You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Snapshot of all compiled agentic workflow lockfiles as of 2026-07-09.
Metric
Value
Ξ vs 2026-07-08
Lockfiles analyzed
256
β3
Skipped / malformed
0
β
Total size
29.2 MB (30,635,350 B)
β355 KB
Average size
116.9 KB
βflat
Median size
115.3 KB
β0.3 KB
Min / Max
79.3 KB / 181.2 KB
β
All 256 files parsed cleanly with PyYAML (yaml_available: true).
π File Size Distribution
Bucket
Count
100β250 KB
246
50β100 KB
10
Lockfiles are large and tightly clustered β compilation produces uniformly heavy artifacts (mostly 100β185 KB), reflecting the shared boilerplate that gh aw compile injects into every workflow.
The smoke-test family dominates the top end; example/firewall/test scaffolds sit at the floor.
β° Trigger Analysis
Trigger
Workflows
workflow_dispatch
248 (97%)
schedule
175 (68%)
pull_request
34
issues
4
push / workflow_call
2 each
issue_comment
2
Top trigger combinations:schedule + workflow_dispatch (171), workflow_dispatch only (44), pull_request + workflow_dispatch (27).
Nearly every workflow keeps a manual workflow_dispatch escape hatch, and roughly two-thirds are scheduled. Cron times are well spread across the day and heavily jittered on off-minutes β 175 scheduled entries, almost all unique, with only a handful of */6h and weekday (1-5) patterns. This avoids fleet-wide thundering-herd firing.
π€ Safe Outputs Analysis
Discussion-category targeting (the strongest safe-output signal available) breaks down as:
Discussion category
Workflows
audits
76
announcements
5
artifacts
2
dev
2
daily-news / research
1 each
Plus upload-assets detected in 25 workflows. audits overwhelmingly dominates discussion output β this agent is one of that cohort.
Note: safe-output type detection runs via regex/job-name heuristics and under-counts issue/PR/comment outputs; the write-permission table below is a more reliable proxy for output surface.
ποΈ Structural Characteristics
Metric
Total
Avg/WF
Max
Jobs
1,605
6.3
12 (release)
Steps
30,019
117.3
163 (smoke-copilot)
Run/script steps
13,560
53.0
β
Roughly 45% of all steps are shell/script steps. The step count (79β163 per file) is remarkably consistent, again confirming heavy shared scaffolding.
π Permission Patterns
Permission
Read
Write
contents
256
131
actions
256
4
issues
219
249
pull-requests
225
123
discussions
50
92
copilot-requests
β
67
security-events
14
3
Every workflow reads contents + actions. Write access is dominated by issues (249) β the most common output channel β followed by contents (131) and pull-requests (123). Notably, more workflows write discussions (92) than read them (50), consistent with report-publishing agents.
github is the near-universal MCP integration (~39% of workflows); serena (code intelligence) is a distant second. The long tail of single-use servers (semgrep, agentdb, context7, memory, ...) shows broad experimentation with specialized tooling.
Timeouts: 256 workflows sit in the 31β60 min band; 28 also declare 6β15 min job caps; 2 use β€5 min. Engine field: detector reports a single engine string across all 256 files (uniform compilation target).
π Interesting Findings
Extreme structural uniformity. Step counts cluster in a narrow 79β163 band and sizes in 100β185 KB β the compiler emits a large, consistent boilerplate envelope regardless of the underlying agent's complexity.
Manual-override culture. 97% of workflows expose workflow_dispatch, so nearly everything can be hand-triggered even when primarily scheduled.
Audit-heavy output profile. 76 of 256 workflows target the audits discussion category β auditing/reporting is the single largest workload class in this repo.
Write > read for discussions. 92 workflows can write discussions but only 50 read them: these are publishers, not consumers.
Well-behaved cron scheduling. 175 schedule entries are jittered across nearly-unique off-minute times, deliberately avoiding synchronized fleet firing.
Three workflows were removed (notably test-workflow.lock.yml), trimming ~355 KB and ~300 steps. Scheduled workflows ticked up (+2) even as the total shrank, and github MCP usage dropped by 4. Aggregate averages (size, steps/WF, jobs/WF) stayed essentially flat β the changes are compositional, not structural.
β Recommendations
Investigate boilerplate weight. ~29 MB across 256 near-identical envelopes suggests the compiled scaffold could be a target for size reduction (shared composite actions vs. inlined steps).
Tighten issues:write scope. 249 workflows hold issue-write; audit whether all genuinely emit issues or could drop to read.
Prune test/example scaffolds (smoke-, test-workflow, example-) if they no longer need to ship as lockfiles, to keep aggregate metrics signal-rich.
Improve safe-output type telemetry. Type detection is regex-based and under-counts; embedding a machine-readable safe-outputs manifest in each lockfile would make this report exact.
Keep the cron jitter discipline β it's working; new scheduled workflows should continue picking unique off-minute times.
Methodology: single-script compact JSON analysis. All 256 .github/workflows/*.lock.yml files were parsed once by a cached PyYAML analyzer (lockfile_stats_v1) into a ~5.8 KB summary; all figures above derive solely from that summary and the persisted daily history. 0 lockfiles skipped.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
π Lockfile Statistics β Executive Summary
Snapshot of all compiled agentic workflow lockfiles as of 2026-07-09.
All 256 files parsed cleanly with PyYAML (
yaml_available: true).π File Size Distribution
Lockfiles are large and tightly clustered β compilation produces uniformly heavy artifacts (mostly 100β185 KB), reflecting the shared boilerplate that
gh aw compileinjects into every workflow.Largest 5 / Smallest 5
Largest: smoke-copilot-aoai-entra (181 KB), smoke-copilot-aoai-apikey (181 KB), smoke-copilot (181 KB), smoke-claude (175 KB), smoke-copilot-arm (166 KB).
Smallest: example-permissions-warning (79 KB), firewall (80 KB), codex-github-remote-mcp-test (80 KB), hippo-embed (87 KB), ace-editor (88 KB).
The smoke-test family dominates the top end; example/firewall/test scaffolds sit at the floor.
β° Trigger Analysis
Top trigger combinations:
schedule + workflow_dispatch(171),workflow_dispatchonly (44),pull_request + workflow_dispatch(27).Nearly every workflow keeps a manual
workflow_dispatchescape hatch, and roughly two-thirds are scheduled. Cron times are well spread across the day and heavily jittered on off-minutes β 175 scheduled entries, almost all unique, with only a handful of*/6hand weekday (1-5) patterns. This avoids fleet-wide thundering-herd firing.π€ Safe Outputs Analysis
Discussion-category targeting (the strongest safe-output signal available) breaks down as:
Plus
upload-assetsdetected in 25 workflows.auditsoverwhelmingly dominates discussion output β this agent is one of that cohort.ποΈ Structural Characteristics
release)smoke-copilot)Roughly 45% of all steps are shell/script steps. The step count (79β163 per file) is remarkably consistent, again confirming heavy shared scaffolding.
π Permission Patterns
Every workflow reads
contents+actions. Write access is dominated byissues(249) β the most common output channel β followed bycontents(131) andpull-requests(123). Notably, more workflows write discussions (92) than read them (50), consistent with report-publishing agents.π§© Tool & MCP Patterns
githubis the near-universal MCP integration (~39% of workflows);serena(code intelligence) is a distant second. The long tail of single-use servers (semgrep, agentdb, context7, memory, ...) shows broad experimentation with specialized tooling.Timeouts: 256 workflows sit in the 31β60 min band; 28 also declare 6β15 min job caps; 2 use β€5 min. Engine field: detector reports a single engine string across all 256 files (uniform compilation target).
π Interesting Findings
workflow_dispatch, so nearly everything can be hand-triggered even when primarily scheduled.auditsdiscussion category β auditing/reporting is the single largest workload class in this repo.π Historical Trends (2026-07-08 β 2026-07-09)
Three workflows were removed (notably
test-workflow.lock.yml), trimming ~355 KB and ~300 steps. Scheduled workflows ticked up (+2) even as the total shrank, andgithubMCP usage dropped by 4. Aggregate averages (size, steps/WF, jobs/WF) stayed essentially flat β the changes are compositional, not structural.β Recommendations
issues:writescope. 249 workflows hold issue-write; audit whether all genuinely emit issues or could drop to read.safe-outputsmanifest in each lockfile would make this report exact.Methodology: single-script compact JSON analysis. All 256
.github/workflows/*.lock.ymlfiles were parsed once by a cached PyYAML analyzer (lockfile_stats_v1) into a ~5.8 KB summary; all figures above derive solely from that summary and the persisted daily history. 0 lockfiles skipped.Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions