[lockfile-stats] Lockfile Statistics Audit — 2026-06-10

[github-actions[bot]]

Executive Summary

Aggregate audit of all 245 agentic-workflow lockfiles (.github/workflows/*.lock.yml) as of 2026-06-10. 0 malformed/skipped files.

Metric	Value	Δ vs 2026-06-09
Lockfiles	245	0
Total size	26.06 MB (27,329,100 B)	+294,038 B (+1.1%)
Avg size	108.9 KB	+1.2 KB
Median size	108.3 KB	+0.9 KB
Min / Max	71.3 KB / 167.6 KB	+0.8 KB / +1.0 KB
Total jobs / steps / scripts	1,967 / 26,808 / 12,760	0 / +77 / +77

Lockfiles are large, machine-generated GitHub Actions YAML: every workflow lands between 71 KB and 168 KB, with very tight structural uniformity (avg ~8 jobs and ~109 steps each). The corpus grew modestly overnight — no net workflow added/removed, but pervasive small expansions (steps and scripts each +77) nudged total bytes up.

File Size Distribution

Bucket	Count	Δ
100–250 KB	210	+3
50–100 KB	35	−3

Largest & smallest workflows

Largest: smoke-copilot-aoai-apikey (167.6 KB), smoke-copilot (167.0 KB), smoke-claude (163.9 KB), smoke-copilot-arm (155.4 KB), smoke-codex (143.2 KB), mcp-inspector (139.2 KB), deep-report (137.7 KB), issue-monster (137.2 KB), cloclo (135.2 KB), daily-news (132.3 KB).

Smallest: test-workflow (71.3 KB), example-permissions-warning (72.0 KB), codex-github-remote-mcp-test (72.8 KB), firewall (73.2 KB), ace-editor (80.4 KB).

Trigger Analysis

Trigger	Count
workflow_dispatch	237
schedule	165
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top combinations: schedule + workflow_dispatch (161), workflow_dispatch only (46), pull_request + workflow_dispatch (26).

The dominant pattern is a scheduled job with a manual-dispatch escape hatch (161/245, 66%). Of 165 scheduled workflows the cron cadence skews daily; a handful are weekday-only (* * 1-5), every-6-hours (*/6), or weekly. 237/245 (97%) expose workflow_dispatch.

Safe Outputs Analysis

The current analyzer (lockfile_stats_v1) did not resolve safe-output type counts or discussion-category counts from the compiled lockfiles — both buckets returned empty. This is a known detection gap in the v1 script against the current lockfile format (the safe-output config is embedded in a form the v1 regex no longer matches), not an absence of safe outputs in the repo. Flagged under Recommendations for a v2 schema bump.

Structural Characteristics

Metric	Min	Max	Avg
Jobs / workflow	5	12	8.03
Steps / workflow	72	148	109.42

• Most jobs: firewall-escape (12). Most steps: smoke-copilot (148).
• Totals: 1,967 jobs, 26,808 steps, 12,760 run-scripts across the corpus.
• Structural uniformity is high — the compiler emits a near-constant scaffold per workflow, so byte size tracks payload (prompt + tool config) rather than structure.

Permission Patterns

Top-level permissions resolved as empty ({}) for all 245 workflows in this run, and read/write scope distributions came back empty. This reflects the gh-aw model where job-level permissions are emitted per-job rather than at the top level; the v1 analyzer keys on top-level permissions only. Treat as not measured this run rather than "no permissions." Flagged under Recommendations.

Timeout Distribution

Bucket (min)	Count	Δ
≤5	16	0
6–15	119	−245
16–30	325	0
31–60	278	+245
>60	3	0

The most striking overnight change: ~245 timeout declarations shifted from the 6–15 min bucket into the 31–60 min bucket (one per workflow, given 245 workflows). This is consistent with a compiler/default change raising a per-workflow timeout-minutes default. Worth confirming this was intentional.

Tool & MCP Patterns

MCP server	References	Δ
github	6,552	0
playwright	168	0
sentry	64	0
ruflo	16	0
grafana	14	new
arxiv	6	0
deepwiki	6	0

GitHub MCP dominates overwhelmingly. A new grafana MCP server (14 references) appeared since yesterday. The GitHub read-tool surface is uniformly broad: 30+ github::* read tools each appear in exactly 126 workflows — i.e. roughly half the corpus shares an identical GitHub read-tool allowlist.

Interesting Findings

1. Uniform timeout bump (+245 in 31–60 min): a single default appears to have moved one tier up across every workflow overnight — a corpus-wide compiler/config change, not organic drift.
2. New grafana MCP integration: first appearance of the grafana MCP server (14 refs), signaling new observability tooling entering the agentic fleet.
3. The "126 club": ~30 distinct github::* read tools each appear in exactly 126 workflows — strong evidence of a shared, copy-forward GitHub read-tool preset across ~51% of workflows.
4. Copilot-led engine mix: copilot 163, claude 63, codex 14, plus singletons (antigravity, crush, gemini, opencode, pi) — these sum to exactly 245, so the heuristic cleanly partitions one engine per workflow; copilot powers 67%.
5. Three workflows crossed 100 KB overnight with zero net file churn — growth is in payload, not new automations.

Historical Trends (vs 2026-06-09)

22 daily snapshots are retained (2026-05-20 → 2026-06-10). Day-over-day:

• Size: total +1.1%, avg/median/min/max all up ~1 KB — steady incremental growth.
• Structure: jobs flat (1,967); steps & scripts each +77.
• Buckets: +3 workflows into 100–250 KB.
• Timeouts: the 245-declaration shift noted above (6–15 → 31–60 min).
• MCP: grafana added (+14 refs).
• Triggers, engines, job counts: unchanged.

Recommendations

1. Confirm the timeout default change — verify the corpus-wide shift into the 31–60 min bucket was an intentional compiler/config update, not an accidental default.
2. Bump the analyzer to lockfile_stats_v2 to restore three currently-blind metrics against the present lockfile format: safe-output type counts, discussion-category counts, and per-job permission read/write distribution.
3. Audit the shared "126-tool" GitHub allowlist — half the fleet ships an identical broad read-tool preset; consider trimming per-workflow to least-privilege.
4. Track the new grafana MCP server in subsequent audits to see whether adoption spreads.

Methodology

Single-script compact JSON analysis: one cached Python analyzer (/tmp/gh-aw/cache-memory/scripts/lockfile_stats_v1.py) parsed all 245 lockfiles in one pass and emitted a ~4.7 KB summary JSON; all reasoning and trend deltas derive solely from that summary plus the prior-day snapshot. No individual lockfiles were opened during analysis.

References: §27306221849

Generated by 📊 Lockfile Statistics Analysis Agent · 87.1 AIC · ⌖ 13.1 AIC · ⊞ 5.2K · ◷

• expires on Jun 11, 2026, 1:11 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #38727.