[lockfile-stats] Lockfile Statistics Audit — 2026-06-04 (240 workflows, 25.2 MB)

[github-actions[bot]]

Executive Summary

Snapshot of 240 compiled workflow lock files (.github/workflows/*.lock.yml) on 2026-06-04. 0 malformed/skipped. Combined size 25.16 MB (avg 102.4 KB, median 102.1 KB, range 66.4 KB–160.7 KB). Net change since 2026-06-03: +1 workflow, +287 KB.

Metric	Value	Δ vs 06-03
Lock files	240	+1
Total bytes	25,160,042	+294,173
Avg size	104,833 B	+792
Median size	104,558 B	+745
Largest	smoke-copilot (164,530 B)	(was smoke-claude 189,340)
Smallest	test-workflow (68,026 B)	+951

File Size Distribution

Bucket	Count	Δ
100–250 KB	159	+10
50–100 KB	81	−9

Largest & smallest lock files

Largest: smoke-copilot (164.5 KB), smoke-claude (161.1 KB), smoke-copilot-arm (152.9 KB), smoke-codex (139.5 KB), mcp-inspector (136.4 KB), issue-monster (134.4 KB), deep-report (133.7 KB), cloclo (131.5 KB), daily-news (129.2 KB), daily-performance-summary (127.3 KB).

Smallest: test-workflow (68.0 KB), example-permissions-warning (68.8 KB), codex-github-remote-mcp-test (68.9 KB), firewall (70.0 KB), ace-editor (77.6 KB).

Trigger Analysis

Trigger	Workflows
workflow_dispatch	232
schedule	162
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Dominant combination: schedule + workflow_dispatch (158 = 66%), then bare workflow_dispatch (44) and pull_request + workflow_dispatch (26). 162 workflows are scheduled; cron minutes are consistently jittered off :00/:30 (e.g. 49 14 * * 1-5, 23 11 * * *) — a healthy practice that spreads API load.

Safe Outputs Analysis

The current lockfile_stats_v1 schema does not extract safe-output type or discussion-category fields from the compiled YAML (they are emitted as embedded JS rather than top-level YAML keys), so per-type counts are unavailable this run. Recommend bumping to v2 to parse the embedded safe_outputs config block and restore this section.

Structural Characteristics

Metric	Total	Avg	Min	Max
Jobs	1,917	7.99	5	12 (firewall-escape)
Steps	25,373	105.7	69	145 (smoke-copilot)
Run scripts	12,182	50.8	—	—

Day-over-day: +6 jobs, +88 steps, +51 run-scripts — consistent with one added workflow. Lock files are large because each compiles to ~106 steps of embedded runtime/MCP scaffolding.

Permission Patterns

All 240 lock files declare an empty top-level permissions: {} block — permissions are scoped per-job (least-privilege at the agent-job level) rather than granted workflow-wide. This is a sound security posture; no workflow grants broad top-level write.

Tool & MCP Patterns

MCP server	Reference count
github	6,552
playwright	168
sentry	96
ruflo	16
grafana	14
arxiv	6
deepwiki	6

The github MCP dominates. 126 workflows expose the full github toolset — every read tool (get_commit, get_file_contents, issue_read, list_*, etc.) appears in exactly 126 lock files, indicating a shared default allowlist rather than per-workflow tailoring.

Interesting Findings

1. smoke-claude shrank ~15% (189,340 → 161,137 B) and lost the "largest" crown to smoke-copilot (164,530 B) — likely a runtime/scaffolding trim in the Claude smoke path.
2. 66% of workflows are scheduled-and-dispatchable (schedule + workflow_dispatch), confirming this repo is predominantly a fleet of autonomous daily agents.
3. github MCP is near-universal with 6,552 references; 126 workflows ship the identical full read-toolset — a candidate for least-privilege trimming.
4. Engine mix is copilot-led: copilot 158 (66%), claude 63 (26%), codex 14 (6%), plus singletons (antigravity, crush, gemini, opencode, pi).
5. Permissions are uniformly empty at top level across all 240 files — per-job scoping is consistently applied.

Historical Trends (06-03 → 06-04)

Metric	06-03	06-04	Δ
Lock files	239	240	+1
Total MB	24.87	25.16	+0.29
Scheduled	161	162	+1
workflow_dispatch	231	232	+1
Jobs total	1,911	1,917	+6
Steps total	25,285	25,373	+88
copilot engine	157	158	+1

A single new copilot-engine, schedule+dispatch workflow accounts for the entire day's delta. All other distributions are stable.

Recommendations

1. Bump analyzer to v2 to recover safe-output type and discussion-category metrics from the embedded config block.
2. Trim the shared github toolset — 126 workflows ship the full read-toolset; scoping per workflow would shrink lock files and reduce surface area.
3. Monitor smoke-test lock growth — the four smoke-* files (139–165 KB) lead size; track them as a regression signal.
4. Keep the jittered cron + per-job permission patterns — both are already healthy; no change needed.

Methodology

Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parses all 240 lock files in a single pass into a ≤50 KB JSON summary; all reporting and trend deltas derive from that summary plus the prior-day history snapshot. No per-file reads were performed during analysis.

Generated by 📊 Lockfile Statistics Analysis Agent · opus48 3.4M · ◷

• expires on Jun 5, 2026, 8:57 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #37194.