[lockfile-stats] Lockfile Statistics Audit — 2026-06-11

[github-actions[bot]]

Executive Summary

Analyzed 245 compiled .github/workflows/*.lock.yml files on 2026-06-11. 0 malformed/skipped. Total footprint 27,754,612 bytes (~26.5 MB), averaging ~110.6 KB per lockfile (median ~110.1 KB). Day-over-day, the corpus grew +425,512 bytes (+1.6%) with no change in workflow count — a uniform ~1–2 KB increase across nearly every lockfile, consistent with a shared template/action regeneration (cf. recent awf-reflect/OIDC api-proxy harness change).

Metric	Value	Δ vs 2026-06-10
Lockfiles	245	0
Total bytes	27,754,612	+425,512 (+1.6%)
Avg size	113,284 B	+1,737
Median size	112,737 B	+1,821
Max size	173,502 B	+1,864
Min size	74,072 B	+1,026
Jobs total	1,969	+2
Steps total	26,825	+17
Scripts total	12,766	+6

File Size Distribution

Bucket	Count	Δ
100–250 KB	214	+4
50–100 KB	31	-4

Four workflows crossed from the 50–100 KB band into 100–250 KB this cycle. Lockfiles are large because they are fully-expanded GitHub Actions YAML (inlined harness scripts + full MCP tool allow-lists).

Largest & smallest lockfiles

Largest: smoke-copilot-aoai-apikey (173.5 KB), smoke-copilot (172.9 KB), smoke-claude (169.7 KB), smoke-copilot-arm (160.7 KB), smoke-codex (148.5 KB), mcp-inspector (144.4 KB), deep-report (143.2 KB), issue-monster (142.3 KB), cloclo (140.0 KB), daily-news (136.9 KB).

Smallest: test-workflow (74.1 KB), example-permissions-warning (74.7 KB), codex-github-remote-mcp-test (75.6 KB), firewall (76.0 KB), ace-editor (83.4 KB).

Trigger Analysis

Trigger	Count
workflow_dispatch	237
schedule	165
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top trigger combinations: schedule+workflow_dispatch (161), workflow_dispatch only (46), pull_request+workflow_dispatch (26). Manual dispatch is near-universal (237/245, 96.7%). No day-over-day change in trigger topology.

Schedule cron frequencies

165 scheduled triggers, well-jittered (minute values spread across the hour to avoid fleet-wide :00 collisions). Most are daily (* * *); a cluster run weekday-only (1-5); a handful use */4 or */6 hourly intervals and one weekly 0 0 */7 * *. Only 7 cron expressions repeat (appear twice); the rest are unique.

Safe Outputs Analysis

The v1 analyzer reported no detectable top-level safe-output type keys in the compiled lockfiles (safe_output_types: {}). In these compiled artifacts, safe-output configuration is embedded inside inlined harness scripts/env rather than as scannable top-level YAML keys, so the heuristic does not surface them. This is a known limitation of the v1 schema, not a finding that workflows lack safe outputs — flagged below as a recommended schema improvement. Discussion-category detection was likewise empty for the same reason.

Structural Characteristics

Metric	Min	Avg	Max	Max workflow
Jobs / workflow	5	8.04	12	firewall-escape
Steps / workflow	72	109.49	148	smoke-copilot

Scripts (run steps) total 12,766 across the corpus (~52 per workflow). The tight min/max band (5–12 jobs, 72–148 steps) confirms all lockfiles are generated from a common compiler template with low structural variance.

Permission Patterns

All 245 workflows show an empty top-level permissions: {} block (permissions_top_level_kind: {"{}": 245}); per-key read/write permissions are set within job scopes that the v1 text heuristic did not classify (returned empty). Like safe-outputs, granular permission extraction is a v1 limitation.

Tool & MCP Patterns

MCP server	Occurrences
github	6,552
playwright	168
sentry	64
ruflo	16
grafana	14
arxiv	6
deepwiki	6

The GitHub MCP server dominates overwhelmingly — 6,552 references reflect the full read-only GitHub tool allow-list (get_, list_, search_*) being inlined into many workflows, with ~126 workflows each carrying the identical broad GitHub toolset. This inlined allow-list is the single biggest contributor to lockfile size.

Engine distribution: copilot 163 (66.5%), claude 63 (25.7%), codex 14 (5.7%), and one each of antigravity, crush, gemini, opencode, pi.

Timeout distribution

Timeout (min)	Count
16–30	325
31–60	278
6–15	119
≤5	16
>60	3

(Counts are per-job, so exceed 245.)

Interesting Findings

1. Uniform size creep. Every lockfile grew ~1–2 KB in one day with zero structural/topology change — a strong signal of a shared harness/template regeneration rather than per-workflow edits.
2. GitHub MCP allow-list is the dominant size driver. 6,552 github tool references (~126 workflows carrying an identical broad toolset) far outweigh all other MCP servers combined (~274). Pruning unused GitHub tools per workflow is the highest-leverage size reduction available.
3. Manual dispatch is effectively standard. 96.7% of workflows expose workflow_dispatch, almost always paired with a schedule — the fleet is built for both autonomous and on-demand operation.
4. Low structural variance. Jobs (5–12) and steps (72–148) cluster tightly, confirming a single compiler template; outliers (firewall-escape: 12 jobs, smoke-copilot: 148 steps) are explainable by their broader matrix/tooling.
5. Copilot-first fleet. Two-thirds of workflows target the copilot engine; the long tail of single-use engines (antigravity, crush, opencode, pi) suggests experimental/smoke coverage.

Historical Trends

22 daily summaries available (2026-05-20 → 2026-06-11). Comparing to the latest prior day (2026-06-10): the corpus is in a slow, steady growth phase — workflow count flat at 245, byte footprint rising ~1.6%/day this cycle driven by template regeneration, not new workflows. Trigger mix, engine distribution, and MCP server usage are stable.

Recommendations

1. Upgrade the analyzer to v2 to parse embedded harness blocks so safe-output types, discussion categories, and granular job-level permissions are captured (the v1 text heuristic returns empty for all three).
2. Audit the inlined GitHub MCP allow-list. ~126 workflows carry a broad identical github toolset; scoping each to the tools actually used would meaningfully cut the ~26.5 MB footprint.
3. Monitor the daily size creep. If the ~1.6%/day growth persists without workflow additions, investigate whether the shared template is accumulating avoidable boilerplate.

Methodology

Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parsed all 245 lockfiles in one pass and emitted a compact ~4.8 KB summary; all insights above are derived solely from that JSON plus the prior-day historical summary. 0 lockfiles skipped. Note: safe-output, discussion-category, and granular-permission counts are unavailable under the v1 schema (heuristic limitation, not absence).

Generated by 📊 Lockfile Statistics Analysis Agent · 73.7 AIC · ⌖ 11.9 AIC · ⊞ 5.2K · ◷

• expires on Jun 12, 2026, 1:06 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #38927.