Snapshot of 250 compiled .github/workflows/*.lock.yml files on 2026-06-17 (0 malformed/skipped).
| Metric | Value | Δ vs 2026-06-16 |
| --- | --- | --- |
| Lockfiles | 250 | +1 |
| Total size | 28.44 MB (29,821,184 B) | +203 KB (+0.7%) |
| Avg size | 116.5 KB | +0.3% |
| Median size | 115.9 KB | — |
| Min / Max | 77.0 KB / 174.7 KB | — |
| Total jobs | 2,008 | +6 |
| Total steps | 28,374 | +95 |
| Total run: scripts | 12,525 | +42 |
A near-uniform +~400 bytes per file across the entire set indicates a global recompilation rather than isolated edits, plus one net-new workflow (Copilot engine, schedule+workflow_dispatch).
File Size Distribution
| Bucket | Count | % |
| --- | --- | --- |
| 100–250 KB | 240 | 96.0% |
| 50–100 KB | 10 | 4.0% |
Lockfiles are large and tightly clustered (median ≈ avg) — characteristic of generated boilerplate (MCP config, safe-output plumbing, engine scaffolding) dominating each file.
Top combinations: schedule+workflow_dispatch (163), workflow_dispatch alone (49), pull_request+workflow_dispatch (26). The fleet is overwhelmingly scheduled agents with a manual override — 65% follow the canonical cron+dispatch pattern.
Schedule cadence
167 scheduled workflows span 160+ distinct cron expressions — minutes are well-jittered (few share a slot), avoiding thundering-herd API load. Cadences range from hourly (23 * * * *) and every-4/6h (*/4, */6) to weekday business hours (* * 1-5) and weekly (* * 0|1|3).
Safe Outputs Analysis
⚠️ The cached v1 analyzer reported empty safe_output_types, discussion_categories, and permissions maps for all 250 files. The compiled lock format does not expose these via v1's text patterns, so safe-output/permission/category breakdowns are not available this run. See Recommendations — this is the highest-value gap to close in a v2 schema bump.
Structural Characteristics
| Per-workflow | Min | Avg | Max | Max holder |
| --- | --- | --- | --- | --- |
| Jobs | 5 | 8.03 | 12 | firewall-escape |
| Steps | 76 | 113.5 | 152 | smoke-copilot |
| run: scripts | — | 50.1 | — | — |
Each lockfile is a substantial GitHub Actions program: ~8 jobs and ~114 steps on average. The job floor of 5 reflects the shared gh-aw scaffolding (activation, agent, safe-output collection/processing, etc.).
Permission Patterns
v1 reports permissions_top_level_kind: {"{}": 250} — all 250 declare an empty top-level permissions block, with effective grants pushed to job level (not captured by v1). Least-privilege at top level is uniform.
Tool & MCP Patterns
| MCP server | Allowlist entries (fleet-wide) |
| --- | --- |
| github | 6,656 |
| playwright | 168 |
| sentry | 96 |
| grafana | 28 |
| ruflo | 16 |
| arxiv / deepwiki | 6 each |
GitHub MCP dominates — ~128 workflows enumerate the full GitHub toolset (each of get_commit, issue_read, list_commits, get_workflow_run_logs, ... appears in 128 files). This broad read surface is the single largest contributor to lockfile size.
Engine Distribution
| Engine | Count | % |
| --- | --- | --- |
| copilot | 167 | 66.8% |
| claude | 64 | 25.6% |
| codex | 14 | 5.6% |
| antigravity / crush / gemini / opencode / pi | 1 each | 2.0% |
Copilot is the fleet default (2/3); Claude is the clear secondary. The +1 new workflow this period was Copilot.
Timeout Distribution
| Bucket (min) | Jobs |
| --- | --- |
| ≤5 | 16 |
| 6–15 | 122 |
| 16–30 | 335 |
| 31–60 | 283 |
| >60 | 3 |
Most jobs sit in the 16–60 min band; only 3 jobs exceed an hour — runaway-cost exposure is well-contained.
Interesting Findings
Uniform ~400 B/file growth points to a compiler/template bump touching all 250 lockfiles simultaneously, not feature work — a useful fingerprint for "what changed" triage.
96% of files are 100 KB+, yet source workflows are tiny — generated MCP/safe-output scaffolding is the dominant byte cost, led by the full GitHub toolset (128 files × full enumeration).
Cron jitter is healthy: 167 schedules spread across 160+ distinct expressions, almost no minute collisions — deliberate thundering-herd avoidance.
Engine concentration risk: 67% Copilot means a Copilot-side regression would impact two-thirds of the fleet at once.
firewall-escape carries the most jobs (12) while smoke-copilot carries the most steps (152) — the structural outliers worth watching for compile-time cost.
Historical Trends (2026-06-16 → 2026-06-17)
| Metric | 06-16 | 06-17 | Δ |
| --- | --- | --- | --- |
| Lockfiles | 249 | 250 | +1 |
| Total bytes | 29,613,640 | 29,821,184 | +207,544 |
| Avg bytes | 118,930 | 119,284 | +354 |
| Jobs | 2,002 | 2,008 | +6 |
| Steps | 28,279 | 28,374 | +95 |
| Scripts | 12,483 | 12,525 | +42 |
| copilot engine | 166 | 167 | +1 |
| 100–250KB bucket | 238 | 240 | +2 |
Steady, low-volatility growth: one workflow added (~6 jobs / ~95 steps) plus a uniform recompile. No structural regressions.
Recommendations
Bump the analyzer to v2 to extract safe_outputs, discussion categories, and job-level permissions from the lock format — currently the largest blind spot.
Audit the GitHub MCP allowlist: 128 workflows enumerate the full toolset. Trimming to per-workflow needs would cut a large share of the 28 MB footprint.
Track engine concentration (67% Copilot) as a resilience metric; consider engine diversity for critical scheduled agents.
Watch the 3 jobs with >60 min timeouts for cost; confirm they genuinely need it.
Methodology: single-script compact JSON analysis. One Python pass over all 250 .lock.yml files emits a ≤50 KB summary (4.8 KB actual); all insights derived from that JSON plus the prior-day cached summary. No per-file re-reads. Caveat: v1 schema does not surface safe-output/permission/category detail.
Largest & smallest workflows
Largest: smoke-copilot-aoai-entra (174.7 KB), smoke-copilot-aoai-apikey (174.3 KB), smoke-copilot (173.6 KB), smoke-claude (171.5 KB), smoke-copilot-arm (161.7 KB)
Smallest: test-workflow (77.0 KB), example-permissions-warning (77.7 KB), firewall (78.9 KB), codex-github-remote-mcp-test (79.0 KB), ace-editor (86.1 KB)