You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Aggregate analysis of all compiled .github/workflows/*.lock.yml files. 258 lockfiles, 0 malformed/skipped, 29.3 MiB total. Parsed with yaml.safe_load (yaml_available: true).
Executive Summary
Metric
Value
Lockfiles
258
Total size
30,749,425 B (≈29.3 MiB)
Average
119,183 B (≈116 KB)
Median
117,829 B
Min
80,100 B (test-workflow)
Max
184,059 B (smoke-copilot-aoai-entra)
Malformed
0
File Size Distribution
Bucket
Count
100–250 KB
247 (95.7%)
50–100 KB
11 (4.3%)
Distribution is tight — every lockfile sits between 80–184 KB, reflecting the large shared boilerplate the compiler emits per workflow. The 6 largest are all smoke tests (smoke-copilot-*, smoke-claude, smoke-codex), which bundle multiple engine setups.
Top combinations: schedule+workflow_dispatch (169), workflow_dispatch only (48), pull_request+workflow_dispatch (27). 97% of workflows expose workflow_dispatch for manual runs. 173 use cron; the schedule is well spread across minutes/hours (jitter applied) with a mix of daily, weekday-only (* * 1-5), every-6h, and weekly cadences.
Safe Outputs Analysis
Caveat:safe_output_types and discussion_categories came back empty under the current v1 parser. The compiled lock format does not expose safe-output config in a shape the v1 extractor recognizes (config is emitted inside embedded runtime JSON rather than top-level YAML keys). This is a parser gap, not an absence of safe outputs — flagged for a v2 script bump. Not treated as a zero.
Structural Characteristics
Metric
Total
Avg/wf
Max
Jobs
1,614
6.26
12 (release)
Steps
29,900
115.9
161 (daily-news)
Run-scripts
13,390
~51.9
—
Every compiled workflow expands to ~116 steps on average — dominated by generated setup/teardown scaffolding. release has the most jobs (12); daily-news the most steps (161).
Permission Patterns
Caveat:permissions_top_level_kind reports {} for all 258 files under v1 — top-level permissions is not surfaced in the lock output the way the extractor expects (permissions are scoped per-job in compiled form). Per-scope read/write maps are therefore empty. Flagged for v2.
Timeout Distribution
Bucket (min)
Count
31–60
258
6–15
28
≤5
2
All 258 carry a job in the 31–60 min band (the default agentic ceiling); a subset add shorter-bounded auxiliary jobs.
Tool & MCP Patterns
Engines: copilot 160 · claude 59 · pi 21 · codex 14 · antigravity/crush/gemini/opencode 1 each. Copilot + Claude cover 85% of workflows.
MCP tools: the GitHub toolset dominates — 30+ github::* read tools each appear ~118× (roughly one per Copilot/Claude workflow), e.g. github::get_pull_request, github::issue_read, github::list_discussions, github::get_file_contents.
Interesting Findings
Extreme size homogeneity — 95.7% of lockfiles land in a single 100–150 KB band; the 80–184 KB min/max spread is only ~2.3×, evidence that per-workflow compiled boilerplate vastly outweighs authored content.
Manual escape hatch is near-universal — 250/258 (97%) include workflow_dispatch, and 169 pair it with a schedule, so almost every scheduled agent is also manually re-runnable.
GitHub MCP is the backbone — 5,428 github-server references vs 126 for the next server (playwright), a ~43× gap; the platform is overwhelmingly a GitHub-automation surface.
Copilot overtakes Claude as default engine — 160 vs 59; the long tail (pi, codex, gemini, crush, antigravity, opencode) shows active multi-engine experimentation.
Smoke tests are the heaviest artifacts — the 6 largest lockfiles are all smoke-* engine-matrix tests, each bundling redundant engine setup blocks.
Historical Trends (vs 2026-07-05)
Prior day ran with yaml_available: false (regex fallback), so structural counts (jobs/steps/timeouts) are not comparable across the parser flip and are omitted here. Stable, parser-independent metrics:
Metric
07-05
07-06
Δ
Lockfiles
258
258
0
Total bytes
30,759,538
30,749,425
−10,113 (−0.03%)
Avg size
119,223
119,183
−40
Median size
118,042
117,829
−213
Engine: copilot
159
160
+1
Engine: claude
60
59
−1
Triggers: workflow_call
0
2
+2
github MCP refs
5,520
5,428
−92
Essentially flat day-over-day: one workflow shifted claude→copilot, and workflow_call triggers appeared on 2 workflows (new workflow_call+workflow_dispatch combination). Fleet size and total footprint are stable.
Recommendations
Bump the analyzer to lockfile_stats_v2.py to fix the two known parser gaps — extract safe-output types and per-job permissions from the compiled runtime JSON blocks rather than top-level YAML keys. Until then, treat those sections as "unmeasured," not "zero."
De-duplicate smoke-test scaffolding — the 6 largest lockfiles repeat engine-setup blocks; a shared composite action could shrink the heaviest artifacts.
Record yaml_available prominently in each history snapshot (already present) and skip cross-day structural deltas whenever it flips, to avoid false trend signals like the job-count swing seen 07-05→07-06.
Methodology
Single-script compact JSON analysis: one first-turn command caches/executes lockfile_stats_v1.py, emitting a ~4.9 KB summary JSON; all reasoning derives from that summary plus cached daily history — no per-file inspection in the reporting turns.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Aggregate analysis of all compiled
.github/workflows/*.lock.ymlfiles. 258 lockfiles, 0 malformed/skipped, 29.3 MiB total. Parsed withyaml.safe_load(yaml_available: true).Executive Summary
test-workflow)smoke-copilot-aoai-entra)File Size Distribution
Distribution is tight — every lockfile sits between 80–184 KB, reflecting the large shared boilerplate the compiler emits per workflow. The 6 largest are all smoke tests (
smoke-copilot-*,smoke-claude,smoke-codex), which bundle multiple engine setups.Trigger Analysis
workflow_dispatchschedulepull_requestissuesissue_comment/push/workflow_callworkflow_run/discussion/discussion_comment/deployment_status/pull_request_review_commentTop combinations:
schedule+workflow_dispatch(169),workflow_dispatchonly (48),pull_request+workflow_dispatch(27). 97% of workflows exposeworkflow_dispatchfor manual runs. 173 use cron; the schedule is well spread across minutes/hours (jitter applied) with a mix of daily, weekday-only (* * 1-5), every-6h, and weekly cadences.Safe Outputs Analysis
Structural Characteristics
release)daily-news)Every compiled workflow expands to ~116 steps on average — dominated by generated setup/teardown scaffolding.
releasehas the most jobs (12);daily-newsthe most steps (161).Permission Patterns
Timeout Distribution
All 258 carry a job in the 31–60 min band (the default agentic ceiling); a subset add shorter-bounded auxiliary jobs.
Tool & MCP Patterns
Engines: copilot 160 · claude 59 · pi 21 · codex 14 · antigravity/crush/gemini/opencode 1 each. Copilot + Claude cover 85% of workflows.
MCP servers (token frequency): github 5,428 · playwright 126 · sentry 96 · grafana 28 · ruflo 16 · arxiv 6 · deepwiki 6.
MCP tools: the GitHub toolset dominates — 30+
github::*read tools each appear ~118× (roughly one per Copilot/Claude workflow), e.g.github::get_pull_request,github::issue_read,github::list_discussions,github::get_file_contents.Interesting Findings
workflow_dispatch, and 169 pair it with a schedule, so almost every scheduled agent is also manually re-runnable.smoke-*engine-matrix tests, each bundling redundant engine setup blocks.Historical Trends (vs 2026-07-05)
Essentially flat day-over-day: one workflow shifted claude→copilot, and
workflow_calltriggers appeared on 2 workflows (newworkflow_call+workflow_dispatchcombination). Fleet size and total footprint are stable.Recommendations
lockfile_stats_v2.pyto fix the two known parser gaps — extract safe-output types and per-job permissions from the compiled runtime JSON blocks rather than top-level YAML keys. Until then, treat those sections as "unmeasured," not "zero."yaml_availableprominently in each history snapshot (already present) and skip cross-day structural deltas whenever it flips, to avoid false trend signals like the job-count swing seen 07-05→07-06.Methodology
Single-script compact JSON analysis: one first-turn command caches/executes
lockfile_stats_v1.py, emitting a ~4.9 KB summary JSON; all reasoning derives from that summary plus cached daily history — no per-file inspection in the reporting turns.References: §28822167168
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions