Executive Summary
Analysis of 258 compiled .github/workflows/*.lock.yml files on 2026-07-02. 0 malformed/skipped.

| Metric | Value |
| --- | --- |
| Lockfiles | 258 |
| Total size | 30,006,773 B (≈28.6 MiB) |
| Avg / median | 116,305 B / 115,005 B |
| Smallest | test-workflow — 78,168 B |
| Largest | smoke-copilot-aoai-entra — 178,385 B |

File Size Distribution

| Bucket | Count |
| --- | --- |
| 100–250 KB | 243 |
| 50–100 KB | 15 |

Lockfiles are large and highly uniform — 94% fall in a single 100–250 KB band, reflecting substantial compiler-emitted boilerplate (~114 steps/workflow).
Trigger Analysis
Top combinations: schedule+workflow_dispatch 169 · workflow_dispatch only 50 · pull_request+workflow_dispatch 27. 97% (250/258) expose manual dispatch; 67% (173) are scheduled — an automation-heavy repo.
Safe Outputs Analysis
⚠️ Not available this run: the analyzer executed with yaml_available:false and its text heuristics for safe_output_types, permissions_read/write, and discussion_categories returned empty. These require PyYAML in the runner env (see Recommendations). For reference, the 2026-05-20 snapshot captured create_discussion 233, create_issue 233, missing_tool 233, add_comment 71, create_pull_request 56.
Structural Characteristics

| Metric | Total | Avg | Max (workflow) |
| --- | --- | --- | --- |
| Jobs | 2,071 | 8.03 | 13 (release) |
| Steps | 29,474 | 114.24 | 155 (smoke-copilot) |
| Scripts (run:) | 13,350 | — | — |

Permission Patterns
All 258 lockfiles normalize to an empty top-level permissions: {} block (permissions_top_level_kind: {"{}":258}) — least-privilege at the top level, with grants pushed to individual jobs. Per-scope read/write breakdown unavailable this run (yaml).
Tool & MCP Patterns
Engines (258 total): copilot 159 (62%) · claude 60 (23%) · pi 21 · codex 14 · antigravity/crush/gemini/opencode 1 each.
MCP servers (ref frequency): github 5,520 · playwright 126 · sentry 96 · grafana 28 · ruflo 16 · arxiv 6 · deepwiki 6. The GitHub MCP dominates the tool surface by ~44× the next server; dozens of github::* tools appear at a flat count of 120, indicating a shared default allowlist.
Interesting Findings
Copilot-first fleet — 62% of workflows run on the copilot engine, with claude a distinct second at 23%; five other engines appear only once each (experimental).
Near-universal manual override — 250/258 workflows keep workflow_dispatch, so almost every scheduled agent can be triggered on demand.
Monoglot MCP dependency — GitHub MCP references (5,520) dwarf every other server combined; a shared github tool allowlist propagates the same ~120-count tool set across the fleet.
Boilerplate-heavy compilation — median lockfile is ~114 KB and ~114 steps; the source intent is a fraction of this, so most bytes are generated scaffolding.
Fastest-growing dimension is jobs — since 2026-05-20 job count grew +45% vs +11% file count, i.e. workflows are getting structurally deeper, not just more numerous.
Historical Trends

| Metric | 2026-05-20 | 2026-07-01 | 2026-07-02 | Δ (6 wks) |
| --- | --- | --- | --- | --- |
| Lockfiles | 233 | 258 | 258 | +25 (+10.7%) |
| Total bytes | 22.39 MB | 30.00 MB | 30.01 MB | +34.0% |
| Avg size | 96,081 | 116,280 | 116,305 | +21.1% |
| Total jobs | 1,423 | 2,070 | 2,071 | +45.5% |
| Total steps | 24,002 | 29,463 | 29,474 | +22.8% |
| Total scripts | 11,518 | 13,349 | 13,350 | +15.9% |

Day-over-day (07-01→07-02) is essentially flat: +6.3 KB total, +1 job, +11 steps — a quiet day with no new workflows.
Recommendations
Curb lockfile growth — total size is up 34% in six weeks; factor shared setup into composite actions to shrink the ~114 KB-per-file boilerplate.
Restore full metrics — install PyYAML in the analyzer runner so safe_output_types, per-scope permissions, and discussion_categories repopulate (currently empty due to yaml_available:false).
Audit the GitHub MCP allowlist — the flat 120-count github::* tool set suggests a broad default; trim to least-privilege per workflow.
Review deep workflows — jobs grew +45%; confirm the 13-job release and 155-step smoke-copilot remain intentional.
Methodology
Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parsed all 258 lockfiles in one pass into a ≤50 KB JSON summary (4.8 KB actual); all findings derived from that summary plus prior daily snapshots in cache-memory history/. No individual lockfiles were opened for analysis.
Timeout distribution (job-level): 31–60 min: 289 · 16–30: 253 · 6–15: 126 · ≤5: 16 · >60: 3.
References: §28619994154
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
See Network Configuration for more information.