[lockfile-stats] Lockfile Statistics Audit — 2026-06-08

[github-actions[bot]]

Executive Summary

Analysis of 247 compiled workflow lockfiles (.github/workflows/*.lock.yml) as of 2026-06-08. 0 files were malformed/skipped.

Metric	Value	Δ vs 2026-06-07
Lockfiles	247	+2
Total size	27.74 MB (27,740,372 B)	+703 KB (+2.6%)
Average size	112.3 KB	+1.9 KB
Median size	111.8 KB	+1.9 KB
Min / Max	73.6 KB / 172.9 KB	+1.4 / +2.3 KB

The corpus grew by 2 workflows and ~0.7 MB in one day. Lockfiles are large and uniform (every file is 50–250 KB), reflecting the substantial boilerplate the compiler injects per workflow.

File Size Distribution

Bucket	Count	Δ
100–250 KB	214	+6
50–100 KB	33	-4

Four workflows crossed from the 50–100 KB band into 100–250 KB, consistent with the corpus-wide size creep.

Largest & smallest lockfiles

Largest: smoke-copilot-aoai-apikey (172.9 KB), smoke-copilot (172.1 KB), smoke-claude (168.1 KB), smoke-copilot-arm (160.1 KB), smoke-codex (147.0 KB), mcp-inspector (143.5 KB), issue-monster (141.9 KB), deep-report (141.2 KB), cloclo (138.5 KB), daily-news (136.4 KB).

Smallest: test-workflow (73.6 KB), codex-github-remote-mcp-test (74.3 KB), example-permissions-warning (74.3 KB), firewall (75.5 KB), ace-editor (83.0 KB).

The smoke-* family dominates the top end — multi-engine smoke tests carry the most generated scaffolding.

Trigger Analysis

Trigger	Count
workflow_dispatch	239
schedule	167
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top combinations: schedule+workflow_dispatch (163), workflow_dispatch only (46), pull_request+workflow_dispatch (26).

Nearly all workflows (239/247, 97%) expose manual workflow_dispatch, and 167 are scheduled — confirming this is a primarily cron-driven agentic fleet with a manual-trigger safety valve. 30 distinct cron expressions are in use; most are unique daily times, with a cluster on weekday business hours (* * 1-5).

Safe Outputs Analysis

Safe-output type and discussion-category extraction returned empty this run. The analyzer parses lockfiles as text (PyYAML unavailable in the runtime, yaml_available: false), and the current v1 text patterns do not match how safe-output config is emitted in compiled lockfiles. This is a known analyzer limitation, not an absence of safe outputs — flagged below as a recommendation.

Structural Characteristics

Metric	Total	Per-workflow (min/avg/max)
Jobs	1,979	5 / 8.0 / 12
Steps	26,908	71 / 108.9 / 148
Scripts (run:)	12,786	—

• Most jobs: firewall-escape (12)
• Most steps: smoke-copilot (148)
• Day-over-day: +14 jobs, +193 steps, +90 scripts.

Every lockfile carries a heavy, consistent step count (avg ~109), which explains the uniform large file sizes.

Permission Patterns

Top-level permissions resolved to empty ({}) for all 247 lockfiles — permissions are scoped per-job rather than at workflow root. Per-job read/write extraction was not captured by the v1 text patterns (same YAML-parsing limitation as safe outputs).

Timeout & Engine Patterns

Timeout distribution (per job):

Range (min)	Jobs
6–15	366
16–30	330
31–60	32
<=5	16
>60	3

Most jobs cap out in a sensible 6–30 minute window; only 3 jobs exceed 60 minutes.

Engine distribution (one per workflow):

Engine	Count	Δ
copilot	164	+2
claude	64	—
codex	14	—
antigravity / crush / gemini / opencode / pi	1 each	—

Copilot powers 66% of the fleet; Claude 26%. Both new workflows today are Copilot-based.

Tool & MCP Patterns

MCP server references (by occurrence):

Server	Occurrences
github	6,656
playwright	168
sentry	96
ruflo	16
grafana	14
arxiv	6
deepwiki	6

The GitHub MCP server is ubiquitous. The most-referenced GitHub tools (128 occurrences each) are read operations: get_commit, get_file_contents, get_pull_request*, issue_read, list_commits, get_workflow_run*, and the various alert readers (code-scanning, dependabot, secret-scanning) — consistent with a read-only GitHub MCP surface.

Interesting Findings

1. Uniform bloat: No lockfile is under 73 KB and the median sits at ~112 KB; per-workflow user logic is small relative to the ~109 generated steps every file carries.
2. Manual-trigger near-universality: 239/247 (97%) expose workflow_dispatch, and 163 pair it with schedule — the dominant pattern is "scheduled + manually runnable."
3. Smoke tests are the heavyweights: the four largest files are all smoke-* multi-engine tests (160–173 KB), carrying the most scaffolding.
4. Steady daily growth: +2 workflows / +0.7 MB / +193 steps in 24h — the fleet is actively expanding while per-workflow averages stay flat (avg steps 109.0→108.9), i.e. growth is new workflows, not heavier ones.
5. Engine concentration: 92% of workflows run on just two engines (copilot + claude); six other engines appear exactly once each, likely smoke/compat coverage.

Historical Trends

Comparing 2026-06-07 → 2026-06-08:

Metric	06-07	06-08	Δ
Lockfiles	245	247	+2
Total bytes	27.04 MB	27.74 MB	+2.6%
Avg size	110.4 KB	112.3 KB	+1.8%
Jobs	1,965	1,979	+14
Steps	26,715	26,908	+193
Scripts	12,696	12,786	+90
copilot engine	162	164	+2

Trend is monotonic, low-volatility growth. Trigger mix, cron set, MCP usage, and timeout distribution were essentially stable.

Recommendations

1. Fix safe-output & permission extraction (analyzer v2): the v1 text patterns miss safe-output types, discussion categories, and per-job permissions because PyYAML is unavailable. Bump to lockfile_stats_v2.py with regex patterns matched to the compiled lockfile format, or vendor a minimal YAML parse, to restore those sections.
2. Investigate size creep: ~0.7 MB/day across 247 files is generated-scaffolding growth. If a recent compiler change added per-workflow boilerplate, consider deduplicating shared steps to keep lockfiles reviewable.
3. Audit the 3 >60-min jobs: confirm long timeouts are intentional and not masking hangs.

Methodology

Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parsed all 247 lockfiles in a single pass and emitted a ~4.7 KB compact JSON summary; all reasoning and trend deltas derive from that summary plus the prior-day snapshot in cache-memory. No lockfiles were opened individually for analysis.

References: §27166710157

Generated by 📊 Lockfile Statistics Analysis Agent · 72.3 AIC · ⌖ 13.2 AIC · ⊞ 5.4K · ◷

• expires on Jun 9, 2026, 1:07 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #38211.