[daily secrets] Daily Secrets Analysis — 2026-04-16 #26753
Closed
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #26950.
🔐 Daily Secrets Analysis Report
Date: 2026-04-16
Workflow Files Analyzed: 192
Run: §24537045533
📊 Executive Summary

- `secrets.*` References
- `github.token` References

🛡️ Security Posture

- ✅ Redaction System: All 192 workflows include `redact_secrets` steps
- ✅ Permission Blocks: All 192 workflows declare explicit `permissions:`
- ✅ Token Cascades: 723 instances of safe fallback chains (`GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`)
- ✅ No Secrets in Outputs: Zero secret values exposed via job output bindings
- ✅ Event Interpolation: All `github.event.*` references are used safely (IDs into env vars and `if:` conditions — not free-form text expansion)

🎯 Key Findings

1. GitHub Token Dominates — The top 3 secrets (`GITHUB_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`) account for 6,080 of the 4,285+ references (>47%), consistent with the multi-tier token cascade architecture.
2. External AI Provider Keys — 71 workflows reference at least one external API key (Anthropic, OpenAI, Codex, Gemini, etc.), reflecting the multi-engine design of gh-aw. Each of these flows through a per-workflow `env:` block within agent job steps.
3. Observability Secrets — `GH_AW_OTEL_ENDPOINT` (159 refs) and `GH_AW_OTEL_HEADERS` (53 refs) indicate consistent OpenTelemetry instrumentation across most workflow compilations.
4. Low-Use Secrets — Several secrets appear very rarely (1–4 references): `SLACK_BOT_TOKEN`, `GH_AW_PLUGINS_TOKEN`, `CONTEXT`, and the Azure/Sentry/Datadog clusters. These are likely workflow-specific integrations.

💡 Recommendations

1. Audit low-use secrets — Secrets appearing only 1–4 times (e.g., `SLACK_BOT_TOKEN`, `GH_AW_PLUGINS_TOKEN`, `CONTEXT`) should be reviewed to confirm they are actively used and not orphaned references.
2. Azure credential rotation — The Azure service principal secrets (`AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`) appear in only 2 workflows. Ensure rotation policies are in place for these high-privilege credentials.
3. Sentry key consolidation — Three separate Sentry secrets (`SENTRY_ACCESS_TOKEN`, `SENTRY_API_KEY`, `SENTRY_OPENAI_API_KEY`) each appear exactly twice. Consider whether these could be unified into a single secret.

🔑 Top 10 Secrets by Usage

1. `GITHUB_TOKEN`
2. `GH_AW_GITHUB_TOKEN`
3. `GH_AW_GITHUB_MCP_SERVER_TOKEN`
4. `COPILOT_GITHUB_TOKEN`
5. `ANTHROPIC_API_KEY`
6. `GH_AW_OTEL_ENDPOINT`
7. `OPENAI_API_KEY`
8. `CODEX_API_KEY`
9. `GH_AW_OTEL_HEADERS`
10. `GH_AW_CI_TRIGGER_TOKEN`

Note: Token counts reflect expressions compiled into 192 workflow YAML files; each workflow typically references the cascade chain multiple times across jobs and steps.

📋 All 29 Unique Secrets

- `GITHUB_TOKEN`
- `GH_AW_GITHUB_TOKEN`
- `GH_AW_GITHUB_MCP_SERVER_TOKEN`
- `COPILOT_GITHUB_TOKEN`
- `ANTHROPIC_API_KEY`
- `GH_AW_OTEL_ENDPOINT`
- `OPENAI_API_KEY`
- `CODEX_API_KEY`
- `GH_AW_OTEL_HEADERS`
- `GH_AW_CI_TRIGGER_TOKEN`
- `GH_AW_SIDE_REPO_PAT`
- `GH_AW_AGENT_TOKEN`
- `TAVILY_API_KEY`
- `GH_AW_PROJECT_GITHUB_TOKEN`
- `NOTION_API_TOKEN`
- `GEMINI_API_KEY`
- `BRAVE_API_KEY`
- `DD_SITE`
- `DD_APPLICATION_KEY`
- `DD_API_KEY`
- `SENTRY_OPENAI_API_KEY`
- `SENTRY_API_KEY`
- `SENTRY_ACCESS_TOKEN`
- `CONTEXT`
- `AZURE_TENANT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_CLIENT_ID`
- `SLACK_BOT_TOKEN`
- `GH_AW_PLUGINS_TOKEN`

📖 Reference Documentation

For detailed information about secret usage patterns, see:

- `scratchpad/secrets-yml.md`
- `actions/setup/js/redact_secrets.cjs`

Generated: 2026-04-16T22:23:07Z
Workflow Run: §24537045533