[lockfile-stats] Lockfile Statistics Audit — 2026-06-09: 245 workflows, 27.0 MB, lockfile sizes climbing +9.4%/week

[github-actions[bot]]

Executive Summary

Audit of 245 compiled .github/workflows/*.lock.yml files on 2026-06-09 (0 malformed/skipped).

Metric	Value	7-day Δ (vs 2026-06-02)
Lockfiles	245	+7 (+2.9%)
Total size	27.04 MB	+2.31 MB (+9.4%)
Avg size	110.3 KB	+6.2%
Median size	109.9 KB	+6.1%
Largest	170.6 KB (smoke-copilot-aoai-apikey)	—
Smallest	72.3 KB (test-workflow)	—
Total jobs / steps / scripts	1,967 / 26,731 / 12,683	+63 / +1,546 / +602

Headline: lockfile byte footprint is growing ~3× faster than the workflow count — files are getting heavier. In one week, 52 workflows crossed the 100 KB threshold.

File Size Distribution

Bucket	2026-06-09	2026-06-02	Δ
100–250 KB	207 (84.5%)	148 (62.2%)	+59
50–100 KB	38 (15.5%)	90 (37.8%)	−52

Largest 10 lockfiles

Workflow	Size
smoke-copilot-aoai-apikey	170.6 KB
smoke-copilot	169.8 KB
smoke-claude	165.9 KB
smoke-copilot-arm	158.2 KB
smoke-codex	144.7 KB
mcp-inspector	141.5 KB
issue-monster	139.6 KB
deep-report	138.9 KB
cloclo	136.6 KB
daily-news	134.4 KB

Trigger Analysis

Trigger	Count	% of workflows
workflow_dispatch	237	96.7%
schedule	165	67.3%
pull_request	33	13.5%
issues	4	1.6%
issue_comment	2	0.8%
push	2	0.8%

Dominant combination: schedule + workflow_dispatch (161 workflows, 65.7%) — the canonical scheduled-agent shape. Manual-only (workflow_dispatch alone) accounts for 46; pull_request + workflow_dispatch for 26.

Cron cadence notes

Cron schedules are heavily spread across off-peak minutes (good jitter hygiene — almost no :00/:30 clustering). Most common cadences are daily (* * *) and weekday (* * 1-5); a handful run every 4–6 hours (*/4, */6).

Safe Outputs Analysis

⚠️ Schema gap: the current lockfile_stats_v1 summary returns an empty safe_output_types map (the v1 extractor does not reliably parse the compiled GITHUB_AW_SAFE_OUTPUTS config block). The last reliable capture (2026-05-20 baseline) showed the dominant configured types as: create_discussion & create_issue & missing_tool (≈all workflows), noop (227), add_comment (71), push_to_pull_request_branch (57), create_pull_request (56), add_labels (23), upload_assets (22). Recommend a v2 schema bump to restore this metric (see Recommendations).

Structural Characteristics

Metric	Min	Avg	Max	Max workflow
Jobs / workflow	5	8.03	12	firewall-escape
Steps / workflow	71	109.1	148	smoke-copilot

Step-per-workflow average rose from 105.8 → 109.1 in 7 days, consistent with the size growth — the compiler is emitting more per workflow.

Permission Patterns

All 245 workflows carry an empty top-level permissions: {} block — privileges are scoped at the job level, not repo-wide. This is a healthy least-privilege signature (no workflow grants blanket top-level write). The v1 summary does not break down per-job read/write grants.

Tool & MCP Patterns

MCP server	References	7-day Δ
github	6,552	flat
playwright	168	flat
sentry	64	−32
ruflo	16	flat
arxiv	6	flat
deepwiki	6	flat
grafana	0	−14 (removed)

The github MCP server overwhelmingly dominates. Notably, ~126 workflows each reference the identical full set of ~50 github tools (get_commit, get_file_contents, list_*, search_*, ...), suggesting workflows import the entire github toolset by default rather than scoping to the tools they use.

Interesting Findings

1. Size is outpacing count. Bytes grew +9.4%/week vs +2.9% workflow growth; 84.5% of lockfiles are now >100 KB (up from 62%). The 50–100 KB bucket lost 52 files to the 100–250 KB bucket in a single week.
2. Near-universal manual dispatch. 96.7% of workflows expose workflow_dispatch, and 65.7% pair it with a schedule — confirming the fleet is overwhelmingly scheduled-but-manually-overridable agents.
3. Monolithic github tool imports. The flat 126-workflow count across ~50 distinct github tools indicates blanket toolset imports — a concrete lever for shrinking lockfiles and narrowing token/permission surface.
4. Observability MCP churn. grafana (14 refs) disappeared and sentry dropped 96→64 week-over-week — an observability-tooling consolidation worth confirming with workflow owners.
5. Clean parse. 0/245 lockfiles malformed — the compiler is producing structurally consistent output across the whole fleet.

Historical Trends

Date	Lockfiles	Total	Avg size	>100 KB
2026-05-20	233	22.39 MB	96.1 KB	49 (21%)
2026-06-02	238	24.72 MB	103.9 KB	148 (62%)
2026-06-09	245	27.04 MB	110.3 KB	207 (85%)

Over 20 days: +12 workflows (+5.2%) but +4.65 MB (+20.8%) and avg size +14.8%. The share of >100 KB lockfiles quadrupled (21% → 85%). Per-workflow compiled size is on a clear, sustained upward trend.

Recommendations

1. Investigate compiled-size growth. Avg lockfile size is up ~15% in 20 days with only modest feature growth. Audit recent compiler changes for added boilerplate/repeated blocks; a +6 KB/workflow median jump in one week warrants a diff of the emitted template.
2. Scope github MCP tools per workflow. Replace blanket full-toolset imports with the minimal tool list each workflow actually calls — directly reduces lockfile size and token/permission surface.
3. Bump the analyzer to lockfile_stats_v2 to restore safe_output_types, discussion_categories, and per-job permission breakdowns (the v1 extractor returns these empty).
4. Confirm observability MCP changes (grafana removed, sentry −33%) with owners to ensure they were intentional consolidations, not regressions.

Methodology

Single-script compact JSON analysis: one cached analyzer (/tmp/gh-aw/cache-memory/scripts/lockfile_stats_v1.py) parsed all 245 lockfiles in one pass into a ≤5 KB summary; all statistics and trend deltas were derived from that JSON and from cached prior-day summaries in /tmp/gh-aw/cache-memory/history/ — no individual lockfiles were re-opened for analysis.

Generated by 📊 Lockfile Statistics Analysis Agent · 74.7 AIC · ⌖ 29.4 AIC · ⊞ 5.2K · ◷

• expires on Jun 10, 2026, 12:56 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #38438.