Audit of all .github/workflows/*.lock.yml files in github/gh-aw. Single-script compact JSON analysis; day-over-day deltas vs 2026-06-15.
Executive summary
| Metric | Value | Δ vs 2026-06-15 |
|---|---|---|
| Lockfiles | 249 | 0 |
| Malformed/skipped | 0 | 0 |
| Total size | 28.2 MB (29,613,640 B) | −59,330 B (−0.2%) |
| Avg size | 118,930 B | −238 B |
| Median size | 118,269 B | −119 B |
| Min / Max | 78,429 / 178,467 B | leaner |
| Jobs (total) | 2,002 | 0 |
| Steps (total) | 28,279 | −494 |
| Script blocks (total) | 12,483 | −495 |
The corpus is stable in count but got marginally leaner: identical job count (2,002) while steps and script blocks both dropped ~500, i.e. step-level trimming in regenerated lockfiles.
File size distribution
| Bucket | Count |
|---|---|
| 100–250 KB | 238 |
| 50–100 KB | 11 |
95.6% of lockfiles fall in 100–250 KB — generated boilerplate dominates and sizes are tightly clustered (avg ≈ median ≈ 118 KB). One file shifted from the 100–250 KB into the 50–100 KB bucket since yesterday.
Trigger analysis
Top combinations: schedule+workflow_dispatch (163), workflow_dispatch only (48), pull_request+workflow_dispatch (26). 97% (241/249) expose manual dispatch and 67% (167) are scheduled — a heavily cron-driven, manually-overridable automation fleet. No trigger or cron-frequency changes vs prior day.
Safe outputs analysis
Not captured by the current analyzer (safe_output_types / discussion_categories returned empty in this run). Flagged as a known gap — see Recommendations.
Structural characteristics
| Metric | min | avg | max | max workflow |
|---|---|---|---|---|
| Jobs / workflow | 5 | 8.04 | 12 | firewall-escape |
| Steps / workflow | 76 | 113.57 | 152 | smoke-copilot |
Steps/workflow average fell 115.55 → 113.57; max steps 154 → 152. Jobs/workflow unchanged.
Permission patterns
Top-level permissions: parsed as empty ({}) for all 249 — the analyzer did not resolve per-permission read/write levels this run. Reported as a gap, not as "no permissions."
Timeout distribution
| Bucket (min) | Count |
|---|---|
| ≤5 | 16 |
| 6–15 | 122 |
| 16–30 | 333 |
| 31–60 | 282 |
| >60 | 3 |
(Counts exceed 249 because they aggregate per-job timeout-minutes across multiple jobs per workflow.)
Tool & MCP patterns
| Engine | Workflows |
|---|---|
| copilot | 166 |
| claude | 64 |
| codex | 14 |
| antigravity / crush / gemini / opencode / pi | 1 each |

| MCP server | References |
|---|---|
| github | 6,656 |
| playwright | 168 |
| sentry | 96 |
| grafana | 28 |
| ruflo | 16 |
| arxiv | 6 |
| deepwiki | 6 |
The GitHub MCP server dominates (~97% of all MCP references). Each individual github::* read tool appears exactly 128 times, indicating ~128 workflows embed a uniform full GitHub read toolset (~52 github tools each).
Interesting findings
Uniform GitHub toolset fingerprint — every sampled github::* tool shows up exactly 128×, evidence of a shared, copy-identical MCP toolset block across ~half the fleet rather than per-workflow tailoring.
Copilot is the default engine (166/249, 67%); Claude second (64, 26%); six other engines appear once each — long-tail experimentation.
Manual-override-everywhere — 97% carry workflow_dispatch, almost always paired with a schedule (163 of 167 scheduled workflows also allow dispatch).
Lockfiles got leaner without losing jobs — identical 2,002 jobs but −494 steps / −495 scripts day-over-day, suggesting a compiler change that trims redundant steps.
Tight size band — 95.6% within a single 100–250 KB bucket; the largest files are all smoke-* engine matrix tests.
Historical trends (vs 2026-06-15)
Stable corpus. Net change: total size −0.2%, steps −494, script blocks −495, steps/workflow −1.98. Trigger mix, engine mix, MCP usage, job count, and timeout distribution all unchanged. One file migrated down a size bucket.
Recommendations
Restore safe-output, discussion-category and permission metrics in the analyzer — these three sections were empty this run and are high-value for governance audits. Bump to lockfile_stats_v2.py when the schema changes.
De-duplicate the shared GitHub toolset — the identical 128× toolset is a large contributor to the ~118 KB uniform file size; scoping tools per workflow would shrink lockfiles.
Watch the smoke-* matrix — it accounts for all top-5 largest files (>165 KB); confirm the size is intentional given the engine-matrix coverage.
Methodology
Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parses all 249 lockfiles in one pass and emits a compact JSON summary; this report reasons only from that summary plus the prior-day cached summary. 0 malformed files skipped.
Largest / smallest
Largest: smoke-copilot-aoai-entra (178,467 B), smoke-copilot-aoai-apikey (178,058), smoke-copilot (177,315), smoke-claude (175,147), smoke-copilot-arm (165,122).
Smallest: test-workflow (78,429 B), example-permissions-warning (79,154), firewall (80,363), codex-github-remote-mcp-test (80,456), ace-editor (87,707).