Step-level: 1,753 references (55.6% of all secrets)
• Job-level: 0 references (0%)
• Other: 1,398 references (44.4%) - includes direct interpolation, conditionals, and inline usage

This pattern indicates excellent isolation practices - secrets are scoped to individual steps rather than exposed to entire jobs.

🎯 Key Findings

1. Comprehensive Redaction: All 149 workflows implement the redact_secrets step, ensuring no accidental secret leakage in logs.

2. Token Cascade Pattern: 458 instances of the secure fallback pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) provide robust token availability without hardcoding.

3. GitHub Token Dominance: GitHub-related tokens account for 93.9% of secret usage, reflecting the repository's focus on GitHub automation and MCP server integration.

4. AI Engine Integration: 492 references to AI provider keys (Anthropic, OpenAI, Codex) indicate extensive AI-powered workflow capabilities.

5. Step-Level Isolation: 100% adherence to step-level secret scoping prevents accidental exposure across job boundaries.

💡 Recommendations

High Priority

1. Audit github.event.* Usage:

   • Review 1,780 instances for potential template injection risks
   • Ensure user-controlled input passes through environment variables
   • Enable safe-inputs feature for workflows accepting external data

2. Token Cascade Standardization:

   • Document the token cascade pattern in repository guidelines
   • Ensure all new workflows follow the same fallback pattern
   • Consider extracting to a reusable composite action

Medium Priority

3. Secret Name Consistency:

   • Standardize naming conventions across GitHub tokens
   • Consider consolidating similar tokens (e.g., multiple GitHub token types)

4. Third-Party API Monitoring:

   • Track usage of third-party API keys over time
   • Implement rate limiting and quota monitoring
   • Document API key rotation procedures

Low Priority

5. Permission Block Documentation:
   • All workflows have permission blocks (excellent!)
   • Document best practices for permission scoping
   • Create templates for common permission patterns

📖 Reference Documentation

For detailed information about secret usage patterns and security best practices:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascades: actions/setup/js/setup_env.cjs

🔗 Workflow Context

• Generated: February 3, 2026 at 18:35 UTC
• Workflow Run: §21642787280
• Workflow Definition: .github/workflows/daily-secrets.md
• Total Workflows Analyzed: 149 compiled workflows

AI generated by Daily Secrets Analysis Agent

• expires on Feb 6, 2026, 6:39 PM UTC