You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Snapshot of 258 compiled workflow lockfiles (.github/workflows/*.lock.yml) as of 2026-07-04. 0 files were malformed or skipped.
Metric
Value
Lockfiles
258
Total size
30,708,967 bytes (~29.3 MB)
Average
119,027 bytes (~116.2 KB)
Median
117,849 bytes (~115.1 KB)
Smallest
80,112 bytes — test-workflow
Largest
181,321 bytes — smoke-copilot-aoai-entra
Lockfiles are large and tightly clustered — compilation produces a heavy, uniform baseline (~78–177 KB) per workflow, driven mostly by the embedded MCP tool surface (see Tool patterns).
Top trigger combinations:schedule + workflow_dispatch (169), workflow_dispatch only (50), pull_request + workflow_dispatch (27). Manual dispatch is nearly universal (250/258 = 96.9%), and scheduled agents (67%) dominate the fleet.
Schedule cadence
Crons are heavily spread across minutes/hours (good — avoids thundering-herd on the API). Most common patterns are daily (M H * * *), weekday (* * 1-5), and a cluster of every-6-hour jobs (M */6 * * *). No two workflows share an identical high-frequency slot en masse.
Safe Outputs Analysis
Methodology limitation: the PyYAML module was unavailable in this run (yaml_available:false), so safe-output type extraction (which relies on structured parsing of the compiled config) returned empty and is not reported as zero. Trigger, size, engine, MCP, and structural metrics below are regex/text-derived and unaffected. This is a known gap to close by vendoring a YAML parse path into the analyzer.
Structural Characteristics
Metric
Total
Avg/wf
Min
Max
Jobs
2,071
8.03
5
13 (release)
Steps
29,736
115.3
78
156 (smoke-copilot)
Inline scripts
13,349
51.7
—
—
Every lockfile carries a large, standardized scaffold: no workflow drops below 5 jobs / 78 steps, reflecting the shared compiled runtime (setup, firewall, engine, safe-outputs collection).
Permission Patterns
Top-level permissions blocks resolved to {} for all 258 files in this schema (permissions are set per-job in compiled output; structured per-job read/write extraction was also gated by the missing YAML parser). Reported here for transparency rather than as a behavioral finding.
Timeout Distribution
Bucket (min)
Count
31–60
289
16–30
253
6–15
126
≤5
16
>60
3
(Counts exceed 258 because timeouts are counted per job/step.) The mass sits in the 16–60 min range — consistent with agentic jobs that need real headroom but are bounded well under an hour.
Tool & MCP Patterns
MCP server
References
github
5,520
playwright
126
sentry
96
grafana
28
ruflo
16
arxiv
6
deepwiki
6
The github MCP server is effectively universal; ~30 distinct github::* read tools each appear in ~120 workflows (e.g. get_pull_request, list_discussions, issue_read, list_code_scanning_alerts). This uniform, large tool manifest is the primary driver of lockfile size.
Engine distribution:
Engine
Count
copilot
159
claude
60
pi
21
codex
14
antigravity / crush / gemini / opencode
1 each
Interesting Findings
The fleet is remarkably uniform in size — 95.7% of lockfiles fall in a single 100–250 KB band, with min→max spanning only ~2.3×. Size is dominated by shared scaffolding, not per-workflow logic.
pi engine is the fastest-growing engine — from 1 workflow a month ago (2026-06-04) to 21 today, a 21× jump, while copilot (dominant) and claude stayed flat. Worth understanding what's driving pi adoption.
Manual + scheduled is the default shape — 169 workflows use exactly schedule + workflow_dispatch; the fleet is overwhelmingly autonomous cron agents with a manual escape hatch.
GitHub MCP saturation — 5,520 github-server references vs. 126 for the next server (playwright). Nearly every workflow ships the full github read toolset, even when a narrower manifest would shrink lockfiles.
Timeouts skew generous — 542 of 687 timeout declarations are ≥16 min; only 16 are ≤5 min, confirming these are long-running agentic jobs rather than quick checks.
Historical Trends
44 daily snapshots on record (2026-05-20 → 2026-07-04).
vs.
Date
Lockfiles
Total bytes
Avg size
Steps
Prev day
07-03
258 → 258 (0)
+9,219
+36
−1
1 week
06-27
253 → 258 (+5)
+1,042,939 (+3.5%)
+1,770
+816
1 month
06-04
240 → 258 (+18)
+5,548,925 (+22.1%)
+14,194 (+13.5%)
+4,363
First record
05-20
233 → 258 (+25)
+8,321,908 (+37.2%)
—
—
Steady growth: +25 lockfiles (+10.7%) and +37% total size since the first snapshot. Notably, average size grew +13.5% in a month — lockfiles are getting bigger, not just more numerous, suggesting the shared scaffold/tool manifest is expanding.
Recommendations
Trim the default MCP tool manifest. github-server tools dominate lockfile weight; scoping each workflow to the tools it actually uses would cut the ~29 MB fleet footprint and slow the +13.5%/month average-size growth.
Investigate pi engine growth (1→21 in a month). Confirm it's intentional and that these workflows meet the same review/security bar as copilot/claude ones.
Restore the YAML parse path in the analyzer so safe-output types and per-job permission read/write distributions are reported instead of gated. This is the biggest current blind spot.
Watch average-size drift. Set a soft budget alert if avg lockfile size crosses ~130 KB, given the sustained upward trend.
Methodology
Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parsed all 258 lockfiles in one pass into a ~4.8 KB summary JSON; all figures above are derived from that summary and 44 persisted daily snapshots. No lockfile was opened individually for reasoning. Note the YAML-parser gap above affects only safe-output-type and permission-value breakdowns.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
Snapshot of 258 compiled workflow lockfiles (
.github/workflows/*.lock.yml) as of 2026-07-04. 0 files were malformed or skipped.test-workflowsmoke-copilot-aoai-entraLockfiles are large and tightly clustered — compilation produces a heavy, uniform baseline (~78–177 KB) per workflow, driven mostly by the embedded MCP tool surface (see Tool patterns).
File Size Distribution
Largest 10
Trigger Analysis
Top trigger combinations:
schedule + workflow_dispatch(169),workflow_dispatchonly (50),pull_request + workflow_dispatch(27). Manual dispatch is nearly universal (250/258 = 96.9%), and scheduled agents (67%) dominate the fleet.Schedule cadence
Crons are heavily spread across minutes/hours (good — avoids thundering-herd on the API). Most common patterns are daily (
M H * * *), weekday (* * 1-5), and a cluster of every-6-hour jobs (M */6 * * *). No two workflows share an identical high-frequency slot en masse.Safe Outputs Analysis
Structural Characteristics
release)smoke-copilot)Every lockfile carries a large, standardized scaffold: no workflow drops below 5 jobs / 78 steps, reflecting the shared compiled runtime (setup, firewall, engine, safe-outputs collection).
Permission Patterns
Top-level
permissionsblocks resolved to{}for all 258 files in this schema (permissions are set per-job in compiled output; structured per-job read/write extraction was also gated by the missing YAML parser). Reported here for transparency rather than as a behavioral finding.Timeout Distribution
(Counts exceed 258 because timeouts are counted per job/step.) The mass sits in the 16–60 min range — consistent with agentic jobs that need real headroom but are bounded well under an hour.
Tool & MCP Patterns
The github MCP server is effectively universal; ~30 distinct
github::*read tools each appear in ~120 workflows (e.g.get_pull_request,list_discussions,issue_read,list_code_scanning_alerts). This uniform, large tool manifest is the primary driver of lockfile size.Engine distribution:
Interesting Findings
piengine is the fastest-growing engine — from 1 workflow a month ago (2026-06-04) to 21 today, a 21× jump, whilecopilot(dominant) andclaudestayed flat. Worth understanding what's drivingpiadoption.schedule + workflow_dispatch; the fleet is overwhelmingly autonomous cron agents with a manual escape hatch.Historical Trends
44 daily snapshots on record (2026-05-20 → 2026-07-04).
Steady growth: +25 lockfiles (+10.7%) and +37% total size since the first snapshot. Notably, average size grew +13.5% in a month — lockfiles are getting bigger, not just more numerous, suggesting the shared scaffold/tool manifest is expanding.
Recommendations
piengine growth (1→21 in a month). Confirm it's intentional and that these workflows meet the same review/security bar as copilot/claude ones.Methodology
Single-script compact JSON analysis: one cached Python analyzer (
lockfile_stats_v1.py) parsed all 258 lockfiles in one pass into a ~4.8 KB summary JSON; all figures above are derived from that summary and 44 persisted daily snapshots. No lockfile was opened individually for reasoning. Note the YAML-parser gap above affects only safe-output-type and permission-value breakdowns.References: §28718728613
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions