[daily secrets] 🔐 Daily Secrets Analysis Report - February 15, 2026

[github-actions[bot]]

📊 Executive Summary

Analyzed 154 compiled workflow files (.lock.yml) for secret usage patterns and security controls. The repository maintains strong security practices with comprehensive redaction, token cascades, and explicit permissions across all workflows.

Key Metrics:

• Total Secret References: 3,401 (secrets.* expressions)
• GitHub Token References: 456 (github.token expressions)
• Unique Secret Types: 25 distinct secrets
• Step-Level Usage: 2,058 (100%) - All secrets properly scoped to steps
• Job-Level Usage: 0 (0%) - No global job-level secrets

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Type
1	GITHUB_TOKEN	1,610	GitHub PAT
2	GH_AW_GITHUB_TOKEN	1,583	GitHub PAT (elevated)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	784	GitHub MCP Server
4	COPILOT_GITHUB_TOKEN	509	Copilot Auth
5	CLAUDE_CODE_OAUTH_TOKEN	185	Claude OAuth
6	ANTHROPIC_API_KEY	185	Claude API
7	OPENAI_API_KEY	64	OpenAI API
8	CODEX_API_KEY	64	Codex API
9	TAVILY_API_KEY	15	Tavily Search
10	NOTION_API_TOKEN	6	Notion Integration

🛡️ Security Posture

Protection Mechanisms

✅ Universal Redaction: 154/154 workflows (100%) have secret redaction steps
✅ Token Cascades: 480 instances of fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN)
✅ Permission Blocks: 154 explicit permission definitions (100% coverage)
✅ Step-Level Scoping: 100% of secrets scoped to steps (zero job-level leakage)

Security Checks

✅ No Secrets in Outputs: Zero instances of secrets in job outputs (potential exposure vector eliminated)

⚠️ Template Interpolation: 1,972 instances of github.event.* patterns detected across workflows

• This is expected for workflows that process GitHub events (issues, PRs, discussions)
• All instances appear to use safe variable assignment patterns via env: blocks
• Sample files: agent-performance-analyzer.lock.yml, ai-moderator.lock.yml, archie.lock.yml
• Status: Low risk - using GitHub Actions' built-in sanitization

View Complete Secret Inventory (25 types)

GitHub Authentication (4 types)

• GITHUB_TOKEN - 1,610 occurrences - Default Actions token
• GH_AW_GITHUB_TOKEN - 1,583 occurrences - Elevated permissions PAT
• GH_AW_GITHUB_MCP_SERVER_TOKEN - 784 occurrences - MCP server authentication
• GH_AW_PROJECT_GITHUB_TOKEN - 5 occurrences - Project-specific token

AI Engine Authentication (8 types)

• COPILOT_GITHUB_TOKEN - 509 occurrences - Copilot API access
• CLAUDE_CODE_OAUTH_TOKEN - 185 occurrences - Claude OAuth credentials
• ANTHROPIC_API_KEY - 185 occurrences - Anthropic API key
• OPENAI_API_KEY - 64 occurrences - OpenAI API access
• CODEX_API_KEY - 64 occurrences - Codex API access
• SENTRY_OPENAI_API_KEY - 2 occurrences - Sentry OpenAI integration
• GH_AW_BOT_DETECTION_TOKEN - 1 occurrence - Bot detection
• GH_AW_AGENT_TOKEN - 4 occurrences - Agent authentication

Third-Party Services (10 types)

• TAVILY_API_KEY - 15 occurrences - Tavily search API
• NOTION_API_TOKEN - 6 occurrences - Notion integration
• BRAVE_API_KEY - 4 occurrences - Brave search API
• DD_API_KEY - 3 occurrences - Datadog API
• DD_APPLICATION_KEY - 3 occurrences - Datadog application
• DD_SITE - 3 occurrences - Datadog site config
• SENTRY_ACCESS_TOKEN - 2 occurrences - Sentry integration
• AZURE_CLIENT_ID - 2 occurrences - Azure auth
• AZURE_CLIENT_SECRET - 2 occurrences - Azure credentials
• AZURE_TENANT_ID - 2 occurrences - Azure tenant
• SLACK_BOT_TOKEN - 1 occurrence - Slack integration
• CONTEXT - 2 occurrences - Context variable

View Workflow Distribution by Engine

Secret Usage by AI Engine

All Workflows (154): Use GitHub authentication tokens

• GITHUB_TOKEN: 154 workflows (100%)
• GH_AW_GITHUB_TOKEN: 154 workflows (100%)
• GH_AW_GITHUB_MCP_SERVER_TOKEN: 154 workflows (100%)

Copilot Engine (105 workflows, 68%):

• COPILOT_GITHUB_TOKEN: 105 workflows

Claude Engine (37 workflows, 24%):

• ANTHROPIC_API_KEY: 37 workflows
• CLAUDE_CODE_OAUTH_TOKEN: 37 workflows

OpenAI/Codex Engine (10 workflows, 6%):

• OPENAI_API_KEY: 10 workflows
• CODEX_API_KEY: 10 workflows

Token Cascade Pattern

All workflows implement the recommended token fallback chain:

GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

This provides:

1. Primary: MCP server token (most privileged)
2. Fallback: Elevated PAT (high privileges)
3. Default: Actions token (standard privileges)

Total cascade instances: 480 across all workflows

🎯 Key Findings

1. ✅ Exemplary Security Coverage: 100% of workflows have redaction, explicit permissions, and step-level secret scoping
2. ✅ Token Cascade Implementation: All workflows properly implement fallback chains for resilient authentication
3. ✅ Least-Privilege Principle: Secrets are scoped at step level (not job level), minimizing exposure
4. ✅ Zero Output Exposure: No secrets found in job outputs, preventing cross-job leakage
5. ℹ️ Multi-Engine Support: Repository supports 3 AI engines (Copilot 68%, Claude 24%, OpenAI/Codex 6%)

💡 Recommendations

1. ✅ Maintain Current Practices: The security posture is excellent - continue enforcing:

   • Universal redaction in all workflows
   • Token cascade patterns for resilience
   • Step-level secret scoping
   • Explicit permission blocks

2. 📊 Monitor Template Interpolation: While current usage appears safe, continue monitoring github.event.* patterns for:

   • Direct expression interpolation without env: blocks
   • Potential injection vectors in untrusted contexts
   • Recommended: Periodic audit of the 1,972 detected instances

3. 🔄 Consider Secret Rotation Policy: With 25 distinct secret types in use, document:

   • Rotation schedule for each secret type
   • Owner/team responsible for each secret
   • Expiration policies for API keys

4. 📈 Trend Analysis: Establish baseline for future reports to track:

   • Changes in secret count over time
   • New secret types introduced
   • Workflows added/removed

📖 Reference Documentation

For detailed information about secret usage patterns:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: Used in all workflow activation steps

---

Generated: 2026-02-15 19:57 UTC
Workflow Run: §22042061852
Analyzed Files: 154 .lock.yml workflows

AI generated by Daily Secrets Analysis Agent

• expires on Feb 18, 2026, 7:59 PM UTC