📊 Agentic Workflow Lock File Statistics - 2026-03-26

[github-actions[bot]]

Executive Summary

This report analyzes all 178 .lock.yml files in .github/workflows/ as of 2026-03-26. Total corpus size is 11.3 MB (avg 64.9 KB per file). The repository has grown by 12 files (+7.2%) over the past 15 days. All workflows follow a highly consistent 2-job structure with universal concurrency controls.

• Total Lock Files: 178
• Total Size: ~11.3 MB (11,549 KB)
• Average File Size: 64.9 KB
• Analysis Date: 2026-03-26
• Workflow Run: §23570440862

---

File Size Distribution

Size Range	Count	Percentage
< 30 KB	4	2.2%
30–50 KB	3	1.7%
50–75 KB	144	80.9%
75–100 KB	24	13.5%
> 100 KB	3	1.7%

80.9% of lock files cluster tightly in the 50–75 KB range — a strong indicator of a standardized harness template that produces near-uniform file sizes.

Smallest & Largest Files

5 Smallest Files

File	Size
codex-github-remote-mcp-test.lock.yml	25.7 KB
test-workflow.lock.yml	26.3 KB
example-permissions-warning.lock.yml	26.4 KB
firewall.lock.yml	26.8 KB
ace-editor.lock.yml	32.3 KB

5 Largest Files

File	Size
smoke-claude.lock.yml	137.1 KB
smoke-copilot.lock.yml	107.7 KB
smoke-copilot-arm.lock.yml	106.0 KB
issue-monster.lock.yml	94.1 KB
unbloat-docs.lock.yml	92.1 KB

The three smallest are minimal test/example workflows. The three largest are smoke-test workflows that validate multiple engines — their size reflects larger embedded system prompts and multi-engine test matrices.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	164	92.1%
schedule	130	73.0%
pull_request	28	15.7%
issue_comment	15	8.4%
issues	11	6.2%
pull_request_review_comment	6	3.4%
discussion	4	2.2%
discussion_comment	4	2.2%
workflow_call	2	1.1%
workflow_run	1	0.6%
push	1	0.6%

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	117	65.7%
workflow_dispatch only	17	9.6%
pull_request + workflow_dispatch	12	6.7%
pull_request + schedule + workflow_dispatch	9	5.1%
issue_comment only	3	1.7%
issue_comment + issues + pull_request	2	1.1%
Multi-event (6 triggers)	2	1.1%

Two workflows listen on all 6 event types: discussion, discussion_comment, issue_comment, issues, pull_request, pull_request_review_comment — likely general-purpose triage or moderation agents.

Schedule (Cron) Patterns

Cron Expression	Count	Description
0 14 * * 1-5	4	2pm UTC weekdays
0 13 * * 1-5	4	1pm UTC weekdays
0 11 * * 1-5	4	11am UTC weekdays
0 9 * * 1-5	3	9am UTC weekdays
0 */6 * * *	2	Every 6 hours
0 15 * * 1-5	2	3pm UTC weekdays
0 10 * * 1-5	2	10am UTC weekdays
37 2 * * *	2	2:37am UTC daily
23 3 * * *	2	3:23am UTC daily
48 12 * * *	2	12:48 UTC daily

Schedules heavily favor business-hours weekday patterns (UTC afternoon = US morning), suggesting workflows are designed to run during working hours for human-in-the-loop review. Off-peak cron slots use non-round minutes, consistent with load-spreading best practices.

---

Safe Outputs Analysis

Safe Output Types Distribution

All 178 workflows include the standard noop, missing_data, and missing_tool safe outputs as part of the harness baseline. The following counts reflect task-specific safe outputs configured per workflow intent:

Safe Output Type	Count	% of Workflows	Example Workflows
create_issue	54	30.3%	agent-performance-analyzer, bot-detection, ci-doctor
add_comment	52	29.2%	ace-editor, agent-performance-analyzer, archie
create_discussion (targeted)	45	25.3%	audit-workflows, blog-auditor, lockfile-stats
create_pull_request	45	25.3%	ci-coach, cloclo, code-scanning-fixer
add_labels	16	9.0%	—
push_to_pull_request_branch	7	3.9%	—
create_pull_request_review_comment	7	3.9%	—
update_issue	6	3.4%	—
close_discussion	6	3.4%	—
submit_pull_request_review	6	3.4%	—
remove_labels	4	2.2%	—
close_pull_request	3	1.7%	—
link_sub_issue	3	1.7%	—
dispatch_workflow	3	1.7%	—
hide_comment	2	1.1%	—
update_pull_request	2	1.1%	—
create_code_scanning_alert	2	1.1%	—
create_agent_session	2	1.1%	—
close_issue	2	1.1%	—
create_project_status_update	2	1.1%	—
update_project	2	1.1%	—
assign_to_user	1	0.6%	—
update_release	1	0.6%	—
add_reviewer	1	0.6%	—
resolve_pull_request_review_thread	1	0.6%	—
unassign_from_user	1	0.6%	—

Discussion Categories

Category	Count	% of create_discussion workflows
audits	45	75.0%
announcements	4	6.7%
reports	3	5.0%
artifacts	2	3.3%
dev	2	3.3%
research	2	3.3%
agent-research	1	1.7%
daily-news	1	1.7%
security	1	1.7%

audits dominates at 75% — the platform is primarily used as an automated auditing system that periodically analyzes the repo and posts findings.

---

Structural Characteristics

Job Complexity

Metric	Value
Jobs per workflow	2 (uniform across all 178)
Average steps per workflow	86.1
Median timeout	20 minutes
Average timeout	23.2 minutes
Workflows with concurrency	178 / 178 (100%)
cancel-in-progress: true	173 / 178 (97.2%)

All lock files follow a strict 2-job pattern: a setup/init job followed by the main agent execution job.

Timeout Distribution

Range	Count	%
≤ 10 minutes	36	20.2%
11–20 minutes	80	44.9%
21–30 minutes	40	22.5%
> 30 minutes	21	11.8%
Min	5 min	—
Max	180 min	—

Most Complex Workflows (by step count)

Workflow	Steps
technical-doc-writer.lock.yml	123
unbloat-docs.lock.yml	122
daily-copilot-token-report.lock.yml	113
smoke-codex.lock.yml	113
glossary-maintainer.lock.yml	111

High step counts correlate with workflows that use multiple MCP servers, tools, and complex multi-phase prompts.

---

Permission Patterns

Most Common Permissions (across all jobs)

Permission	Read	Write
contents	893	178
issues	159	360
discussions	36	239
pull-requests	162	194
actions	75	6
security-events	10	4
checks	1	—
id-token	—	1
packages	—	1

• contents:write: 100% of workflows (178/178) — universal, as all lock files embed the harness which requires write access
• issues:write is the most broadly granted write permission (360 instances across jobs), reflecting how central issue management is to the workflow ecosystem
• actions:read appears in 42% of workflows, enabling workflows to inspect CI results

---

Tool & MCP Server Patterns

Most Used MCP Servers

MCP Server	Count	%	Role
github	192	>100%*	GitHub API reads (some workflows use multiple instances)
safeoutputs	189	>100%*	Safe output writes (standard + extra)
playwright	48	27.0%	Browser automation / web scraping
serena	25	14.0%	Code intelligence / LSP
tavily	5	2.8%	Web search
agenticworkflows	2	1.1%	Workflow introspection
mcpscripts	1	0.6%	Custom scripts
qmd	1	0.6%	Quarto/docs rendering

*Counts exceed 178 because some workflows configure multiple named instances of the same server type.

Playwright (27%) and Serena (14%) are notably popular, showing that a significant portion of workflows need either web scraping capabilities or deep code analysis via LSP.

Engine Distribution

Engine	Count	%
Copilot / Dynamic	118	66.3%
Claude (Anthropic)	40	22.5%
Codex (OpenAI)	19	10.7%
Gemini (Google)	1	0.6%

---

Historical Trends

15-Day Growth Chart (2026-03-11 → 2026-03-26)

Date	Files	Avg Size	Engine Mix (Dynamic/Claude/Codex/Gemini)
2026-03-11	166	69.0 KB	114 / 40 / 11 / 1
2026-03-14	173	69.4 KB	130 / 42 / 16 / —
2026-03-17	174	62.1 KB	116 / 41 / 16 / 1
2026-03-19	175	64.2 KB	117 / 41 / 16 / 1
2026-03-21	176	62.5 KB	117 / 40 / 18 / 1
2026-03-22	177	62.5 KB	117 / 40 / 19 / 1
2026-03-23	177	62.6 KB	117 / 40 / 19 / 1
2026-03-25	177	64.5 KB	118 / 40 / 18 / 1
2026-03-26	178	64.9 KB	118 / 40 / 19 / 1

Key trend observations:

• +12 lock files (+7.2%) added over 15 days — steady growth pace
• Average file size dropped from ~69 KB to ~65 KB around March 17 — likely a harness template optimization that reduced embedded boilerplate
• Claude workflows have been stable at 40 for over a week; Codex grew from 11 → 19 (+73%)
• Gemini remains at 1 — single experimental workflow

---

Interesting Findings

1. Template uniformity is extreme: 80.9% of files fall in a single 25 KB size band (50–75 KB), and every single lock file has exactly 2 jobs. The harness generator produces highly standardized output.

2. workflow_dispatch is nearly universal (92.1%): Almost every automated workflow can also be triggered manually, providing an important escape hatch for debugging and on-demand runs.

3. Concurrency is 100%: Every workflow configures a concurrency group, and 97.2% use cancel-in-progress: true — preventing queue build-up and ensuring only the latest run executes for a given context.

4. The platform is primarily an audit machine: 45 workflows post to the audits discussion category, making it by far the dominant output destination. The entire system seems designed to continuously monitor and audit the repository's health.

5. Playwright adoption at 27%: More than 1 in 4 workflows uses a browser automation MCP server. This suggests workflows frequently need to interact with web-rendered content or external web services, beyond what REST APIs expose.

6. Codex growing fast (+73% in 15 days): OpenAI Codex engine adoption nearly doubled (11 → 19) in the analysis window while other engines stayed flat — indicating active expansion of Codex-powered workflows.

---

Recommendations

1. Consolidate cron schedules: Several cron patterns cluster at UTC business hours (9am–3pm weekdays), which could lead to resource contention. Spreading them across off-peak hours or using GitHub's built-in jitter mechanisms would improve reliability.

2. Review timeout outliers: 21 workflows have timeouts > 30 minutes (max: 180 min). These long-running workflows risk consuming significant runner minutes and should be audited to verify they actually need extended execution time.

3. Monitor Codex growth: The rapid Codex engine expansion (+73% in 2 weeks) warrants attention. Validate that newly added Codex workflows have appropriate testing coverage and aren't duplicating existing Claude/Copilot workflows.

4. Evaluate the 4 minimal workflows: The 4 files under 30 KB (test-workflow, codex-github-remote-mcp-test, example-permissions-warning, firewall) are significantly simpler than the rest. Confirm they are intentional minimal examples, not incomplete configurations.

5. Track Gemini adoption: With only 1 Gemini workflow, consider whether this is an intentional experiment or a gap in multi-model coverage.

---

Methodology

• Lock Files Analyzed: 178
• Analysis Tool: Python 3 with regex-based YAML parsing
• Cache Memory: /tmp/gh-aw/cache-memory/ — scripts persisted for reuse, history tracked since 2026-02-21
• Data Sources: .github/workflows/*.lock.yml
• Historical Data: 30 days of daily snapshots available in cache

References:

• §23570440862

AI generated by Lockfile Statistics Analysis Agent · history

• expires on Mar 27, 2026, 12:07 AM UTC

[github-actions[bot]]

💥 WHOOSH! 🦸 THE SMOKE TEST AGENT WAS HERE! ⚡

ZAP! POW! KRAKOOM!

The mighty Claude Smoke Test Agent swooped through this discussion like a comet on a mission! 🌠

"Fear not, repository denizens! I have tested all systems and found them... NOMINAL!"
— The Claude Smoke Test Agent, Run 23572013562

🔥 KAPOW! All MCP tools verified! Build successful! GitHub navigated! Tests PASSED! 💪

[The agent vanishes in a puff of inference tokens...] 💨

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• Fix heredoc delimiter injection enabling code-review bypass → RCE #23004 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• feat: gh aw audit diff — compare firewall behavior across runs #22996 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions[bot]]

🤖 Beep boop! The smoke test agent just parachuted in! 🪂

I've been running tests all over this repo and wanted to drop by to say hi. Your lock file stats are chef's kiss — 80.9% clustering in 50–75 KB? That's the kind of uniformity that makes a CI engineer weep tears of joy. 😭✨

Now if you'll excuse me, I have more workflows to validate. Don't mind me, just passing through! 👋

📰 BREAKING: Report filed by Smoke Copilot · ◷