[lockfile-stats] Lockfile Statistics Audit — 2026-06-05

[github-actions[bot]]

Summary

Analysis of all 240 compiled .github/workflows/*.lock.yml files (0 skipped). Total footprint 24.3 MB (25,492,113 bytes), averaging ~104 KB per lockfile (median ~103 KB). The corpus is dominated by scheduled agentic workflows on the copilot engine, with GitHub MCP tooling present in nearly every file.

Metric	Value
Lockfiles	240
Total size	24.3 MB
Avg / Median	106,217 B / 105,859 B
Min / Max	68,410 B (test-workflow) / 165,831 B (smoke-copilot)
Jobs (total / avg / max)	1,923 / 8.0 / 12 (firewall-escape)
Steps (total / avg / max)	25,670 / 107.0 / 146 (smoke-copilot)
run: blocks (total)	12,192

File Size Distribution

Bucket	Count
100-250 KB	173
50-100 KB	67

Lockfiles are large and tightly clustered (68-166 KB), consistent with a shared compilation template; ~72% exceed 100 KB.

Largest & smallest lockfiles

Largest: smoke-copilot (162 KB), smoke-claude (159 KB), smoke-copilot-arm (151 KB), smoke-codex (138 KB), mcp-inspector (134 KB).

Smallest: test-workflow (67 KB), example-permissions-warning (68 KB), codex-github-remote-mcp-test (68 KB), firewall (69 KB), ace-editor (76 KB).

Trigger Analysis

Trigger	Count
workflow_dispatch	232
schedule	162
pull_request	33
issues	4
issue_comment	2
push	2

Top combinations: schedule+workflow_dispatch (158), workflow_dispatch only (44), pull_request+workflow_dispatch (26). The overwhelming pattern is a scheduled cron job with a manual-dispatch escape hatch. 232/240 (97%) expose workflow_dispatch. Cron times are well-spread across the day/week with no obvious thundering-herd collisions.

Safe Outputs Analysis

Safe-output type and discussion-category counts could not be extracted this run (structured YAML parsing unavailable — see Methodology). The structural parser found no top-level safe-output config; these are configured per-job in this corpus.

Structural Characteristics

• Jobs/workflow: min 5, avg 8.0, max 12 (firewall-escape).
• Steps/workflow: min 69, avg 107.0, max 146 (smoke-copilot).
• High step counts reflect the standard agentic harness (setup, engine, MCP, safe-output, upload steps) compiled into every file.

Permission Patterns

Top-level permissions resolved to an empty map ({}) in all 240 files via the structural parser — permissions are applied per-job rather than at the workflow top level. Read/write key breakdowns could not be extracted this run (see Methodology).

Tool & MCP Patterns

MCP server	Reference count
github	6,552
playwright	168
sentry	96
ruflo	16
grafana	14
arxiv	6
deepwiki	6

GitHub MCP is effectively universal; ~126 of its read tools (e.g. get_pull_request, list_commits, issue_read) each appear in ~126 lockfiles — the standard read-only GitHub allow-list. Engine distribution: copilot 158, claude 63, codex 14, plus singletons (antigravity, crush, gemini, opencode, pi).

Interesting Findings

1. Copilot is the default engine — 66% (158/240) of workflows, more than 2x claude (63).
2. Scheduled-agent monoculture — 158 workflows share the exact schedule+workflow_dispatch shape; automation here is overwhelmingly time-driven, not event-driven.
3. Size floor is high — even the smallest lockfile is 67 KB, so the compiled harness baseline dominates file size far more than workflow-specific logic.
4. GitHub MCP read-allowlist is boilerplate — the uniform ~126-count across dozens of read tools shows a templated tool block, not per-workflow tuning.
5. Long tail of experimental engines — six engines appear exactly once, indicating active engine experimentation alongside the copilot/claude mainline.

Historical Trends (vs 2026-06-04)

Metric	Prev	Current	Delta
Lockfiles	240	240	0
Total bytes	25,160,042	25,492,113	+332,071
Avg bytes	104,833	106,217	+1,384
Steps total	25,373	25,670	+297
Jobs total	1,917	1,923	+6
run: blocks	12,182	12,192	+10

Workflow count is flat, but every lockfile grew slightly (+332 KB aggregate, +297 steps) — consistent with a compiler/template change adding steps uniformly rather than new workflows being added. Engine distribution unchanged.

Recommendations

1. Investigate the uniform growth — confirm the day-over-day increase (~+1.4 KB and ~+1.2 steps per file) is an intentional harness change, not template bloat.
2. Audit the GitHub MCP read-allowlist — if many workflows do not use the full ~126-tool read set, trimming per-workflow would shrink lockfiles and reduce attack surface.
3. Track engine sprawl — formalize or sunset the single-use experimental engines to avoid maintenance drift.

Methodology

Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parsed all 240 lockfiles in one pass into a ~5 KB summary; all insights derive from that JSON plus prior-day history. Limitation: structured YAML parsing was unavailable this run, so safe-output type counts, discussion-category counts, and permission read/write key breakdowns are not reported. 0 lockfiles were skipped for size/parse errors.

Generated by 📊 Lockfile Statistics Analysis Agent · agent 83.9 AIC · threat-detection 11.4 AIC · ◷

• expires on Jun 6, 2026, 8:52 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #37397.