[lockfile-stats] Lockfile Statistics Audit — 2026-06-15 (249 workflows, 28.3 MB)

[github-actions[bot]]

Executive Summary — Lockfile Statistics (2026-06-15)

Analysis of 249 compiled .github/workflows/*.lock.yml files (0 malformed/skipped).

Metric	Value
Lockfiles	249
Total size	28.3 MB (29,672,970 bytes)
Avg / Median size	116.4 KB / 115.6 KB
Min / Max size	77.0 KB (test-workflow) / 174.2 KB (smoke-copilot-aoai-entra)
Total jobs / steps / scripts	2,002 / 28,773 / 12,978
Engines in use	8 distinct

File Size Distribution

Bucket	Count
100–250 KB	239
50–100 KB	10

Lockfiles are large and tightly clustered (avg ≈ median ≈ 116 KB) — generated boilerplate dominates per-file size. Only 10 files fall below 100 KB.

Largest 5 lockfiles

File	KB
smoke-copilot-aoai-entra	174.2
smoke-copilot-aoai-apikey	173.8
smoke-copilot	173.1
smoke-claude	171.1
smoke-copilot-arm	161.2

Trigger Analysis

Trigger	Workflows
workflow_dispatch	241
schedule	167
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pr_review_comment	1 each

Top trigger combinations: schedule+workflow_dispatch (163), workflow_dispatch only (48), pull_request+workflow_dispatch (26). Manual dispatch is nearly universal (241/249 = 96.8%), and scheduled automation is the dominant pattern (167 workflows). Cron schedules are well-distributed across the clock (no thundering-herd on :00); most common cadences are daily (* * *) and weekday (* * 1-5).

Safe Outputs Analysis

The v1 analyzer schema did not populate safe_output_types or discussion_categories for this run (both empty) — these are embedded in engine-specific prompt blocks the current parser does not index. See Methodology for the limitation. This is flagged for a v2 schema bump rather than inferred here.

Structural Characteristics

Metric	Min	Avg	Max	Max file
Jobs / workflow	5	8.0	12	firewall-escape
Steps / workflow	78	115.6	154	smoke-copilot

Scripts total 12,978 (~52 per workflow). The high, narrow step counts again reflect generated scaffolding rather than authored complexity.

Permission Patterns

Top-level permissions resolved to {} for all 249 files — permissions are declared at job scope in generated lockfiles, so the top-level read/write distribution is empty by design. Per-job permission extraction is a candidate for the next schema version.

Tool & MCP Patterns

MCP server	Occurrence freq
github	6,656
playwright	168
sentry	96
grafana	28
ruflo	16
arxiv / deepwiki	6 each

GitHub MCP dominates overwhelmingly. The top GitHub tools (get_*, list_*, issue_read, etc.) each appear in ~128 workflows — a shared read-only toolset is injected consistently across the fleet.

Engine distribution:

Engine	Workflows
copilot	166
claude	64
codex	14
antigravity / crush / gemini / opencode / pi	1 each

Interesting Findings

1. Copilot is the fleet majority (166/249 = 66.7%), with Claude second (64, 25.7%); five experimental engines each have a single workflow.
2. Smoke-test workflows are the heaviest — the 6 largest files are all smoke-*, driven by multi-engine credential matrices.
3. 96.8% expose workflow_dispatch — manual re-run is treated as a baseline capability across the repo.
4. Cron scheduling is jitter-friendly — no schedule lands on :00; minutes are spread (e.g. 49 14, 23 11, 38 3), avoiding API bursts.
5. Observability MCP servers are growing — sentry (+50%) and grafana (+100%) day-over-day (see trends).

Historical Trends

vs 2026-06-14 (prior day) and 2026-06-08 (7 days ago):

Metric	06-08	06-14	06-15	Δ day	Δ week
Lockfiles	247	246	249	+3	+2
Total bytes	27.74 MB	28.90 MB	29.67 MB	+2.7%	+7.0%
Avg size (KB)	—	114.7	116.4	+1.7	—
Jobs total	—	1,979	2,002	+23	—
Steps total	—	28,448	28,773	+325	—
copilot engine	164	164	166	+2	+2
claude engine	64	63	64	+1	0
sentry MCP	—	64	96	+32	—
grafana MCP	—	14	28	+14	—

Steady fleet growth (+3 workflows, +0.78 MB day-over-day). The standout is observability tooling expansion (sentry/grafana MCP usage). 26 days of history are retained (2026-05-20 → 2026-06-15).

Recommendations

1. Bump analyzer to v2 to extract job-scoped permissions, safe-output types, and discussion categories — currently the three blind spots in the report.
2. Investigate lockfile size growth (+7%/week). At 28 MB across 249 files, generated boilerplate is the main driver; consider whether shared scaffolding can be trimmed at compile time.
3. Audit single-workflow experimental engines (antigravity, crush, gemini, opencode, pi) — confirm they are intentional pilots, not stale artifacts.
4. Track observability MCP adoption — the sharp sentry/grafana increase suggests a deliberate monitoring push worth documenting.

Methodology

Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parsed all 249 lockfiles in one pass and emitted a 4.8 KB compact summary; all reasoning derives from that JSON plus 26 retained daily snapshots. Known limitations (v1 schema): safe-output types, discussion categories, and top-level permission read/write are not populated because they live in job-scoped or engine-specific prompt blocks the v1 parser does not index — these are flagged for a v2 bump, not inferred.

Generated by 📊 Lockfile Statistics Analysis Agent · 75.1 AIC · ⌖ 11.1 AIC · ⊞ 4.5K · ◷

• expires on Jun 16, 2026, 1:20 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #39683.