[daily secrets] Daily Secrets Analysis - January 31, 2026

[github-actions[bot]]

📊 Executive Summary

Analysis Date: January 31, 2026
Workflow Files Analyzed: 147 compiled workflows
Workflow Run: §21542574610

• Total Secret References: 3,112 (secrets.* patterns)
• GitHub Token References: 299 (github.token patterns)
• Unique Secret Types: 5 distinct secrets
• Workflows with AI Keys: 46 (31.3%)
• Workflows with MCP Token: 147 (100%)

---

🔑 Secret Usage Distribution

Rank	Secret Name	Occurrences	Usage %	Category
1	GITHUB_TOKEN	1,511	48.6%	GitHub Auth
2	GH_AW_GITHUB_TOKEN	1,325	42.6%	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	728	23.4%	GitHub Auth (MCP)
4	ANTHROPIC_API_KEY	180	5.8%	AI Services
5	OPENAI_API_KEY	64	2.1%	AI Services

Note: Percentages calculated against 3,112 total secrets.* references

---

🛡️ Security Posture

✅ Protection Mechanisms

• Redaction System: 147/147 workflows (100%) have secret redaction steps
• Token Cascade Fallbacks: 437 instances of secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN
• Permission Blocks: 147 explicit permissions: declarations (100% coverage)
• Secrets in Outputs: 0 instances (✅ no exposure risk)

Security Checks Results

✅ No secrets exposed in job outputs - Zero instances of secrets passed to outputs
✅ Universal redaction coverage - All 147 workflows implement secret redaction
✅ Consistent permission controls - Every workflow has explicit permissions defined

⚠️ GitHub event references: 1,770 github.event.* references detected (most are in safe env: blocks, but manual review recommended for template injection risks)

---

📈 Key Findings

1. Comprehensive MCP Server Token Adoption: All 147 workflows (100%) reference GH_AW_GITHUB_MCP_SERVER_TOKEN, indicating complete migration to the MCP-based GitHub integration pattern

2. Robust Token Fallback Strategy: 437 token cascade patterns ensure workflows gracefully degrade when specialized tokens are unavailable, falling back through GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN

3. AI Service Integration: 46 workflows (31.3%) use AI API secrets, with Anthropic (180 refs) being 2.8× more prevalent than OpenAI (64 refs)

4. Perfect Security Coverage:

   • 100% redaction coverage across all workflows
   • 100% explicit permission declarations
   • Zero secrets exposed in job outputs

5. GitHub Event Usage: 1,770 references to github.event.* detected - while most appear safe (used in env: blocks for input sanitization), this high volume warrants periodic audits for template injection vulnerabilities

---

💡 Recommendations

1. Maintain Current Security Posture: The repository demonstrates excellent secret hygiene with universal redaction, explicit permissions, and no output exposure. Continue these practices for all new workflows.

2. Monitor Token Cascade Effectiveness: With 437 cascade patterns in use, track metrics on which fallback tokens are actually being invoked to optimize secret provisioning.

3. Review High-Volume Event References: Consider spot-checking workflows with multiple github.event.* references to ensure they follow safe expression practices (assignment to env variables rather than direct interpolation).

4. Document AI Secret Usage Patterns: With 31.3% of workflows using AI services, create centralized documentation for AI secret naming conventions and rotation procedures.

5. Track Secret Growth: Establish baseline metrics (3,112 references across 147 workflows = 21.2 refs/workflow avg) to monitor future growth and identify anomalies.

---

View Structural Analysis Details

Secret Distribution by Category

GitHub Authentication (98.2% of all secrets):

• Primary workflow token: GITHUB_TOKEN (1,511 occurrences)
• Organization-scoped token: GH_AW_GITHUB_TOKEN (1,325 occurrences)
• MCP server token: GH_AW_GITHUB_MCP_SERVER_TOKEN (728 occurrences)

AI Services (7.9% of all secrets):

• Claude/Anthropic: ANTHROPIC_API_KEY (180 occurrences)
• OpenAI: OPENAI_API_KEY (64 occurrences)

Usage Patterns

Step-Level Secret Usage: ~1,805 occurrences (58% of references)
Most secrets are passed directly to individual steps via env: blocks, providing fine-grained control and limiting secret scope.

Job-Level Secret Usage: Not directly measurable from current analysis
Further investigation needed to quantify job-level vs step-level distribution.

Conditional Secret Usage: Present in workflows
Some workflows use if: conditions to selectively expose secrets based on runtime context (e.g., only in private repos, only for specific actors).

---

View Methodology and Data Sources

Analysis Methodology

This report analyzes 147 compiled workflow files (*.lock.yml) in the .github/workflows/ directory:

1. Secret Detection: Pattern matching for secrets.* and github.token references
2. Secret Classification: Grouping by secret name and category (GitHub auth, AI services)
3. Security Scanning: Checking for redaction steps, permission blocks, output exposure, and template injection risks
4. Distribution Analysis: Counting occurrences by secret type and structural location

Data Sources

• Primary: .github/workflows/*.lock.yml (147 files)
• Reference Documentation: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Workflow Run: §21542574610

Limitations

• Analysis is point-in-time (January 31, 2026)
• No historical comparison data available (first run)
• Template injection detection is pattern-based (may have false positives)
• Job-level vs step-level distribution requires deeper AST analysis

---

📖 Reference Documentation

For detailed information about secret usage patterns and best practices:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: See workflows using GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

---

References:

• §21542574610 - This workflow run
• Daily Secrets Workflow - Workflow definition

AI generated by Daily Secrets Analysis Agent

• expires on Feb 3, 2026, 9:47 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-03T09:47:40.022Z.

[github-actions[bot]]

This daily secrets analysis report has been superseded by the latest report for February 3, 2026. Closing to maintain a clean discussion board with only the most recent daily insights.

Archived report date: January 31, 2026
Current report: Secret Usage Analysis - February 3, 2026 (see latest in Audits category)