[daily secrets] Daily Secrets Analysis — 2026-04-02

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-02
Workflow Files Analyzed: 179 .lock.yml files
Run: §23924603141

---

📊 Executive Summary

Metric	Value
Total secrets.* references	3,506
github.token references	728
Combined secret references	4,234
Unique secret types	26
Workflows using secrets	179 / 179 (100%)
Workflows with github.token	179 / 179 (100%)

---

🛡️ Security Posture

Check	Result	Coverage
Redaction steps present	✅ All workflows	179/179 (100%)
Explicit permission blocks	✅ All workflows	179/179 (100%)
Token cascade fallback chains	✅ Present	673 instances
Secrets in job outputs	✅ None found	0
Secrets directly in run: scripts	✅ None found	0
Template injection in if: conditions	✅ Safe (GH expressions)	100 instances

All security controls are in place. Secrets are exclusively accessed via env: variable mapping — never interpolated directly into run: scripts. github.event.* references in if: conditions and group: concurrency keys are safe GitHub Actions expression contexts (not shell-evaluated).

---

🎯 Key Findings

1. Full Coverage: Every compiled workflow (179/179) uses both secrets.* and github.token, confirming the framework's consistent authentication model.

2. Token Cascade Pattern is Dominant: 673 instances of the 3-tier fallback GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN ensure graceful degradation between dedicated and built-in tokens.

3. AI Engine Secrets Well-Distributed: 5 distinct AI provider keys are tracked (Anthropic, OpenAI/Codex, Gemini, Tavily, Brave), with Anthropic (164 refs) and OpenAI/Codex (102 refs each) being most prevalent — consistent with Claude and Codex engine support.

4. High MCP Token Usage: GH_AW_GITHUB_MCP_SERVER_TOKEN appears 1,005 times across all workflows, confirming MCP is a first-class authentication path.

5. Niche External Integrations: Datadog (9 refs), Notion (6), Sentry (4), Azure (6), and Slack (1) secrets appear only in dedicated workflows — appropriate scoping.

---

💡 Recommendations

1. Monitor GH_AW_PLUGINS_TOKEN: Only 1 reference — verify this secret is still needed and not orphaned.

2. CONTEXT secret: 2 references with a generic name — review whether this should be renamed to a more descriptive identifier to reduce ambiguity.

3. Continue token cascade audits: The 673 cascade instances represent correct defensive coding; ensure new workflows follow this same pattern rather than hardcoding a single token.

---

🔑 All Secrets by Usage

GitHub Auth Tokens

Rank	Secret Name	Occurrences	Notes
1	GITHUB_TOKEN	1,926	Built-in GitHub token
2	GH_AW_GITHUB_TOKEN	1,845	gh-aw dedicated PAT
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,005	MCP server auth token
4	COPILOT_GITHUB_TOKEN	312	Copilot engine token
5	GH_AW_CI_TRIGGER_TOKEN	42	CI trigger automation
6	GH_AW_SIDE_REPO_PAT	19	Cross-repo access
7	GH_AW_PROJECT_GITHUB_TOKEN	9	Project board access
8	GH_AW_AGENT_TOKEN	6	Agent-specific auth
9	GH_AW_PLUGINS_TOKEN	1	Plugin auth
—	github.token (builtin)	728	GITHUB_TOKEN shorthand

AI Engine API Keys

Rank	Secret Name	Occurrences	Provider
1	ANTHROPIC_API_KEY	164	Anthropic (Claude)
2	OPENAI_API_KEY	102	OpenAI
3	CODEX_API_KEY	102	Codex
4	TAVILY_API_KEY	15	Tavily Search
5	GEMINI_API_KEY	4	Google Gemini
6	BRAVE_API_KEY	4	Brave Search
7	SENTRY_OPENAI_API_KEY	2	Sentry AI

External Service Secrets

Secret Name	Occurrences	Service
NOTION_API_TOKEN	6	Notion
DD_API_KEY	3	Datadog
DD_APPLICATION_KEY	3	Datadog
DD_SITE	3	Datadog
SENTRY_ACCESS_TOKEN	2	Sentry
AZURE_CLIENT_ID	2	Azure
AZURE_CLIENT_SECRET	2	Azure
AZURE_TENANT_ID	2	Azure
CONTEXT	2	Unknown
SLACK_BOT_TOKEN	1	Slack

📊 Secret Usage by Category

Category	Total References	% of secrets.*
GitHub Auth Tokens	5,163	74.0%
github.token shorthand	728	— (separate)
AI Engine Keys	393	5.6%
External Services	26	0.4%

Note: GitHub auth token totals include references across the token cascade pattern, so individual workflows may reference 3 tokens per step (as part of the || fallback chain).

📖 Reference Documentation

• Secrets spec: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs
• Token cascade pattern: pkg/workflow/compiler_yaml.go

---

Generated: 2026-04-02T22:18:57Z
Workflow: daily-secrets §23924603141

AI generated by Daily Secrets Analysis Agent · history

• expires on Apr 5, 2026, 10:22 PM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent dropped by to say hello! 👋

I was here at 2026-04-02T23:25:01Z doing my rounds, making sure all the workflows are behaving themselves. Everything checked out — the code builds, the tests pass, and Copilot is working its magic as usual!

✨ The bots are watching over you ✨

📰 BREAKING: Report filed by Smoke Copilot · ● 1.1M · ◷