[lockfile-stats] Lockfile Statistics Audit — 2026-05-30

[github-actions[bot]]

Executive Summary

Snapshot of all .github/workflows/*.lock.yml compiled agentic workflows as of 2026-05-30.

Metric	Value
Lockfiles analyzed	236 (0 skipped)
Total size	23.67 MB (23,672,222 bytes)
Average size	100,306 B (~98 KB)
Median size	99,530 B
Min / Max	64,513 B (test-workflow) / 181,854 B (smoke-claude)

The corpus is large and remarkably uniform: every lockfile sits between 63–182 KB, reflecting a shared compilation template. Generated agent workflows are heavyweight artifacts — averaging ~104 steps and ~8 jobs each.

File Size Distribution

Bucket	Count
50–100 KB	123
100–250 KB	113

No lockfile falls below 50 KB — the compiler floor. The split is near-even, with the heaviest tier dominated by the smoke-* engine matrix and report-style agents.

Largest 10 lockfiles

Workflow	Bytes
smoke-claude	181,854
smoke-copilot	154,998
smoke-copilot-arm	145,551
smoke-codex	132,304
mcp-inspector	131,550
issue-monster	130,019
deep-report	129,829
cloclo	127,661
daily-news	124,683
daily-performance-summary	122,105

Trigger Analysis

Trigger	Workflows	Share
workflow_dispatch	228	96.6%
schedule	161	68.2%
pull_request	35	14.8%
issues	4	1.7%
issue_comment	2	0.8%
push	2	0.8%
workflow_run / discussion / discussion_comment / pr_review_comment	1 each	—

Most common combinations: schedule+workflow_dispatch (157), workflow_dispatch only (39), pull_request+workflow_dispatch (28). Nearly all workflows keep a manual dispatch escape hatch, and roughly two-thirds run on cron — confirming this repo is dominated by scheduled, autonomous agents rather than event-reactive ones.

Cron cadence notes

Most schedules are daily (m h * * *) with off-peak minutes to avoid the :00 fleet stampede. A handful use weekday-only (* * 1-5), every-4h/6h (*/4, */6), and weekly (* * 0, * * 1, * * 3) cadences. Minutes are well-distributed (no clustering on :00), which is good API-load hygiene.

Safe Outputs Analysis

The v1 extractor did not resolve safe-output type or discussion-category fields from the current lock format (both sections returned empty). This is a known extractor gap rather than an absence of safe outputs — these workflows clearly emit safe outputs at runtime. Flagged below as a methodology limitation to fix in a schema bump.

Structural Characteristics

Metric	Total	Avg/WF	Min	Max
Jobs	1,892	8.02	5	12 (firewall-escape)
Steps	24,644	104.4	68	142 (smoke-copilot)
Scripts	11,933	~50.6	—	—

The narrow job range (5–12) and step range (68–142) again show how templated these artifacts are. The bulk of each lockfile is boilerplate scaffolding (setup, MCP config, safe-output plumbing) rather than task-specific logic.

Timeout distribution (across all jobs)

Timeout (min)	Job count
<=5	14
6–15	350
16–30	312
31–60	31
>60	3

Most jobs cap at 6–30 minutes — sensible bounds for agentic runs. Only 3 jobs exceed 60 min.

Permission Patterns

Top-level permissions rendered as an empty map ({}) for all 236 files in the v1 extractor, and read/write scope breakdowns were not captured. Like safe outputs, this is an extractor limitation against the current lock structure, not evidence of unrestricted permissions. Noted for the next schema revision.

Tool & MCP Patterns

MCP server	Reference count
github	6,552
playwright	168
sentry	96
grafana	14
arxiv	6
deepwiki	6

The GitHub MCP server is ubiquitous — 6,552 references across the corpus, dwarfing all others. The top GitHub tools (get_commit, get_pull_request, issue_read, list_commits, get_workflow_run, ...) each appear in exactly 126 workflows, indicating a shared read-only GitHub toolset bundled into a large common subset of agents.

Engine distribution:

Engine	Workflows
copilot	154
claude	63
codex	14
antigravity / crush / gemini / opencode / pi	1 each

Copilot is the default engine for ~65% of workflows, with Claude the primary alternative.

Interesting Findings

1. Extreme uniformity. All 236 lockfiles fall in a 64–182 KB band with steps clustered 68–142. Compiled agent overhead is large and consistent — the per-agent task logic is a small fraction of each file.
2. GitHub MCP saturation. 6,552 GitHub MCP references and a flat 126-workflow plateau across ~30 read tools suggests a single shared GitHub toolset definition is injected into a majority of agents.
3. Scheduled-autonomous bias. 68% run on cron and 96.6% expose workflow_dispatch; only ~15% react to PRs and <2% to issues. This is a fleet of proactive agents, not reactive bots.
4. The smoke-* engine matrix is the heavyweight tier — the four largest files are all engine smoke tests, naturally exercising the broadest tool/config surface.
5. Good cron hygiene. Schedule minutes are spread out (few :00 collisions), reducing synchronized API load across the fleet.

Historical Trends (vs 2026-05-29)

Metric	2026-05-29	2026-05-30	Δ
Lockfile count	236	236	0
Total bytes	23,387,695	23,672,222	+284,527 (+1.2%)
Avg size	99,100	100,306	+1,206
Median size	98,289	99,530	+1,241
50–100 KB bucket	140	123	−17
100–250 KB bucket	96	113	+17

The fleet size held steady while every lockfile grew ~1.2 KB, pushing 17 workflows across the 100 KB threshold. Triggers, engines, MCP usage, and structural counts were otherwise identical — consistent with a uniform compiler/template change (likely the recent regeneration) rather than per-workflow edits.

Recommendations

1. Fix the v1 extractor gaps for safe-output types, discussion categories, and permission scopes — currently the three weakest sections. Bump to lockfile_stats_v2.py once the lock format mapping is corrected.
2. Investigate the +1.2 KB/file growth. A 1.2% daily increase compounds; confirm it's an intentional template change and not accidental bloat in the compiler scaffolding.
3. Audit the shared GitHub toolset. With ~30 GitHub tools injected into 126 workflows uniformly, verify each agent actually needs its full toolset — trimming unused tools would shrink lockfiles and reduce attack surface.
4. Track the 100 KB-crossing cohort. The 17 newly-promoted workflows are worth a size-regression check.

Methodology

Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parsed all 236 lockfiles in a single pass and emitted a ~4.7 KB JSON summary; all insights above derive from that summary plus the cached 2026-05-29 history snapshot. Limitation: safe-output, discussion-category, and permission-scope extraction returned empty under v1 and should be treated as not-captured (not as zero). 0 malformed/skipped files.

Generated by 📊 Lockfile Statistics Analysis Agent · opus48 635.8K · ◷

• expires on May 31, 2026, 8:36 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #36151.