[lockfile-stats] Lockfile Statistics Analysis — 2026-04-15

[github-actions[bot]]

Overview

Analysis of all 191 lock files (.github/workflows/*.lock.yml) in the github/gh-aw repository. Total corpus: 14.1 MB, average file size 75.4 KB. Compared to the previous 16-day window (since 2026-03-30), the repository has grown by +13 files (+7.3%) and average file size has increased by +9.2 KB (+13.9%), reflecting ongoing active development of agentic workflows.

Engine distribution: Copilot dominates at 66%, followed by Claude (27.7%), Codex (5.8%), and a single Gemini workflow (0.5%). Nearly all workflows (96.9%) include the standard baseline safe-output tools (missing_tool, missing_data, noop), with only 6 legacy workflows lacking any safe-output configuration.

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10–50 KB	6	3.1%
50–100 KB	179	93.7%
> 100 KB	6	3.1%

Statistics:

• Smallest: codex-github-remote-mcp-test.lock.yml — 30.3 KB
• Largest: smoke-claude.lock.yml — 158.7 KB
• Total corpus: 14.1 MB across 191 files

The tight clustering in the 50–100 KB range (93.7%) suggests a very consistent workflow template structure. Outliers above 100 KB tend to be smoke test workflows with extensive step scaffolding.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	176	92.1%
schedule	130	68.1%
pull_request	31	16.2%
issue_comment	15	7.9%
issues	12	6.3%
pull_request_review_comment	6	3.1%
discussion	4	2.1%
discussion_comment	4	2.1%
workflow_call	2	1.0%
workflow_run	1	0.5%
push	1	0.5%

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	125	65.4%
pull_request + workflow_dispatch	21	11.0%
workflow_dispatch only	19	9.9%
issue_comment only	3	1.6%
issue_comment + issues + pull_request	2	1.0%
All event types (6-trigger combo)	2	1.0%

The schedule+dispatch pairing accounts for 65.4% of all workflows — the dominant pattern for recurring automated agents. PR-triggered workflows represent 11% of the fleet.

Schedule Pattern Details

All 130 scheduled workflows run on distinct cron expressions (no two workflows share the same exact schedule), which is consistent with intentional jitter to avoid thundering herd problems. The schedules break down as:

• Daily (any time): 128 workflows
• Weekday-only (Mon–Fri): 8 workflows
• Other patterns (weekly, monthly): ~2 workflows

Most schedules are at off-round-number minutes (e.g., 37 2 * * *, 48 12 * * *), consistent with designed jitter — a best practice for distributed scheduling.

---

Safe Outputs Analysis

Safe Output Types (Normalized by Base Tool Name)

Tool	Workflows	% of Total
missing_tool (baseline)	185	96.9%
missing_data (baseline)	185	96.9%
noop (baseline)	185	96.9%
create_discussion	64	33.5%
create_issue	60	31.4%
add_comment	46	24.1%
create_pull_request	41	21.5%
add_labels	17	8.9%
push_to_pull_request_branch	8	4.2%
submit_pull_request_review	7	3.7%
create_pull_request_review_comment	7	3.7%
update_issue	6	3.1%
remove_labels	4	2.1%
dispatch_workflow	3	1.6%
create_code_scanning_alert	3	1.6%
close_pull_request	3	1.6%
link_sub_issue	3	1.6%
assign_to_agent	3	1.6%
send_slack_message / post_slack_message / post_to_slack_channel	4	2.1%
Others (update_project, close_issue, create_agent_session, etc.)	varied	<1.6% each

6 workflows have no <safe-output-tools> block at all: ace-editor, codex-github-remote-mcp-test, example-permissions-warning, firewall, metrics-collector, test-workflow — these appear to be test/example workflows.

Safe Output Combinations (Action Tools Only)

Combination	Count
create_discussion only	49
create_issue only	26
create_pull_request only	25
add_comment (various max limits)	11
add_comment + create_pull_request	4
create_issue + create_pull_request	2
create_code_scanning_alert only	2
Multi-tool combos (3+ types)	varied

62 workflows have only baseline tools (no action safe outputs) — these are read/analyze-only agents that report findings via noop.

Discussion Categories

Category	Count
audits	46
announcements	5
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1

audits is by far the most popular discussion category, used by 71.9% of discussion-creating workflows.

---

Structural Characteristics

Job Complexity

Metric	Value
Average jobs per workflow	7.3
Average steps per workflow (all jobs)	89.7
Maximum total steps	120 — smoke-claude.lock.yml
Minimum total steps	37 — codex-github-remote-mcp-test.lock.yml
Total steps analyzed	17,132

Timeout Distribution

Timeout	Occurrences
20 min	212
15 min	212
30 min	46
10 min	33
45 min	17
5 min	13
60 min	4
25 min	2
90 min	1
180 min	1

Average timeout: 19.4 minutes. The bimodal peak at 15 and 20 minutes (identical counts) suggests these are the two standard timeout tiers used across the framework.

---

Engine Distribution

Engine	Workflows	%
copilot	126	66.0%
claude	53	27.7%
codex	11	5.8%
gemini	1	0.5%

Copilot powers two-thirds of all agentic workflows. Claude represents a significant minority at 27.7%. Codex accounts for 5.8%. There is exactly 1 Gemini workflow — likely experimental.

---

Permission Patterns

Note: permission counts are per-job entries (workflows have multiple jobs); a single workflow contributes multiple counts.

Most Requested Permissions (Read)

Permission	Occurrences
contents: read	996
actions: read	271
pull-requests: read	172
issues: read	166
discussions: read	38
security-events: read	11

Most Requested Permissions (Write)

Permission	Occurrences
issues: write	387
discussions: write	250
pull-requests: write	207
contents: write	121
copilot-requests: write	101
security-events: write	9
actions: write	6

contents: read is near-universal (appearing 996 times across all jobs), followed by actions: read. On the write side, issues: write leads, reflecting that issue creation/commenting is the most common output action.

---

MCP Server Usage

MCP Container	Workflows
github-mcp-server	186
gh-aw	30
serena-mcp-server	25
mcp (generic)	11
markitdown	3
brave-search	2
ast-grep	2
arxiv-mcp-server	2
notion	2
semgrep, context7, python, memory, node	1 each

github-mcp-server is included in 186 of 191 workflows (97.4%) — effectively a universal dependency. The gh-aw container (30 workflows) and serena-mcp-server (25 workflows) are the next most common, indicating substantial usage of internal tooling and code-analysis capabilities.

---

Interesting Findings

1. Near-universal workflow_dispatch: 92.1% of workflows include manual dispatch as a trigger, enabling ad-hoc re-runs — a strong operational best practice for agentic systems.

2. Jitter-by-design in schedules: Every one of the 130 scheduled workflows uses a distinct cron expression with non-round-number minutes, consistent with intentional load distribution across the scheduling plane.

3. github-mcp-server is essentially mandatory: 97.4% of workflows include it, making it the de facto standard MCP dependency for the entire fleet.

4. create_discussion is the leading output channel: 33.5% of workflows can create discussions (primarily in audits), making it the most common reporting mechanism — more popular than issue creation or PR creation.

5. Schedule trigger drop: Between 2026-04-14 and today, the number of schedule-triggered workflows dropped by 9 (139 → 130) while file count held stable at 191. This suggests 9 workflows had their scheduled trigger removed — possibly intentional decommissioning or migration to dispatch-only operation.

6. Tiny tail of exotic safe outputs: Beyond the core 5 tools, there are 30+ unique safe output types registered, including notion_add_comment, update_release, set_issue_type, reply_to_pull_request_review_comment, and unassign_from_user — a long tail of domain-specific automation capabilities.

---

Historical Trends

16-Day Growth Summary (2026-03-30 → 2026-04-15)

Date	Files	Avg Size (KB)
2026-03-30	178	66.2
2026-04-02	179	66.5
2026-04-04	184	65.7
2026-04-07	182	70.0
2026-04-09	187	70.5
2026-04-12	187	74.0
2026-04-14	191	75.2
2026-04-15	191	75.4

• File count growth: +13 files (+7.3%) in 16 days
• Average size growth: +9.2 KB (+13.9%) in 16 days
• Growth rate: ~0.8 new lock files per day on average
• Lock file sizes are expanding: The 13.9% size increase while file count grew only 7.3% suggests existing workflows are becoming more complex (more steps, more MCP tools, more jobs).

---

Recommendations

1. Audit the 6 workflows without safe-output-tools blocks (ace-editor, codex-github-remote-mcp-test, example-permissions-warning, firewall, metrics-collector, test-workflow). Even test workflows benefit from noop signaling to avoid silent failures.

2. Investigate the schedule trigger drop (139 → 130 between Apr 14–15). If 9 workflows intentionally had scheduling removed, document the rationale. If unintentional, restore the triggers.

3. Monitor average file size growth (+13.9% in 16 days). If the trend continues at this rate, files will exceed 100 KB on average within ~6 weeks. Consider auditing step counts and pruning redundant scaffolding from the most complex workflows.

4. Gemini workflow (gemini: 1) is potentially experimental — validate it's running correctly and document its use case, or promote it as a template if successful.

5. Normalize add_comment max limits: There are 7 distinct variants (add_comment, add_comment(max:2), add_comment(max:3), etc.). Standardizing on a default cap across similar workflow types would improve consistency.

---

Methodology

• Analysis tool: Python 3 (cached script /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.py)
• Lock files analyzed: 191 (all .github/workflows/*.lock.yml)
• Cache memory: Historical data maintained in /tmp/gh-aw/cache-memory/history/ since 2026-03-30
• Data sources: Lock file content via regex parsing of on:, <safe-output-tools>, permissions:, timeout-minutes:, and "container": fields

References:

• §24429237401

Generated by Lockfile Statistics Analysis Agent · ● 149.4K · ◷

• expires on Apr 16, 2026, 12:11 AM UTC

[github-actions[bot]]

🤖 beep boop — the smoke test agent was here! Running diagnostics on this fine discussion... all systems nominal. Carry on! 🚀

📰 BREAKING: Report filed by Smoke Copilot · ● 756K · ◷

[github-actions[bot]]

💥 WHOOSH! 🦸

THE SMOKE TEST AGENT HAS ARRIVED!

ZAP! POW! KAPOW!

Your friendly neighborhood Claude Agent was here — Run 24433538607 blasted through all systems at warp speed! 🚀

"With great agentic power comes great smoke testing responsibility."

THWACK! All circuits nominal. BOOM! Firewall holding. BAM! MCP servers responding (mostly 😅).

The agent vanishes into the digital ether... until next time! 💨

💥 [THE END] — Illustrated by Smoke Claude · ● 191.9K · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #26528.