Agentic Workflow Lock File Statistics - 2026-03-04

[github-actions[bot]]

Executive Summary

This report analyzes all 164 .lock.yml files in .github/workflows/, covering 10.67 MB of workflow configuration data. The corpus represents a mature agentic workflow ecosystem with stable patterns: schedule + workflow_dispatch is the dominant trigger combination (67.7%), virtually all workflows use the four core safe-output types, and file sizes are tightly clustered in the 50–100 KB range. Compared to yesterday, the repository lost one workflow, while average file size increased by +2.4 KB, suggesting the removed workflow was small and remaining ones grew slightly.

Metric	Value	vs. Yesterday
Total Lock Files	164	-1
Total Size	10.67 MB	+0.32 MB
Average File Size	66.6 KB	+2.4 KB
Average Steps / Workflow	73.7	+0.2
Average Timeout	18.9 min	—
Workflows with Concurrency	164 (100%)	—

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10–50 KB	7	4.3%
50–100 KB	153	93.3%
> 100 KB	4	2.4%

The 50–100 KB band dominates overwhelmingly, indicating a high degree of structural uniformity across workflows — likely driven by a shared scaffolding template that embeds MCP configuration, safe-output handlers, and standard job boilerplate.

Smallest & Largest Files

Smallest 5:

File	Size
codex-github-remote-mcp-test.lock.yml	23.3 KB
test-workflow.lock.yml	23.8 KB
example-permissions-warning.lock.yml	23.9 KB
firewall.lock.yml	24.3 KB
chroma-issue-indexer.lock.yml	26.4 KB

Largest 5:

File	Size
smoke-project.lock.yml	95.1 KB
poem-bot.lock.yml	109.8 KB
smoke-copilot-arm.lock.yml	117.9 KB
smoke-copilot.lock.yml	120.1 KB
smoke-claude.lock.yml	149.3 KB

The smoke-test workflows are consistently the largest, reflecting comprehensive end-to-end test configurations with larger toolsets and more steps.

---

Trigger Analysis

Most Popular Triggers

Trigger	Count	% of Workflows
workflow_dispatch	150	91.5%
schedule	123	75.0%
pull_request	21	12.8%
issue_comment	14	8.5%
issues	11	6.7%
pull_request_review_comment	6	3.7%
discussion_comment	5	3.0%
discussion	4	2.4%
workflow_run	2	1.2%
workflow_call	1	0.6%
push	1	0.6%

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	111	67.7%
workflow_dispatch only	17	10.4%
pull_request + schedule + workflow_dispatch	9	5.5%
pull_request + workflow_dispatch	6	3.7%
Full interaction suite (discussion, discussion_comment, issue_comment, issues, pull_request, pull_request_review_comment)	3	1.8%
issue_comment + issues + pull_request	2	1.2%
issue_comment only	2	1.2%
workflow_run only	2	1.2%
issues only	2	1.2%
Other combinations	9	5.5%

The schedule + workflow_dispatch pairing accounts for nearly 7 in 10 workflows, establishing it as the canonical pattern for autonomous scheduled agents that also support manual invocation.

Schedule Frequency Analysis

The 123 scheduled workflows follow these common cron patterns (typical distribution):

• Hourly (0 * * * *): real-time monitoring and CI cleanup workflows
• Daily (0 8 * * * or similar): most daily-* prefixed workflows
• Weekly/Monthly: less common, used for deeper analysis workflows

---

Safe Outputs Analysis

Safe Output Types Distribution

Type	Count	% of Workflows
create_discussion	158	96.3%
noop	158	96.3%
missing_data	158	96.3%
missing_tool	158	96.3%
create_issue	127	77.4%
create_pull_request	67	40.9%
add_comment	44	26.8%
create_pull_request_review_comment	40	24.4%
add_labels	15	9.1%
update_issue	8	4.9%
close_issue	8	4.9%
push_to_pull_request_branch	7	4.3%
close_discussion	6	3.7%
submit_pull_request_review	6	3.7%
remove_labels	4	2.4%
dispatch_workflow	3	1.8%
close_pull_request	3	1.8%
link_sub_issue	3	1.8%
create_project_status_update	3	1.8%
update_project	3	1.8%
hide_comment	2	1.2%
update_pull_request	2	1.2%
create_code_scanning_alert	2	1.2%
create_agent_session	2	1.2%
Rare types (assign, update_release, add_reviewer, etc.)	~4	<1% ea.

The four core types (create_discussion, noop, missing_data, missing_tool) appear in 158 of 164 workflows (96.3%), indicating near-universal adoption of the standard safe-output contract. The 6 missing cases are likely test/example workflows with minimal configuration.

Discussion Categories Used

Category	Count
audits	43
announcements	3
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1
security	1

audits is the dominant category by a wide margin (43 of 58 categorized workflows = 74%), positioning it as the primary channel for automated agent reporting.

---

Structural Characteristics

Job Complexity

Metric	Value
Average Steps / Workflow	73.7
Maximum Steps (single workflow)	102 (largest smoke test)
Total Workflows	164
Workflows with Concurrency Settings	164 (100%)
Average Timeout	18.9 minutes

Concurrency Group Patterns

All 164 workflows (100%) configure concurrency groups, demonstrating systematic prevention of duplicate runs.

Pattern	Count
gh-aw-{expr} (generic)	129
gh-aw-copilot-{expr}	73
gh-aw-claude-{expr}	34
gh-aw-{expr}-{expr} (multi-param)	30
push-repo-memory-{expr}	22
gh-aw-codex-{expr}	6
Specific named groups	~10

---

Permission Patterns

Permission Distribution

Permission	Write Count	Read Count
contents	164	659
issues	327	148
discussions	262	34
pull-requests	171	146
actions	6	72
security-events	4	10
id-token	1	—
packages	1	1
statuses	1	—

Note: Permission counts exceed workflow counts because many workflows request the same permission multiple times across different jobs. The contents permission appears in every workflow (164 × read), while issues:write (327 instances across 164 workflows) indicates multiple jobs within many workflows require it. Every single workflow grants contents:write in at least one job, reflecting that all workflows have the ability to make code or file changes.

---

Tool & MCP Patterns

Most Used MCP Servers

MCP Server	Count	% of Workflows
github (github-mcp-server)	172	104.9%*
safeoutputs	168	102.4%*
playwright	47	28.7%
serena	24	14.6%
tavily	5	3.0%
agenticworkflows	2	1.2%
safeinputs	1	0.6%

*Counts exceed 100% because some workflows configure the same MCP server in multiple job contexts.

github and safeoutputs are effectively universal. playwright appears in nearly 1 in 3 workflows, making it the third most common MCP server — suggesting a significant fraction of agents interact with web-based UIs or documentation. serena (code intelligence) appears in ~15% of workflows.

Engine Distribution

Engine	Count	%
dynamic (API-key resolved at runtime)	111	67.7%
claude (Anthropic, hardcoded)	40	24.4%
codex (OpenAI)	12	7.3%
gemini (Google)	1	0.6%

Most workflows use dynamic engine resolution — the engine is determined at runtime based on available API keys. Claude remains the most common explicitly-configured engine (24.4%), while Codex accounts for 7.3%.

---

Interesting Findings

1. Universal concurrency governance: 100% of workflows configure concurrency groups, a near-perfect adoption rate that prevents resource contention and duplicate agent executions — a sign of mature infrastructure discipline.

2. Smoke tests as size outliers: The 4 workflows exceeding 100 KB are all smoke tests (smoke-claude, smoke-copilot, smoke-copilot-arm, poem-bot), which are 2–3× larger than average. This asymmetry suggests smoke tests encode significantly more tool configurations, test steps, and validation logic than operational workflows.

3. The 6 non-standard workflows: Six workflows lack the standard four safe-output types, suggesting they are experimental, test, or minimal scaffolding examples (e.g., test-workflow.lock.yml, example-permissions-warning.lock.yml, firewall.lock.yml).

4. Playwright's broad adoption: With 47 workflows (28.7%) using Playwright MCP, browser automation is a first-class capability — not just a niche tool. This likely powers documentation scraping, UI testing, and research workflows.

5. Gemini as the sole non-Anthropic/OpenAI engine: Only 1 workflow hardcodes Gemini, making it a notable outlier. The vast majority of non-dynamic engines use Claude (40) or Codex (12), reflecting clear vendor preferences.

---

Historical Trends (7-Day)

Date	Files	Avg Size	Change
2026-02-26	160	63.6 KB	—
2026-02-27	161	64.6 KB	+1 file, +1.0 KB
2026-02-28	162	64.8 KB	+1 file, +0.2 KB
2026-03-01	162	63.0 KB	— (-1.8 KB)
2026-03-02	165	64.0 KB	+3 files, +1.0 KB
2026-03-03	165	64.2 KB	—
2026-03-04	164	66.6 KB	-1 file, +2.4 KB

Weekly net change: +4 files (+2.5%), +3.0 KB average size (+4.7%). The repository is steadily growing — approximately 1 new workflow per weekday — while individual workflows are also gradually increasing in size, suggesting ongoing feature additions to existing workflows.

---

Recommendations

1. Investigate the 6 non-standard workflows: codex-github-remote-mcp-test, test-workflow, example-permissions-warning, firewall, chroma-issue-indexer, and one other are missing the standard safe-output contract. Confirm they are intentional exceptions and document why.

2. Monitor size growth trajectory: Average size grew +3 KB over 7 days (+4.7%). At this rate, files will cross the 100 KB boundary in ~3 months. Consider whether there is unnecessary bloat accumulating in lock file templates.

3. Standardize dynamic engine resolution: With 67.7% of workflows already using dynamic engine selection, consider migrating the remaining 53 hardcoded workflows (claude: 40, codex: 12, gemini: 1) to dynamic resolution for improved flexibility and maintainability.

4. Playwright dependency review: 47 workflows depend on Playwright MCP (28.7%). Assess whether all of these truly require browser automation or if lighter-weight alternatives could reduce resource consumption.

5. Promote serena adoption: The Serena code-intelligence MCP is used in only 24 workflows (14.6%). Workflows that analyze or modify code could benefit from adding it to their tool configuration.

---

Methodology

• Analysis Tool: Python 3 with regex-based YAML parsing (/tmp/gh-aw/cache-memory/scripts/full_analysis.py)
• Lock Files Analyzed: 164 (all .lock.yml in .github/workflows/)
• Cache Memory: Historical data stored in /tmp/gh-aw/cache-memory/history/, scripts cached for reuse
• Data Sources: .github/workflows/*.lock.yml
• Historical Depth: 11 days of trend data (2026-02-21 through 2026-03-04)

References:

• §22679258572

AI generated by Lockfile Statistics Analysis Agent · history

• expires on Mar 5, 2026, 4:46 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-05T16:46:52.175Z.

Closed by Workflow