You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Top combinations:schedule+workflow_dispatch (169), workflow_dispatch alone (49), pull_request+workflow_dispatch (27). Scheduled agents almost always keep a manual dispatch escape hatch.
Cron cadence
173 scheduled workflows across ~120 distinct crons. Minutes are spread across the hour (odd values like :49, :38, :23) — no thundering-herd on :00. Mix of daily (* * *), weekday (1-5), and every-N-hours (*/6, */4, */12). No cron is used more than twice.
Safe outputs analysis
Dedicated safe-output jobs detected: upload-assets in 25 lockfiles. Most safe outputs (create-discussion / create-issue / add-comment / create-pull-request) are configured via the agentic job's env manifest rather than as separate jobs, so they are not individually enumerable from lock structure — see methodology caveat.
Discussion output categories (regex over category config):
Category
Lockfiles
audits
76
announcements
5
artifacts
2
dev
2
daily-news
1
research
1
The audits category dominates — audit-style agents are by far the largest publisher class.
Structural characteristics
Metric
Total
Per workflow (min / avg / max)
Jobs
1,620
4 / 6.25 / 12
Steps
30,312
79 / 117.03 / 163
Run scripts
13,699
— / 52.9 / —
Most jobs: release (12). Most steps: smoke-copilot (163).
Δ vs 07-07: +6 jobs, +405 steps, +303 scripts for +1 workflow — each new agentic workflow compiles to ~117 steps / ~194 KB.
Timeouts: every workflow has at least one job in the 31–60 min band (259); 6–15 min band appears 28 times, ≤5 min twice. Timeout policy is essentially uniform.
Permission patterns
Top-level permissions is {} for all 259 lockfiles — permissions are declared per job (least-privilege pattern).
Permission
Read
Write
actions
259 (100%)
5
contents
259 (100%)
131 (51%)
pull-requests
225 (87%)
123 (47%)
issues
221 (85%)
250 (97%)
discussions
50 (19%)
92 (36%)
copilot-requests
—
67 (26%)
security-events
14
3
issues: write is the single most common write grant (250/259). Read actions+contents are universal.
GitHub MCP is the backbone (40% of all lockfiles); the rest is a long specialized tail.
Engine mix (carried from 2026-07-07 — see caveat)
Engine
Lockfiles
copilot
160
claude
60
pi
21
codex
14
antigravity / crush / gemini / opencode
1 each
Caveat: today's automated classifier could not reliably extract the engine id from compiled lock text (no stable engine: marker survives compilation). The corpus changed by exactly +1 file vs 07-07, so this distribution is effectively current. Fixing engine detection is tracked as a follow-up.
Interesting findings
80 KB compilation floor. The smallest lockfile is 80.6 KB and 96% exceed 100 KB, yet each holds 79–163 steps of largely generated boilerplate — 29.6 MiB of committed generated YAML for 259 logical workflows.
Manual escape hatch is near-universal. 251/259 (96.9%) expose workflow_dispatch; 169 pair it with schedule. Only 8 workflows are non-dispatchable (pure PR/push/event-driven).
Audit agents are the dominant output class. 76 lockfiles publish to the audits discussion category — 15× the next category (announcements, 5).
GitHub MCP centrality. 104 lockfiles wire in GitHub MCP; the next server (serena) appears in under a quarter as many, and 11 servers appear in just 1–2 lockfiles each.
Steady linear growth. +1 workflow day-over-day added +405 steps, +303 run scripts, and +194 KB — a clean per-workflow footprint of ~117 steps / ~53 scripts / ~194 KB.
Historical trends (07-07 → 07-08)
Metric
07-07
07-08
Δ
Lockfiles
258
259
+1
Total bytes
30,804,942
30,999,123
+194,181
Jobs
1,614
1,620
+6
Steps
29,907
30,312
+405
Scripts
13,396
13,699
+303
Avg steps/wf
115.92
117.03
+1.11
audits category
76
76
=
Trajectory is steady growth with no structural regressions; 49 daily snapshots retained (2026-05-20 → 2026-07-08).
Recommendations
Boilerplate footprint — 29.6 MiB of generated *.lock.yml in-tree keeps growing ~194 KB/workflow. If the compiler supports composite/reusable actions, extracting the shared 80 KB floor would materially shrink diffs and repo size.
Uniform 31–60 min timeouts — every workflow lands in the same band; verify long-running agents aren't silently truncated and consider per-workflow tuning where runtimes differ.
Safe-output auditability — most enabled safe-output types aren't detectable from lock structure. Emitting a small machine-readable manifest of enabled safe outputs per workflow would make audits like this exact.
Keep cron staggering — current odd-minute spread avoids :00 pile-ups; maintain it as the schedule count grows past 173.
Fix engine classification — add a stable engine-id marker (e.g. a header comment) to compiled lockfiles so engine distribution is verifiable rather than carried-forward.
Methodology note
Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parsed all 259 lockfiles with yaml.safe_load in a single run, emitting a ~5.8 KB summary JSON; all figures above derive from that summary and the retained daily history. 0 lockfiles skipped. Safe-output types, discussion categories, and per-permission read/write maps use regex/job-name fallback (one category schema-comment false positive was filtered); the engine field is carried from the prior authoritative snapshot pending a detection fix.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Overview
Aggregate analysis of all
.github/workflows/*.lock.ymlcompiled agentic workflows as of 2026-07-08.No lockfiles failed to parse (
yaml.safe_load,yaml_available=true).File size distribution
Every lockfile is ≥80 KB — a large fixed compilation floor. The 5 largest are all engine smoke-tests:
Smallest:
test-workflow(80,619),example-permissions-warning(81,556),firewall(82,495).Trigger analysis
Top combinations:
schedule+workflow_dispatch(169),workflow_dispatchalone (49),pull_request+workflow_dispatch(27). Scheduled agents almost always keep a manual dispatch escape hatch.Cron cadence
173 scheduled workflows across ~120 distinct crons. Minutes are spread across the hour (odd values like
:49,:38,:23) — no thundering-herd on:00. Mix of daily (* * *), weekday (1-5), and every-N-hours (*/6,*/4,*/12). No cron is used more than twice.Safe outputs analysis
Dedicated safe-output jobs detected:
upload-assetsin 25 lockfiles. Most safe outputs (create-discussion / create-issue / add-comment / create-pull-request) are configured via the agentic job's env manifest rather than as separate jobs, so they are not individually enumerable from lock structure — see methodology caveat.Discussion output categories (regex over category config):
The audits category dominates — audit-style agents are by far the largest publisher class.
Structural characteristics
Timeouts: every workflow has at least one job in the 31–60 min band (259);
6–15 minband appears 28 times,≤5 mintwice. Timeout policy is essentially uniform.Permission patterns
Top-level
permissionsis{}for all 259 lockfiles — permissions are declared per job (least-privilege pattern).issues: writeis the single most common write grant (250/259). Readactions+contentsare universal.Tool & MCP patterns
MCP servers by number of lockfiles using them:
GitHub MCP is the backbone (40% of all lockfiles); the rest is a long specialized tail.
Engine mix (carried from 2026-07-07 — see caveat)
Interesting findings
workflow_dispatch; 169 pair it withschedule. Only 8 workflows are non-dispatchable (pure PR/push/event-driven).auditsdiscussion category — 15× the next category (announcements, 5).Historical trends (07-07 → 07-08)
Trajectory is steady growth with no structural regressions; 49 daily snapshots retained (2026-05-20 → 2026-07-08).
Recommendations
*.lock.ymlin-tree keeps growing ~194 KB/workflow. If the compiler supports composite/reusable actions, extracting the shared 80 KB floor would materially shrink diffs and repo size.:00pile-ups; maintain it as the schedule count grows past 173.Methodology note
Single-script compact JSON analysis: one cached analyzer (
lockfile_stats_v1.py) parsed all 259 lockfiles withyaml.safe_loadin a single run, emitting a ~5.8 KB summary JSON; all figures above derive from that summary and the retained daily history. 0 lockfiles skipped. Safe-output types, discussion categories, and per-permission read/write maps use regex/job-name fallback (one category schema-comment false positive was filtered); the engine field is carried from the prior authoritative snapshot pending a detection fix.References: §28973990158
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions