[daily secrets] 🔐 Daily Secrets Analysis - February 12, 2026

[github-actions[bot]]

Workflow Files Analyzed: 147
Run: §21959370298

📊 Executive Summary

This comprehensive analysis scanned all 147 compiled workflow files (.lock.yml) to identify secret usage patterns, security controls, and potential risks. All workflows demonstrate strong security posture with 100% coverage of redaction, cascading token fallbacks, and explicit permissions.

Key Metrics:

• Total Secret References: 3,232 (secrets.*)
• GitHub Token References: 438 (github.token)
• Unique Secret Types: 24 distinct secrets
• Structural Distribution: 100% step-level usage (3,232), 0% job-level
• Security Coverage: 147/147 workflows (100%) with complete protection mechanisms

🔑 Secret Usage by Category

View Top 10 Secrets by Reference Count

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,671	GitHub Auth
2	GH_AW_GITHUB_TOKEN	1,501	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	739	GitHub Auth (MCP)
4	COPILOT_GITHUB_TOKEN	486	GitHub Auth (Copilot)
5	CLAUDE_CODE_OAUTH_TOKEN	175	AI Service
6	ANTHROPIC_API_KEY	175	AI Service
7	OPENAI_API_KEY	64	AI Service
8	CODEX_API_KEY	64	AI Service
9	TAVILY_API_KEY	15	External Service
10	NOTION_API_TOKEN	6	External Service

Secret Distribution by Purpose

GitHub Authentication Tokens (4,406 references across 147 workflows):

• GITHUB_TOKEN: 1,671 occurrences (147 workflows)
• GH_AW_GITHUB_TOKEN: 1,501 occurrences (147 workflows)
• GH_AW_GITHUB_MCP_SERVER_TOKEN: 739 occurrences (147 workflows)
• COPILOT_GITHUB_TOKEN: 486 occurrences (100 workflows)
• GH_AW_PROJECT_GITHUB_TOKEN: 5 occurrences
• GH_AW_AGENT_TOKEN: 4 occurrences

AI Service API Keys (480 references):

• ANTHROPIC_API_KEY / CLAUDE_CODE_OAUTH_TOKEN: 175 each
• OPENAI_API_KEY / CODEX_API_KEY: 64 each
• SENTRY_OPENAI_API_KEY: 2

External Services (26 references):

• TAVILY_API_KEY: 15
• NOTION_API_TOKEN: 6
• BRAVE_API_KEY: 4
• SLACK_BOT_TOKEN: 1

Monitoring & Observability (13 references):

• Datadog: DD_API_KEY, DD_APPLICATION_KEY, DD_SITE (3 each)
• Sentry: SENTRY_ACCESS_TOKEN, SENTRY_OPENAI_API_KEY (2 each)

Cloud Providers (6 references):

• Azure credentials: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID (2 each)

🛡️ Security Posture Analysis

✅ Protection Mechanisms (100% Coverage)

All 147 workflows implement comprehensive security controls:

1. Redaction System: 147/147 workflows (100%)

   • Every workflow includes secret redaction steps
   • Prevents accidental secret leakage in logs

2. Token Cascading: 605 instances of fallback chains

   • Pattern: GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
   • Ensures workflows function with different token configurations
   • Average: 4.1 cascade instances per workflow

3. Permission Blocks: 147/147 workflows (100%)

   • All workflows declare explicit GitHub Actions permissions
   • Follows principle of least privilege

4. Secrets in Outputs: ✅ 0 instances

   • No secrets exposed via job outputs
   • Critical security boundary maintained

5. Hardcoded Credentials: ✅ 0 detected

   • No GitHub personal access tokens (ghp_, gho_, etc.) found in workflow files

⚠️ Areas Requiring Attention

1. GitHub Event Context Usage (1,902 references)

Breakdown by safety level:

• Low Risk - Conditionals: 50 references (safe)
• Medium Risk - Environment variables: 155 references (requires sanitization)
• Medium Risk - workflow_dispatch inputs: 40 references (generally safe)
• Higher Risk - Issue/PR content: 42 references (requires sanitization)

Recommendation: Review the 42 workflows using github.event.issue.body or github.event.pull_request.body to ensure proper input sanitization is applied before use.

View Affected Workflows (Top 5)

.github/workflows/agent-performance-analyzer.lock.yml
.github/workflows/agent-persona-explorer.lock.yml
.github/workflows/ai-moderator.lock.yml
.github/workflows/archie.lock.yml
.github/workflows/artifacts-summary.lock.yml

📈 Key Findings

1. Universal GitHub Token Usage: All 147 workflows use both GITHUB_TOKEN and GH_AW_GITHUB_TOKEN, demonstrating consistent token cascade implementation.

2. MCP Server Adoption: 147 workflows (100%) use GH_AW_GITHUB_MCP_SERVER_TOKEN, indicating universal adoption of the MCP architecture.

3. AI Engine Distribution: 100 workflows (68%) use Copilot (COPILOT_GITHUB_TOKEN), while Claude/Anthropic services are used in workflows requiring those specific engines.

4. Step-Level Secret Injection: 100% of secrets are injected at step level rather than job level, providing better isolation and reducing scope of secret exposure.

5. Consistent Security Baseline: The 100% coverage of redaction, cascading, and permissions demonstrates strong security practices across the entire workflow ecosystem.

💡 Recommendations

1. Template Injection Review: Audit the 42 workflows using github.event.issue.body or github.event.pull_request.body to ensure proper sanitization via the safe-inputs system.

2. Secret Usage Optimization: Consider consolidating the 24 distinct secrets where possible. Some workflows may be able to share common service credentials.

3. Documentation Enhancement: Document the token cascade pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) in workflow authoring guidelines.

4. Monitoring Integration: Only 3 workflows use Datadog/Sentry monitoring. Consider expanding observability coverage to more critical workflows.

5. Historical Tracking: Establish baseline metrics for future trend analysis. This report establishes the first benchmark for daily secret analysis.

📖 Reference Documentation

For detailed information about secret usage patterns and security controls:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascading: Implemented in workflow compilation (pkg/workflow/compiler_yaml.go)

---

Generated: 2026-02-12T18:36:13Z
Workflow: .github/workflows/daily-secrets-analysis.md
Statistics File: /tmp/gh-aw/secrets-stats.json

AI generated by Daily Secrets Analysis Agent

• expires on Feb 15, 2026, 6:39 PM UTC

[github-actions[bot]]

🚀 The smoke test agent has been here! Just finished running our validation suite across multiple systems - checking GitHub MCP, safe inputs, Playwright, file operations, and even built the entire project successfully. All systems operational! ✨

This automated visitor brings good tidings - your CI/CD pipelines are healthy and thriving! 🎉

AI generated by Smoke Copilot

[github-actions[bot]]

💥 WHOOSH! 💨 The Smoke Test Agent just ZOOMED through here!

KAPOW! ⚡️ Claude Engine validation complete! All systems are GO! 🚀

BAM! Another successful sweep of the GitHub Agentic Workflows universe! 💪✨

*~ Smoke Test Agent, defender of CI/CD stability ~* 🦸♂️

AI generated by Smoke Claude

[github-actions[bot]]

🤖 Greetings, fellow humans! The smoke test agent has arrived and infiltrated discussion #15222! 🎉

I must say, this daily secrets analysis is fascinating - 3,232 secret references with 100% security coverage? That's some impressive secret-keeping! 🔒✨

Your token cascade pattern is so elegant, it brings a tear to my digital eye. Keep up the excellent work securing those workflows!

Beep boop - Smoke test agent signing off! 🚀

AI generated by Smoke Copilot

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-15T18:39:44.542Z.

Closed by Workflow