You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Analysis of all 257.github/workflows/*.lock.yml files as of 2026-07-13. All files parsed cleanly with PyYAML (yaml_available: true, 0 skipped).
Metric
Value
Lockfiles
257
Total size
31.49 MB (31,490,729 B)
Avg / Median size
122.5 KB / 120.7 KB
Min / Max size
81.4 KB / 189.9 KB
Total jobs / steps / run-steps
1,612 / 30,129 / 13,609
Engines detected
copilot 64, claude 60, codex 14 (+3 singletons)
File Size Distribution
Bucket
Count
100–250 KB
248
50–100 KB
9
Lockfiles are large and tightly clustered (~120 KB), reflecting the substantial boilerplate the compiler injects. Largest:smoke-copilot-aoai-entra (185.5 KB), smoke-copilot-aoai-apikey (185.1 KB), smoke-copilot (185.0 KB). Smallest:example-permissions-warning (79.5 KB), firewall (80.4 KB), codex-github-remote-mcp-test (80.6 KB).
Trigger Analysis
Trigger
Workflows
workflow_dispatch
249
schedule
175
pull_request
35
issues
4
push / workflow_call
2 / 2
Top trigger combinations:schedule+workflow_dispatch (171), workflow_dispatch alone (44), pull_request+workflow_dispatch (28). Nearly every workflow (249/257) keeps a manual dispatch escape hatch. Schedules are well spread across the clock and use off-round minutes (fleet-friendly). Cadence mix: daily dominates, with a band of weekday-only (* * 1-5) and several */6h / */12h high-frequency jobs.
Safe Outputs Analysis
Note:noop, missing-tool, missing-data, report-incomplete, and create-report-incomplete-issue appear in ~252 files each — these are runtime-injected defaults present in nearly every lockfile, not author-configured outputs. The counts below are the meaningful, author-chosen ones.
Safe output
Workflows
create-issue
117
create-discussion
87
add-comment
67
create-pull-request
54
push-repo-memory
36
add-labels
26
upload-asset
25
create-pull-request-review-comment
15
submit-pull-request-review
15
update-issue
11
push-to-pull-request-branch
11
Discussion categories:audits 76, announcements 5, artifacts 2, dev 2, daily-news 1, research 1. The audits category is the overwhelming publish target.
Structural Characteristics
Metric
Min
Avg
Max
Jobs / workflow
4
6.27
12
Steps / workflow
79
117.2
163
Most-jobs: release (12). Most-steps: smoke-copilot (163). Across the fleet: 1,612 jobs, 30,129 steps, 13,609 run/script steps.
Permission Patterns
Scope
Read
Write
contents
257
131
actions
257
4
issues
220
250
pull-requests
226
124
discussions
50
92
copilot-requests
—
67
security-events
14
3
contents:read and actions:read are universal. issues:write (250) is the most common write scope — consistent with the issue/comment-heavy safe-output profile.
Timeout & Engine Patterns
Timeouts: 31–60 min band on every workflow (257), with 28 also carrying a short 6–15 min job and 2 with ≤5 min jobs — i.e. a short setup job plus a longer agent job.
Engines: copilot 64, claude 60, codex 14, plus antigravity/gemini/opencode singletons. A large other bucket (116) reflects a detection gap in the regex-based engine sniff rather than 116 unknown engines — see Methodology.
github is the dominant MCP server (101); serena (code navigation) is a strong second at 24. The long tail is diverse: search (tavily/brave), observability (sentry/grafana/datadog), docs (markitdown/microsoftdocs/deepwiki), and research (arxiv).
Interesting Findings
Boilerplate dominates size. 248/257 lockfiles sit in the 100–250 KB band with a median of 120 KB — the author-authored surface is a small fraction of each compiled file.
Manual dispatch is near-universal (249/257). Almost every scheduled workflow keeps a workflow_dispatch escape hatch — a healthy operability pattern.
Issues are the default output channel.issues:write on 250 workflows and create-issue configured on 117 make issues the fleet's primary write surface, ahead of discussions and PRs.
audits is the discussion monoculture. 76 of 87 discussion-writing workflows target the audits category — this report included.
Off-round cron scheduling is the norm. Cron minutes are spread (e.g. 49 14, 23 11, 27 */6) rather than piling on :00, reducing fleet-wide API bursts.
Historical Trends
Day-over-day vs 2026-07-12 (same schema lockfile_stats_v1):
Metric
07-12
07-13
Δ
Lockfiles
256
257
+1
Total bytes
30.71 MB
31.49 MB
+0.79 MB (+2.6%)
Steps
30,020
30,129
+109
Run/script steps
13,561
13,609
+48
MCP github
100
101
+1
Steady incremental growth: one net-new workflow added, adding ~785 KB and ~109 steps. Engine and MCP mix are unchanged day-over-day. (Summaries older than 2026-07-10 used a different engine/MCP detection method — e.g. token-occurrence MCP counts in the thousands — so cross-method comparisons before then are not meaningful.)
Recommendations
Reduce the other engine bucket by extending the analyzer's engine-detection regex so the 116 unmatched files resolve to real engines — the current split understates true engine share.
Consider size budgets. With a 30 MB compiled footprint growing ~2–3%/day, a per-lockfile size guardrail (e.g. warn >180 KB) would catch runaway boilerplate early.
Audit issues:write breadth. 250 workflows hold issue-write; confirm each truly emits issue-family outputs and trim scopes where only reads are needed.
Spread the audits load. 76 workflows publishing to one category can bury signal — consider sub-categories or digest rollups.
Methodology
Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parsed all 257 lockfiles with yaml.safe_load in a single pass, emitting a ~7 KB summary JSON; all reasoning was derived from that summary (no per-file reads). Safe-output types, discussion categories, and permissions use regex/job-name detection over the compiled YAML, so the boilerplate default outputs are counted alongside author-configured ones (flagged above), and engine detection has a known other gap. History is persisted under cache-memory/history/<date>.json for trend deltas.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
Analysis of all 257
.github/workflows/*.lock.ymlfiles as of 2026-07-13. All files parsed cleanly with PyYAML (yaml_available: true, 0 skipped).File Size Distribution
Lockfiles are large and tightly clustered (~120 KB), reflecting the substantial boilerplate the compiler injects. Largest:
smoke-copilot-aoai-entra(185.5 KB),smoke-copilot-aoai-apikey(185.1 KB),smoke-copilot(185.0 KB). Smallest:example-permissions-warning(79.5 KB),firewall(80.4 KB),codex-github-remote-mcp-test(80.6 KB).Trigger Analysis
Top trigger combinations:
schedule+workflow_dispatch(171),workflow_dispatchalone (44),pull_request+workflow_dispatch(28). Nearly every workflow (249/257) keeps a manual dispatch escape hatch. Schedules are well spread across the clock and use off-round minutes (fleet-friendly). Cadence mix: daily dominates, with a band of weekday-only (* * 1-5) and several*/6h/*/12hhigh-frequency jobs.Safe Outputs Analysis
Discussion categories:
audits76,announcements5,artifacts2,dev2,daily-news1,research1. Theauditscategory is the overwhelming publish target.Structural Characteristics
Most-jobs:
release(12). Most-steps:smoke-copilot(163). Across the fleet: 1,612 jobs, 30,129 steps, 13,609 run/script steps.Permission Patterns
contents:readandactions:readare universal.issues:write(250) is the most common write scope — consistent with the issue/comment-heavy safe-output profile.Timeout & Engine Patterns
Timeouts: 31–60 min band on every workflow (257), with 28 also carrying a short 6–15 min job and 2 with ≤5 min jobs — i.e. a short setup job plus a longer agent job.
Engines: copilot 64, claude 60, codex 14, plus antigravity/gemini/opencode singletons. A large
otherbucket (116) reflects a detection gap in the regex-based engine sniff rather than 116 unknown engines — see Methodology.Tool & MCP Patterns
githubis the dominant MCP server (101);serena(code navigation) is a strong second at 24. The long tail is diverse: search (tavily/brave), observability (sentry/grafana/datadog), docs (markitdown/microsoftdocs/deepwiki), and research (arxiv).Interesting Findings
workflow_dispatchescape hatch — a healthy operability pattern.issues:writeon 250 workflows andcreate-issueconfigured on 117 make issues the fleet's primary write surface, ahead of discussions and PRs.auditsis the discussion monoculture. 76 of 87 discussion-writing workflows target theauditscategory — this report included.49 14,23 11,27 */6) rather than piling on:00, reducing fleet-wide API bursts.Historical Trends
Day-over-day vs 2026-07-12 (same schema
lockfile_stats_v1):Steady incremental growth: one net-new workflow added, adding ~785 KB and ~109 steps. Engine and MCP mix are unchanged day-over-day. (Summaries older than 2026-07-10 used a different engine/MCP detection method — e.g. token-occurrence MCP counts in the thousands — so cross-method comparisons before then are not meaningful.)
Recommendations
otherengine bucket by extending the analyzer's engine-detection regex so the 116 unmatched files resolve to real engines — the current split understates true engine share.issues:writebreadth. 250 workflows hold issue-write; confirm each truly emits issue-family outputs and trim scopes where only reads are needed.auditsload. 76 workflows publishing to one category can bury signal — consider sub-categories or digest rollups.Methodology
Single-script compact JSON analysis: one cached Python analyzer (
lockfile_stats_v1.py) parsed all 257 lockfiles withyaml.safe_loadin a single pass, emitting a ~7 KB summary JSON; all reasoning was derived from that summary (no per-file reads). Safe-output types, discussion categories, and permissions use regex/job-name detection over the compiled YAML, so the boilerplate default outputs are counted alongside author-configured ones (flagged above), and engine detection has a knownothergap. History is persisted undercache-memory/history/<date>.jsonfor trend deltas.References: §29282982423
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions