Analysis of 251 compiled .github/workflows/*.lock.yml files. 0 malformed/skipped.
| Metric | Value |
| --- | --- |
| Lockfiles | 251 |
| Total size | 29.49 MB |
| Avg / Median | 117.5 KB / 116.6 KB |
| Min / Max | 79.8 KB / 176.8 KB |
| Total jobs / steps / scripts | 2,013 / 28,660 / 13,029 |
| Avg per workflow | 8.0 jobs · 114.2 steps · 51.9 scripts |
File Size Distribution
| Bucket | Count |
| --- | --- |
| 100–250 KB | 240 |
| 50–100 KB | 11 |
Largest: smoke-copilot-aoai-entra (176.8 KB), smoke-copilot-aoai-apikey (176.6 KB), smoke-copilot (176.0 KB), smoke-claude (172.0 KB). Smallest: test-workflow (79.8 KB), example-permissions-warning (80.6 KB), firewall (81.8 KB). Lock files are large and tightly clustered (CV ≈ 13%) — generated boilerplate dominates over per-workflow logic.
Trigger Analysis
| Trigger | Count | Combination | Count |
| --- | --- | --- | --- |
| workflow_dispatch | 243 | schedule + workflow_dispatch | 164 |
| schedule | 168 | workflow_dispatch only | 49 |
| pull_request | 33 | pull_request + workflow_dispatch | 26 |
| issues | 4 | pull_request only | 3 |
| issue_comment | 2 | (10 other combos) | 1 each |
243 of 251 (97%) expose workflow_dispatch; 168 (67%) run on a schedule. Cron times are well-spread (no :00/:30 clustering) — schedules are jittered as designed. Most frequent cadence is daily * * *; a cluster of */6 and weekday 1-5 jobs exists.
Structural Characteristics
| | min | avg | max | max workflow |
| --- | --- | --- | --- | --- |
| Jobs | 5 | 8.0 | 12 | firewall-escape |
| Steps | 77 | 114.2 | 153 | smoke-copilot |
Permission & Timeout Patterns
Top-level permissions: resolved to an empty map ({}) for all 251 files in this pass — fine-grained read/write scopes are declared at the job level and were not captured by the v1 aggregate (see methodology caveat). Timeout distribution (across all jobs):
| timeout-minutes | jobs |
| --- | --- |
| ≤5 | 16 |
| 6–15 | 120 |
| 16–30 | 225 |
| 31–60 | 281 |
| >60 | 2 |
Engine Distribution
| Engine | Count |
| --- | --- |
| copilot | 156 |
| claude | 57 |
| pi | 19 |
| codex | 15 |
| antigravity / crush / gemini / opencode | 1 each |
Tool & MCP Patterns
github MCP dominates with 5,244 tool references across the corpus; playwright (126), sentry (96), grafana (28), ruflo (16), arxiv (6), deepwiki (6) follow. The github server's read tools (actions_get, get_pull_request, issue_read, list_discussions, ...) each appear in ~114 workflows — a shared read-only toolset baked into most agents.
Historical Trends
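| Metric | 05-20 | 06-17 | 06-23 | 06-24 | Δ wk | Δ day |
| --- | --- | --- | --- | --- | --- | --- |
| Lockfiles | 233 | 250 | 250 | 251 | +1 | +1 |
| Total bytes | 22.39 M | 29.82 M | 29.46 M | 29.49 M | −0.33 M | +0.03 M |
| Avg size | — | 119.3 K | 117.8 K | 117.5 K | −1.8 K | −0.4 K |
| Jobs total | — | 2,008 | 2,006 | 2,013 | +5 | +7 |
| Steps total | — | 28,374 | 28,550 | 28,660 | +286 | +110 |
| Scripts total | — | 12,525 | 12,976 | 13,029 | +504 | +110 |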
Interesting Findings
pi engine is surging — 1 workflow on 06-17 → 19 on 06-24, while copilot (167→156) and claude (64→57) both shrank. A migration toward the pi engine is underway.
Step/script growth outpaces file count. Lockfiles grew +1 over the week but scripts grew +504 (+4%) — workflows are getting denser, not just more numerous. Avg file size actually fell slightly, so generation is getting more compact per step.
workflow_dispatch is near-universal (97%). Manual-trigger escape hatches are a strong convention; only 8 workflows omit it.
The corpus is a near-monolith of generated scaffolding — 240/251 files land in one 100–250 KB band with CV ≈13%, confirming lock files are dominated by shared compiled boilerplate.
GitHub read-tooling is standardized — ~114 workflows share an identical block of github::* read tools, evidence of a common agent template rather than bespoke tool selection.
Recommendations
Track the pi migration explicitly in a follow-up audit; if intentional, accelerate; if accidental, investigate the 19 conversions.
Investigate the 2 jobs with >60 min timeouts — outliers worth a cost/runtime review.
Reduce lock-file boilerplate. 29.5 MB of highly-redundant generated YAML inflates the repo; a shared-template/compression strategy in the compiler could cut clone/CI overhead.
Improve the analyzer (v2): capture job-level permissions: and safe_output_types (both empty this pass) so permission-surface and safe-output trends become visible.
Methodology
Single-script compact JSON analysis: one cached Python pass (lockfile_stats_v1.py) parsed all 251 lock files into a ≤50 KB JSON summary; all figures above derive from that summary plus 35 days of cached daily summaries. No lock file was opened individually for analysis. Caveat: top-level permissions and safe_output_types aggregates were empty in the v1 schema (scopes/outputs live at job level) — flagged for a v2 fix.
Lockfile Statistics Audit — 2026-06-24