[lockfile-stats] Lockfile Statistics Audit — 2026-05-31

[github-actions[bot]]

Executive Summary

Analysis of all 237 compiled .github/workflows/*.lock.yml files as of 2026-05-31 (0 malformed/skipped).

Metric	Value	Δ vs 2026-05-30
Lock files	237	+1
Total size	22.90 MB (24,014,921 B)	+342,699 B (+1.4%)
Average size	98.95 KB	+1,022 B
Median size	97.88 KB	+694 B
Smallest	63.02 KB (test-workflow)	—
Largest	178.12 KB (smoke-claude)	+536 B
Total jobs	1,900	+8
Total steps	24,821	+177

Lock files are uniformly large (every file falls between 63 KB and 178 KB); none are small. The size floor is driven by embedded MCP tool catalogs and boilerplate rather than per-workflow logic.

File Size Distribution

Bucket	Count	Δ
50–100 KB	116	−7
100–250 KB	121	+8

The distribution shifted measurably toward the larger bucket since yesterday (+8 files crossed 100 KB), consistent with the overall byte growth.

10 largest lock files

Workflow	Size
smoke-claude	178.1 KB
smoke-copilot	151.8 KB
smoke-copilot-arm	142.6 KB
smoke-codex	129.6 KB
mcp-inspector	128.9 KB
issue-monster	127.4 KB
deep-report	127.2 KB
cloclo	127.0 KB
daily-news	122.2 KB
daily-performance-summary	119.7 KB

The four largest are multi-engine smoke tests, which embed the broadest tool surface.

Trigger Analysis

Trigger	Workflows	Share
workflow_dispatch	229	96.6%
schedule	161	67.9%
pull_request	35	14.8%
issues	4	1.7%
issue_comment	2	0.8%
push	2	0.8%

Nearly every workflow is manually dispatchable. The dominant pattern is the scheduled-agent shape.

Top trigger combinations

Combination	Count
schedule + workflow_dispatch	157
workflow_dispatch (only)	40
pull_request + workflow_dispatch	28
pull_request (only)	3

66% of all workflows use the exact schedule + workflow_dispatch pair. 161 workflows carry a cron schedule, spread across many distinct minute offsets (most appear 1–2× — good for avoiding thundering-herd scheduling at :00).

Safe Outputs Analysis

The v1 analyzer does not resolve safe_output_types or discussion_categories from the compiled lock files (yaml_available=false; both maps are empty for all 237 files). Safe-output configuration is embedded in the compiled runtime sections rather than a parseable top-level block. This is a known limitation of compact regex analysis over compiled artifacts and is flagged for a v2 schema bump if this dimension becomes a priority — it is not evidence that workflows lack safe outputs.

Structural Characteristics

Metric	Min	Avg	Max	Max holder
Jobs / workflow	5	8.02	12	firewall-escape
Steps / workflow	69	104.7	142	smoke-copilot

Totals: 1,900 jobs, 24,821 steps, 11,973 inline scripts across the fleet. Step count is remarkably uniform (avg ~105), reflecting a shared compilation template.

Permission Patterns

All 237 lock files have an empty top-level permissions: {} block. Permissions are scoped at the job level in the compiled output, so no top-level read/write distribution is observable. This is a consistent, intentional pattern across the entire fleet (least-privilege at job granularity).

Tool & MCP Patterns

MCP Server	Reference count	Δ
github	6,656	+104
playwright	168	—
sentry	96	—
ruflo	16	new
grafana	14	—
arxiv	6	—
deepwiki	6	—

Engine distribution:

Engine	Count	Share
copilot	154	65.0%
claude	64	27.0%
codex	14	5.9%
antigravity / crush / gemini / opencode / pi	1 each	<1%

Job-level timeout distribution

Bucket (min)	Jobs
≤5	14
6–15	351
16–30	314
31–60	31
>60	3

Most jobs cap at 30 minutes; only 3 exceed an hour.

Interesting Findings

1. The GitHub MCP server dominates the tool surface — referenced 6,656 times (~28 tool entries per workflow on average). It is the single largest contributor to lock-file size and the primary lever for shrinking compiled artifacts (tool-allowlist trimming).
2. A new MCP integration landed today — ruflo appeared with 16 references, absent in the 2026-05-30 snapshot. This is the most notable structural change in the last 24h.
3. Uniformity is striking — steps/workflow clusters tightly around 105 and every file sits in a narrow 63–178 KB band, evidence that file size is template-driven, not logic-driven.
4. Copilot is the default engine (65%), with Claude a strong second (27%); six other engines appear exactly once (smoke/experimental coverage).
5. Schedule offsets are well-distributed — cron minutes are spread across many odd offsets rather than clustering on :00, which avoids synchronized fleet wake-ups.

Historical Trends (vs 2026-05-30)

Dimension	05-30	05-31	Δ
Lock files	236	237	+1
Total bytes	22.58 MB	22.90 MB	+342,699 B
Avg size	97.95 KB	98.95 KB	+1,022 B
100–250 KB bucket	113	121	+8
Claude engine	63	64	+1
GitHub MCP refs	6,552	6,656	+104
Total steps	24,644	24,821	+177

One new Claude-engine workflow was added, pulling total size, step count, and GitHub MCP references up proportionally. 11 days of history are retained in cache (2026-05-20 → 2026-05-31).

Recommendations

1. Audit the ruflo integration — a net-new MCP server should be confirmed as intentional and least-privilege.
2. Trim GitHub MCP tool allowlists where full toolsets are not needed; this is the highest-leverage way to reduce the 100–250 KB tail.
3. Track the size-bucket drift — the +8 shift into 100–250 KB in one day is worth monitoring; if it persists, compiled-output growth may need attention.
4. Consider a v2 analyzer if safe-output and permission granularity become reporting priorities, since the compiled artifacts hide those from regex extraction.

---

Methodology: single-script compact JSON analysis. All 237 lock files were parsed in one cached analyzer run (lockfile_stats_v1.py) producing a ~5 KB JSON summary; all figures above derive from that summary and the prior-day cached snapshot. 0 files were malformed.

Generated by 📊 Lockfile Statistics Analysis Agent · opus48 695.5K · ◷

• expires on Jun 1, 2026, 8:39 PM UTC