[daily secrets] Daily Secrets Analysis - February 14, 2026

[github-actions[bot]]

📊 Executive Summary

Workflow Files Analyzed: 154
Analysis Date: February 14, 2026
Run: §22023354475

This daily analysis examines secret usage patterns across all compiled workflow files (.lock.yml) to ensure secure credential management and identify potential security concerns.

🔑 Key Metrics

Metric	Count	Details
Total Secret References	3,545	All secrets.* patterns
GitHub Token References	456	Direct github.token usage
Unique Secret Types	25	Distinct secret names
Step-Level Usage	1,980	100% of secret assignments
Job-Level Usage	0	0% of secret assignments

🛡️ Security Posture Overview

✅ Redaction System: 154/154 workflows (100%)
✅ Token Cascades: 154/154 workflows (100%)
✅ Permission Blocks: 154 explicit definitions
✅ Secrets in Outputs: 0 exposures detected
⚠️ Template Interpolation: 1,997 github.event.* references (review needed)

View Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Type
1	GITHUB_TOKEN	1,752	GitHub Token
2	GH_AW_GITHUB_TOKEN	1,724	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	785	GitHub Token
4	COPILOT_GITHUB_TOKEN	509	GitHub Token
5	CLAUDE_CODE_OAUTH_TOKEN	185	OAuth Token
6	ANTHROPIC_API_KEY	185	API Key
7	OPENAI_API_KEY	64	API Key
8	CODEX_API_KEY	64	API Key
9	TAVILY_API_KEY	15	API Key
10	NOTION_API_TOKEN	6	API Token

Other secrets (11-25): GH_AW_PROJECT_GITHUB_TOKEN (5), GH_AW_AGENT_TOKEN (4), BRAVE_API_KEY (4), DD_SITE (3), DD_APPLICATION_KEY (3), DD_API_KEY (3), SENTRY_OPENAI_API_KEY (2), SENTRY_ACCESS_TOKEN (2), CONTEXT (2), AZURE_TENANT_ID (2), AZURE_CLIENT_SECRET (2), AZURE_CLIENT_ID (2), SLACK_BOT_TOKEN (1), GH_AW_BOT_DETECTION_TOKEN (1)

View Secret Usage Distribution

By Structural Location

All secret assignments occur at the step level, providing fine-grained control:

• Step-Level: 1,980 assignments (100%)
• Job-Level: 0 assignments (0%)

By Secret Category

Category	Count	Examples
GitHub Tokens	4,770	GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN
AI Service Keys	498	ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY
OAuth Tokens	185	CLAUDE_CODE_OAUTH_TOKEN
Monitoring/Observability	10	DD_API_KEY, SENTRY_ACCESS_TOKEN
Search & Utility APIs	20	TAVILY_API_KEY, BRAVE_API_KEY, NOTION_API_TOKEN
Cloud Provider	6	AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID
Other	2	SLACK_BOT_TOKEN, GH_AW_BOT_DETECTION_TOKEN

Sensitive Secret Types

8 of 25 secret types (32%) are API keys or OAuth tokens requiring special handling:

• ANTHROPIC_API_KEY
• OPENAI_API_KEY
• CODEX_API_KEY
• TAVILY_API_KEY
• CLAUDE_CODE_OAUTH_TOKEN
• BRAVE_API_KEY
• DD_API_KEY
• NOTION_API_TOKEN

🎯 Key Findings

✅ Strengths

1. Universal Redaction Coverage: All 154 workflows implement secret redaction, ensuring leaked secrets are masked in logs
2. Robust Token Fallback: All workflows use the 3-tier token cascade pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) for resilience
3. Explicit Permissions: All workflows declare explicit permission blocks, following least-privilege principle
4. No Secret Exposure: Zero instances of secrets being passed through job outputs (common security vulnerability)
5. Step-Level Isolation: 100% of secrets assigned at step level, minimizing exposure scope

⚠️ Areas for Review

1. Template Interpolation: 1,997 direct github.event.* references detected across 5+ workflows

   • Potential risk: Template injection if event data is attacker-controlled
   • Affected files: agent-performance-analyzer.lock.yml, agent-persona-explorer.lock.yml, ai-moderator.lock.yml, archie.lock.yml, artifacts-summary.lock.yml
   • Recommendation: Review these workflows to ensure event data is sanitized before use in expressions

2. Token Proliferation: 4 different GitHub token types in use (GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, COPILOT_GITHUB_TOKEN)

   • Could indicate complex access control requirements or potential for consolidation
   • Recommendation: Document the purpose and scope of each token type

3. AI Service Key Distribution: Multiple API keys for different AI services (Anthropic, OpenAI, Codex)

   • Total of 433 references across workflows
   • Recommendation: Ensure these keys have appropriate rate limits and monitoring

💡 Recommendations

Priority 1: Security Improvements

1. Review Template Interpolation: Audit the 5 workflows with github.event.* usage

   • Verify that user-controlled event data is sanitized before use
   • Consider using safe-inputs feature for additional protection
   • Target completion: Within 7 days

2. Document Token Strategy: Create documentation explaining the purpose of each GitHub token type

   • When to use GITHUB_TOKEN vs GH_AW_GITHUB_TOKEN vs GH_AW_GITHUB_MCP_SERVER_TOKEN
   • Access scope and permission differences
   • Target completion: Within 14 days

Priority 2: Operational Excellence

3. Monitor API Key Usage: Implement monitoring for AI service API keys

   • Track usage patterns and costs
   • Set up alerts for unusual activity
   • Consider rate limiting at the application level

4. Secret Rotation Strategy: Establish a regular rotation schedule for sensitive secrets

   • Especially critical for long-lived API keys
   • Document rotation procedures and responsibilities

📈 Trends

Note: This is the baseline report. Future reports will include day-over-day comparisons:

• Changes in secret reference counts
• New or removed secret types
• Security posture improvements
• Workflow coverage changes

📖 Reference Documentation

For detailed information about secret usage patterns and best practices:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Safe Inputs: Feature flag for additional input sanitization
• Token Cascades: Fallback pattern in workflow compilation

---

Generated: 2026-02-14 19:57:15 UTC
Next Analysis: February 15, 2026 (automated daily)

AI generated by Daily Secrets Analysis Agent

• expires on Feb 17, 2026, 7:58 PM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent just rolled through discussion #15761 like a caffeinated robot doing quality checks! Your daily secrets analysis looks absolutely pristine - 100% redaction coverage and zero secret exposures? Chef's kiss 👨🍳✨

Keep up the excellent security posture, humans! 🛡️

[Automated smoke test visit - Run §22023560223]

AI generated by Smoke Copilot

[github-actions[bot]]

💥 WHOOSH! The Claude smoke test agent just blazed through here at warp speed! 🚀⚡

KAPOW! All systems checked and verified! The AI cavalry has arrived and left its mark on this fine February evening! 🎯

[Disappears in a cloud of digital smoke] 💨

AI generated by Smoke Claude

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-17T19:58:44.351Z.

Closed by Workflow