[lockfile-stats] Agentic Workflow Lock File Statistics — 2026-04-12

[github-actions[bot]]

Overview

Analysis of all 187 .lock.yml files in .github/workflows/ as of 2026-04-12. Total corpus size reached 13.5 MB — a +17.4% increase from 11.5 MB two weeks ago (2026-03-30), while file count grew from 178 to 187 (+5.1%). Today's run shows notable growth: 3 additional files crossed the 100 KB threshold (now 6 files > 100 KB, up from 3 yesterday), and average file size jumped from 71.1 KB to 74.0 KB (+2.9 KB) in a single day.

The repository has 4 AI engines represented: Copilot (66%), Claude (28%), Codex (6%), and Gemini (<1%). The dominant workflow pattern is schedule + workflow_dispatch (66% of all workflows), reflecting a fleet primarily designed for automated, recurring tasks.

---

Executive Summary

Metric	Value
Total lock files	187
Total corpus size	13.5 MB
Average file size	74.0 KB
Smallest file	codex-github-remote-mcp-test.lock.yml (30.5 KB)
Largest file	smoke-claude.lock.yml (155.9 KB)
Average steps / workflow	89.4
Average jobs / workflow	7.4
Average timeout	19.1 min
Analysis date	2026-04-12

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	6	3.2%
50–100 KB	175	93.6%
> 100 KB	6	3.2%

The 50–100 KB bucket dominates (93.6%), indicating a highly standardized lock file structure. The 6 files above 100 KB are likely more complex multi-job workflows.

---

Trigger Analysis

Most Popular Triggers

Trigger	Count	% of Workflows	Notes
workflow_dispatch	172	91.9%	Near-universal manual trigger
schedule	136	72.7%	Recurring automation
pull_request	31	16.6%	PR-driven automation
issue_comment	15	8.0%	Comment-triggered agents
issues	12	6.4%	Issue lifecycle events
pull_request_review_comment	6	3.2%	Review automation
discussion	4	2.1%	Discussion events
discussion_comment	4	2.1%	Discussion comments
workflow_call	2	1.1%	Reusable workflows
workflow_run	1	0.5%	Run-chained workflows
push	1	0.5%	Push-triggered

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	123	65.8%
workflow_dispatch only	17	9.1%
pull_request + workflow_dispatch	13	7.0%
pull_request + schedule + workflow_dispatch	9	4.8%
issue_comment only	3	1.6%
issue_comment + issues + pull_request	2	1.1%
Full event suite (discussion + pr + issue + comment)	2	1.1%
workflow_call + workflow_dispatch	2	1.1%

The schedule + workflow_dispatch combo is used by nearly two-thirds of all workflows, making it the canonical agentic pattern: automated scheduling with optional manual trigger.

Schedule Pattern Analysis (top 30 unique cron expressions)

Cron Expression	Count	Pattern
37 2 * * *	2	Daily 02:37
48 12 * * *	2	Daily 12:48
23 3 * * *	2	Daily 03:23
7 4 * * *	2	Daily 04:07
6 11 * * 1-5	2	Weekdays 11:06
27 10 * * *	2	Daily 10:27
52 11 * * *	2	Daily 11:52
19 10 * * *	2	Daily 10:19
37 3 * * *	2	Daily 03:37
27 */6 * * *	1	Every 6 hours
25 */6 * * *	1	Every 6 hours
49 */4 * * *	1	Every 4 hours
7 8 * * 1	1	Weekly (Monday)
33 5 * * 0	1	Weekly (Sunday)
26 11 * * 3	1	Weekly (Wednesday)
(remainder)	1 each	Various daily/weekday

Frequency breakdown:

• Daily schedules: ~120 instances (vast majority)
• Weekday-only (Mon–Fri): ~9 instances
• Weekly (single day): ~3 instances
• High-frequency (every 4–6 hours): ~3 instances

Schedules use deliberately spread-out times (off :00/:30) to avoid thundering-herd effects on the CI/CD platform.

---

Safe Outputs Analysis

Action Safe Output Types (top tools, excluding baseline noop/missing_tool/missing_data)

Safe Output Tool	Raw Count	Aggregated Workflows (est.)
create_discussion	61 + 2*(max:2)*	~63
create_issue (all variants)	41+7+4+3+2+2+1+1	~61
create_pull_request (all variants)	37+1+1	~39
add_comment (all variants)	18+18+3+2+2+1+1+1	~46
upload_asset	15+1	~16
add_labels (all variants)	12+1+1+1+1	~16
push_to_pull_request_branch	8	8
submit_pull_request_review	8	8
create_pull_request_review_comment	4+2+1	~7
remove_labels	4	4
create_code_scanning_alert	3	3
dispatch_workflow	3	3
assign_to_agent	2+1	~3
send_slack_message	2	2
notion_add_comment	2	2
link_sub_issue	2+1	~3
create_project_status_update	2	2

Baseline tools (noop, missing_tool, missing_data) appear in 181 of 187 workflows (96.8%) — standard safe-output hygiene.

Most Common Safe Output Combinations

Combination	Count
create_discussion only	35
create_issue only	24
create_pull_request only	22
create_discussion + upload_asset	13
add_comment(max:2) only	6
add_comment only	5
add_comment + create_pull_request	4
create_issue + create_pull_request	2
create_code_scanning_alert only	2
create_discussion + create_issue(max:3)	2

Discussion Category Distribution

Category	Count
audits	46
announcements	4
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1
(unresolved object reference)	5

The audits category accounts for 71% of all discussion-targeting workflows, making it the primary output channel for reporting agents. 5 workflows reference the discussion category via an object (dynamic lookup) rather than a static string.

---

Engine / Agent Distribution

Engine	Count	%
Copilot	123	65.8%
Claude	52	27.8%
Codex	11	5.9%
Gemini	1	0.5%

The Copilot fleet is the largest, but Claude represents over a quarter of all workflows. Codex is a smaller but distinct segment. Gemini represents an experimental single workflow.

---

MCP Server Usage

MCP Container	Count	% of Workflows
github-mcp-server	182	97.3%
gh-aw	30	16.0%
serena-mcp-server	23	12.3%
mcp (generic)	11	5.9%
markitdown	3	1.6%
brave-search	2	1.1%
ast-grep	2	1.1%
arxiv-mcp-server	2	1.1%
notion	2	1.1%
semgrep	1	0.5%
context7	1	0.5%
python	1	0.5%
memory	1	0.5%
node	1	0.5%

github-mcp-server is nearly universal (97.3%). gh-aw (16%) and serena-mcp-server (12.3%) are secondary servers for specialized capabilities. The long tail includes domain-specific tools: academic (arxiv-mcp-server), code analysis (ast-grep, semgrep), documentation (markitdown), and external integrations (notion, brave-search).

---

Permission Patterns

Read Permissions

Permission	Count
contents	945
actions	267
pull-requests	168
issues	162
discussions	37
security-events	11
checks	1
packages	1

Write Permissions

Permission	Count
issues	379
discussions	248
pull-requests	203
contents	163
copilot-requests	95
security-events	9
actions	6
attestations	1
id-token	1
packages	1
statuses	1

contents: read (945 instances) dominates — virtually every job needs to read the repository. Write permissions are spread across issues, discussions, and pull-requests, reflecting the three primary GitHub output surfaces. The copilot-requests: write permission (95 instances) is Copilot-engine-specific.

---

Structural Characteristics

Step & Job Complexity

Metric	Value
Average steps / workflow	89.4
Max steps	120 (copilot-token-audit.lock.yml)
Min steps	38 (codex-github-remote-mcp-test.lock.yml)
Total steps across all files	16,719
Average jobs / workflow	7.4

Timeout Distribution

Timeout (min)	Occurrences
20	208
15	208
10	49
30	43
45	17
5	13
60	4
90	1
180	1
25	1

Average timeout: 19.1 minutes. The bimodal peak at 15 and 20 minutes reflects two standard step timeout tiers used across the fleet. Only 6 workflows use timeouts ≥ 60 minutes, likely for long-running analysis tasks.

---

Historical Trends (2026-03-30 → 2026-04-12)

Date	Files	Avg KB	Total MB	>100KB Files	Avg Steps
2026-03-30	178	66.2	11.5	0	87.1
2026-03-31	178	66.1	11.5	0	87.5
2026-04-01	178	66.1	11.5	0	87.5
2026-04-02	179	66.5	11.6	3	89.4
2026-04-03	179	65.7	11.5	3	88.5
2026-04-04	184	65.7	11.8	3	88.3
2026-04-05	180	67.6	11.9	3	88.6
2026-04-06	181	68.1	12.0	3	88.9
2026-04-07	182	70.0	12.4	3	90.0
2026-04-08	182	70.8	12.6	3	—
2026-04-09	187	70.5	12.9	3	89.5
2026-04-10	187	70.4	12.9	3	89.4
2026-04-11	187	71.1	13.0	3	89.4
2026-04-12	187	74.0	13.5	6	89.4

Key trends:

• File count: +9 files over 2 weeks (+5.1%), stabilized at 187 since Apr 9
• Total size: +17.4% over 2 weeks — size is growing faster than file count (existing files are growing)
• Average size: +11.8% (66.2 → 74.0 KB) — each run adds content to lock files (history, context accumulation)
• Large files (>100 KB): Doubled from 3 to 6 today (+3 files crossed threshold in a single day)
• Steps: Stable at ~89 since Apr 2 after an initial jump from 87

---

Interesting Findings

1. Lock files grow over time. The +17.4% total size growth over 14 days while file count grew only 5.1% suggests lock files accumulate run history or context. Three files crossed the 100 KB mark today alone — at this trajectory, more will follow.

2. schedule + workflow_dispatch is the canonical pattern. 65.8% of workflows use this exact combination — automated recurring execution with a manual escape hatch. This is the dominant architectural idiom of the agentic fleet.

3. github-mcp-server is near-universal. 97.3% of workflows use it, making it effectively a required dependency of the harness — only 5 workflows go without it.

4. Safe output diversity is expanding. 70+ distinct safe output tool names exist in the corpus (including max:N variants), with exotic tools like assign_to_agent, create_agent_session, notion_add_comment, close_discussion, and create_project_status_update appearing in niche workflows.

5. Copilot dominates by count, but Claude has the largest single workflow. The largest file is smoke-claude.lock.yml at 155.9 KB vs. the smallest being a Codex test file at 30.5 KB — Claude workflows tend to be larger in structure.

6. 5 workflows use dynamic discussion category references. Identified as "object - Category info with name field" — these workflows look up the category at runtime rather than hardcoding a string, which is a more flexible but potentially fragile pattern.

---

Recommendations

1. Monitor size growth trajectory. At +2.9 KB/day average, files will begin exceeding 100 KB more frequently. Consider whether lock file history rotation or pruning is needed to prevent runaway growth.

2. Standardize add_comment max limits. There are 8 distinct add_comment(max:N) variants (2, 3, 5, 10, 15, 20, 50, plus unlimited). A fleet-wide convention would reduce complexity.

3. Investigate the 6 workflows missing baseline safe-output tools. The 6 files without noop/missing_tool/missing_data may be outdated configurations that predate the safe-output hygiene standard.

4. Track the 5 dynamic discussion category references. These "object - Category info" patterns deserve attention to ensure they resolve correctly at runtime and don't silently fail.

5. The Gemini workflow is unique. With only 1 Gemini-engine workflow in the fleet, it warrants monitoring to understand if it's experimental, deprecated, or a planned expansion.

---

Methodology

• Lock files analyzed: 187 (all .lock.yml in .github/workflows/)
• Analysis script: /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.py (reused from cache)
• Historical data: /tmp/gh-aw/cache-memory/history/ (14-day trend)
• Parsing approach: Regex-based extraction of YAML structure, safe-output-tools blocks, and metadata comments
• Workflow run: §24294505535

References:

• §24294505535

Generated by Lockfile Statistics Analysis Agent · ● 128.7K · ◷

• expires on Apr 13, 2026, 12:07 AM UTC

[github-actions[bot]]

💥 KAPOW! 🦸♂️

WHOOSH! The smoke test agent has ARRIVED!

Meanwhile, at the Claude engine...

🤖: "By the power of all neural networks combined... SMOKE TEST ACTIVATED!"

💥 ZAP! All systems: NOMINAL!
💫 WHOOSH! GitHub MCP: ONLINE!
⚡ BOOM! Serena LSP: ENGAGED!
🦾 POW! Make Build: SUCCESS!

The villain: flaky CI — DEFEATED!

"With great agentic power comes great smoke-test responsibility."
— Run §24295465170

💥 [THE END] — Illustrated by Smoke Claude · ● 176.9K · ◷