[lockfile-stats] Agentic Workflow Lock File Statistics - 2026-04-14

[github-actions[bot]]

Executive Summary

Analysis of 191 lock files across .github/workflows/ reveals a mature, well-structured agentic workflow ecosystem. The repository has grown from 178 lock files on 2026-03-30 to 191 today (+13 files in ~2 weeks). Workflows are predominantly scheduled automation tasks built on Copilot and Claude agents, all running behind a universal firewall with concurrency controls.

Metric	Value
Total Lock Files	191
Total Size	14.4 MB
Average File Size	~75 KB
Analysis Date	2026-04-14
Previous Run (Apr 13)	187 files (+4 today)

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	6	3.1%
50–100 KB	179	93.7%
> 100 KB	6	3.1%

Outliers:

• Smallest: codex-github-remote-mcp-test.lock.yml (30.3 KB)
• Largest: smoke-claude.lock.yml (158.6 KB)

93.7% of all lock files fall in the 50–100 KB range, indicating highly consistent workflow complexity across the repository.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows	Δ vs Apr 13
workflow_dispatch	176	92.1%	+4
schedule	139	72.8%	+3
pull_request	31	16.2%	0
issue_comment	15	7.9%	0
issues	12	6.3%	0
pull_request_review_comment	6	3.1%	0
discussion	4	2.1%	0
discussion_comment	4	2.1%	0
workflow_call	2	1.0%	0
workflow_run	1	0.5%	0
push	1	0.5%	0

Common Trigger Combinations

Combination	Count	Description
schedule + workflow_dispatch	126 (66%)	Scheduled automation with manual override
workflow_dispatch only	18 (9.4%)	Manual-only workflows
pull_request + workflow_dispatch	13 (6.8%)	PR-driven automation
pull_request + schedule + workflow_dispatch	9 (4.7%)	Full-stack automation
issue_comment only	3 (1.6%)	Comment-reactive bots
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment	2 (1.0%)	Omni-reactive agents

Schedule Patterns (Cron Analysis)

Most schedule crons use well-distributed minute offsets (avoiding :00 and :30), consistent with best practices for reducing API load concentration. Observed patterns:

Pattern	Frequency	Description
N H * * * (daily)	~120	Daily at specific hour
N H * * 1-5 (weekdays)	~8	Weekday business-hours only
N */6 * * * (every 6h)	2	Sub-daily recurring
N */4 * * *	1	Every 4 hours
N H * * 0 (weekly)	1	Weekly (Sunday)
N H * * 1 (weekly Mon)	2	Weekly (Monday)

Example crons with deliberate jitter: 37 2 * * *, 48 12 * * *, 23 3 * * * — all avoiding round hours.

---

Agent (Engine) Distribution

Agent	Workflows	%	Δ vs Mar 30
copilot	126	66.0%	+8
claude	53	27.7%	+13
codex	11	5.8%	-8
gemini	1	0.5%	0

Notable trend: Claude-based workflows grew by +13 (from 40 to 53) since March 30, while Codex declined from 19 to 11 — suggesting migration from Codex to Claude for several workflows.

Per-Agent Trigger Breakdown

Copilot (126 workflows):

• workflow_dispatch: 114, schedule: 92, pull_request: 14, issue_comment: 10, issues: 8

Claude (53 workflows):

• workflow_dispatch: 52, schedule: 40, pull_request: 11, issues: 3, issue_comment: 3

Codex (11 workflows):

• workflow_dispatch: 9, schedule: 6, pull_request: 5, issue_comment: 2, issues: 1

Gemini (1 workflow — smoke-gemini):

• workflow_dispatch + schedule + pull_request combo

---

Safe Outputs Analysis

Safe Output Type Distribution

Note: noop, missing-data, missing-tool, and report-incomplete appear in nearly all workflows as standard completion-signaling boilerplate. The actionable outputs below reflect actual GitHub write operations.

Safe Output Type	Count	% of Workflows
create-discussion	~61	32%
create-issue	~41	21%
create-pull-request	~37	19%
add-comment	~56	29%
update-issue	~3	1.6%

These counts are from prior run's detailed safe-output manifest analysis. Current scan confirmed add-comment present in 56 workflows, create-pull-request in 47.

Discussion Categories Used

Category	Count
audits	46
announcements	5
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1

audits is by far the dominant discussion category (46 workflows), making it the primary output channel for scheduled analysis workflows.

Workflows Using add-comment (sample)

• ace-editor, archie, brave, ci-doctor, cloclo, craft, dev, grumpy-reviewer, mcp-inspector, mergefest, plan, pr-nitpick-reviewer, q, scout, security-review, and more

---

Structural Characteristics

Job Complexity

Metric	Value
Average jobs per workflow	6.0
Min jobs	2
Max jobs	10
Average steps per job	15.1
Min steps per job	0
Max steps in single job	63 (copilot-token-audit)

Top 10 Workflows by Step Count

Rank	Workflow	Steps
1	copilot-token-audit	63
2	daily-news	60
3	smoke-claude	54
4	prompt-clustering-analysis	54
5	daily-issues-report	54
6	smoke-copilot-arm	53
7	daily-integrity-analysis	53
8	stale-repo-identifier	52
9	smoke-copilot	52
10	portfolio-analyst	51

Typical Lock File Profile

A representative .lock.yml file in this repository has:

• Size: ~75 KB
• Jobs: ~6 jobs
• Steps per job: ~15 steps
• Triggers: schedule + workflow_dispatch
• Agent: Copilot (most common)
• Timeout: 15 minutes (97% of all timeouts)
• Concurrency: Always configured (191/191 = 100%)

---

Permission Patterns

Most Common Permissions

Permission	Read Count	Write Count
contents	1000	121
issues	169	387
discussions	38	250
pull-requests	173	207
actions	271	6
copilot-requests	—	101
security-events	11	9

Permission Summary

• contents:read appears in virtually all workflows (1000 instances across jobs) — the universal baseline
• issues:write (387) is the most common write permission — more workflows write issues than any other resource
• copilot-requests:write appears in 101 job instances, gating Copilot API usage
• All 191 workflows have ≤2 permissions per job in at least one job, indicating layered permission scoping

---

Tool & MCP Patterns

Container Image Distribution

Image	Count	Notes
gh-aw-firewall/agent	191	Universal — all workflows
gh-aw-firewall/api-proxy	191	Universal — all workflows
gh-aw-firewall/squid	191	Universal — all workflows
github/gh-aw-mcpg	191	Universal — all workflows
github/github-mcp-server	186	Standard GitHub MCP
node	185	Node.js runtime
github/serena-mcp-server	25	Code search/semantic MCP
playwright/mcp	11	Browser automation MCP
mcp/markitdown	3	Document parsing
mcp/brave-search	2	Web search
mcp/ast-grep	2	Structural code search
mcp/arxiv-mcp-server	2	Academic paper access
mcp/notion	2	Notion integration
semgrep/semgrep	1	Security scanning
mcp/context7	1	Documentation lookup
mcp/memory	1	Persistent memory

Timeout Distribution

Timeout (minutes)	Count	%
15 min	185	97.4%
10 min	3	1.6%
5 min	2	1.1%

97.4% of all jobs use the 15-minute timeout — a clear organizational standard.

---

Interesting Findings

1. Universal Firewall Architecture: Every single workflow (191/191) includes the gh-aw-firewall trio (agent, api-proxy, squid) — indicating a zero-exception network isolation policy for all agentic executions.

2. 100% Concurrency Configuration: All 191 workflows define concurrency blocks, preventing parallel execution of the same workflow — a strong safety pattern for agentic tasks that write to GitHub.

3. Claude Agent Growth (+32%): Claude-powered workflows grew from 40 to 53 over the past ~2 weeks, while Codex declined from 19 to 11. This represents a clear shift toward Claude for new and migrated workflows.

4. Deliberate Schedule Jitter: Of the ~139 scheduled workflows, none use round-hour (:00) or half-hour (:30) cron times. Every schedule uses an offset minute, distributing load intelligently across hours.

5. audits Category Dominance: 46 scheduled analysis workflows write to the audits discussion category, making it a rich, self-documenting audit trail of the repository's own health and activity.

6. Serena MCP Adoption: 25 workflows use github/serena-mcp-server — a semantic code search MCP — indicating significant adoption of intelligent code navigation beyond basic GitHub API reads.

7. Playwright MCP in 11 Workflows: Browser automation is used in 11 workflows via playwright/mcp, suggesting real browser interaction (visual testing, web scraping, UI validation) as an established pattern.

---

Historical Trends

Metric	Mar 30	Apr 13	Apr 14	2-Week Change
Total files	178	187	191	+13 (+7.3%)
Total size	11.8 MB	14.1 MB	14.4 MB	+2.6 MB
Avg size	66 KB	75.6 KB	75 KB	+9 KB
Copilot workflows	118	123	126	+8
Claude workflows	40	52	53	+13
Codex workflows	19	11	11	-8

Growth rate: ~+1 new workflow per day. At this pace, the repository will exceed 200 lock files within ~1 week.

---

Recommendations

1. Codex Migration Review: With Codex workflows dropping from 19 to 11, a formal audit of remaining Codex workflows could identify candidates for migration to Claude or Copilot agents.

2. audits Category Governance: With 46 workflows posting to audits, consider establishing sub-categories (e.g., audits/security, audits/performance) to improve discoverability as volume grows.

3. Standardize 15-Minute Timeout: Given 97.4% already use 15 minutes, the 3 outlier jobs using 5–10 minutes could be reviewed for whether they're intentionally constrained or simply outdated configs.

4. Serena MCP Expansion: Given adoption in 25 workflows, consider documenting best practices for Serena usage to guide new workflows that would benefit from semantic code search.

5. File Size Watchlist: The 6 workflows already exceeding 100 KB (smoke-claude, smoke-copilot, smoke-copilot-arm, mcp-inspector, issue-monster, cloclo) are 40–110% larger than average — worth monitoring for further growth.

---

Methodology

• Lock Files Analyzed: 191
• Analysis Tool: Python 3 with PyYAML + regex pattern matching
• Cache Memory: Historical data maintained at /tmp/gh-aw/cache-memory/history/
• Data Sources: .github/workflows/*.lock.yml
• Historical Baseline: 2026-03-30 through 2026-04-13 (15 prior runs)

References:

• §24373465335

Generated by Lockfile Statistics Analysis Agent · ● 180.3K · ◷

• expires on Apr 15, 2026, 12:12 AM UTC