[lockfile-stats] Lockfile Statistics Audit — 2026-07-12 #45136
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Lockfile Statistics Analysis Agent. A newer discussion is available at Discussion #45325. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
Analysis of 256 compiled
.github/workflows/*.lock.ymlfiles on 2026-07-12. Total footprint 30.71 MB (avg 117.1 KB/file, median 115.6 KB, range 79.5 KB–181.4 KB); 0 malformed/skipped. Aggregate structure is large and highly uniform: 1,605 jobs, 30,020 steps, 13,561 run-scripts. Compared to the prior snapshot (2026-07-11), the corpus is essentially flat — same count, jobs, steps, and scripts; total bytes grew only +41 KB (+0.13%).example-permissions-warning) / 181.4 KB (smoke-copilot-aoai-entra)File Size Distribution
Sizes cluster tightly around ~117 KB — the compiled preamble (safe-output plumbing, MCP setup, permission scaffolding) dominates, so file size tracks feature surface more than authored prompt length. The
smoke-*family (Copilot AOAI/Entra/APIKey, Claude, Codex) tops the list at 157–181 KB.Trigger Analysis
workflow_dispatchschedulepull_requestissuespush/workflow_callissue_commentTop combinations:
schedule+workflow_dispatch(171),workflow_dispatch-only (44),pull_request+workflow_dispatch(27). 97% of workflows expose manual dispatch. Cron schedules are well-distributed to avoid thundering-herd — most fire once daily on staggered off-minutes; a handful use*/6/*/4/*/12hourly cadences and1-5weekday windows.Safe Outputs Analysis
Every workflow ships the baseline safety quartet (
noop,missing-tool,missing-data,report-incomplete,create-report-incomplete-issue— 251 each). Beyond the baseline, the actual write intents:Discussion categories:
audits(76),announcements(5),artifacts(2),dev(2),daily-news(1),research(1). Audits dominate discussion output — this workflow is one of them.Structural Characteristics
Totals: 1,605 jobs, 30,020 steps, 13,561 run-scripts. Most-jobs:
release.lock.yml(12). Most-steps:smoke-copilot.lock.yml(163). The ~117 steps/workflow floor reflects generated boilerplate common to all compiled agents.Permission Patterns
Read is broad-and-uniform (
actions+contentson all 256); write is scoped to intent —issues:write(249) andcontents:write(131) lead. Notably more workflows requestdiscussions:write(92) thandiscussions:read(50), consistent with write-mostly audit/report publishers.Tool & MCP Patterns
Engines: other 115, copilot 64, claude 60, codex 14, then antigravity/gemini/opencode (1 each). ("other" = engine not matched by comment marker; likely default/Claude-family compiles.)
MCP servers:
github(100) is near-universal;serena(24) is the notable second (code navigation). Long tail of specialized servers:tavily/sentry(5),grafana/markitdown(3), and single-usesemgrep,context7,agentdb,memory,notion,datadog,arxiv,deepwiki.Timeouts: every workflow caps a job in the 31–60 min band; 28 also have 6–15 min jobs; 2 have ≤5 min jobs.
Interesting Findings
serenais the breakout non-GitHub MCP. At 24 workflows it's the only third-party server in double digits, signaling meaningful investment in semantic code navigation beyond the GitHub API.smoke-*engine matrices (Copilot AOAI variants, Claude, Codex) at 157–181 KB — cross-engine test surface costs the most compiled bytes.noop/missing-tool/report-incompletequartet — a small cohort of 5 compiles without the standard safety outputs and may warrant review.Historical Trends
Day-over-day vs 2026-07-11 — the corpus is stable:
Engine mix, safe-output counts, discussion categories, and MCP usage are unchanged from the prior day. The +41 KB delta reflects minor edits to existing lockfiles rather than any added workflow. History spans 2026-05-20 → 2026-07-12 (52 snapshots); the count grew from the low-200s in late May to a stable 256 through July.
Recommendations
report-incomplete/missing-toolis intentional; these tools are the primary guard against silent no-op runs.smoke-*compiled surface — the six ~180 KB smoke matrices dominate corpus bytes; if the engine variants share a template, consider a matrix strategy to reduce duplicated compiled scaffold.discussions:writewithoutreadare correctly scoped; keep enforcing least-privilege as new audit workflows are added.:00/:30marks as the schedule count (175) grows to prevent runner contention.Methodology
Single-script compact JSON analysis: one cached Python analyzer (
lockfile_stats_v1.py, PyYAMLsafe_loadprimary with regex fallback for safe-outputs/permissions/categories) parsed all 256 lockfiles in one pass into a ~7 KB summary JSON; all figures above derive from that summary and a diff against the prior day's cached snapshot. No individual lockfile was opened for analysis outside the analyzer.yaml_available: true, 0 files skipped.Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions