[lockfile-stats] Lockfile Statistics Audit — 2026-06-14 (246 workflows, 27.6 MiB compiled)

[github-actions[bot]]

Executive Summary

Snapshot of 246 compiled .github/workflows/*.lock.yml files on 2026-06-14. None malformed (0 skipped).

Metric	Value
Lockfiles	246
Total compiled size	28,897,026 bytes (~27.6 MiB)
Avg / median size	117,467 B / 116,629 B
Min / max size	77,861 B / 176,621 B
Jobs (total / avg / max)	1,979 / 8.04 / 12
Steps (total / avg / max)	28,448 / 115.6 / 154
run: scripts (total)	12,833

File Size Distribution

Compiled lockfiles are uniformly large — every file exceeds 50 KB, and 95% exceed 100 KB.

Bucket	Count
100–250 KB	234
50–100 KB	12

Largest: smoke-copilot-aoai-entra (176.6 KB), smoke-copilot-aoai-apikey (176.2 KB), smoke-copilot (175.5 KB), smoke-claude (173.4 KB), smoke-copilot-arm (163.3 KB).
Smallest: test-workflow (77.9 KB), example-permissions-warning (78.6 KB), codex-github-remote-mcp-test (79.4 KB), firewall (79.8 KB).

Trigger Analysis

Trigger	Workflows
workflow_dispatch	238
schedule	165
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top trigger combinations: schedule+workflow_dispatch (161), workflow_dispatch only (47), pull_request+workflow_dispatch (26). The scheduled-plus-manual pattern dominates (65% of all workflows), confirming this fleet is overwhelmingly cron-driven agentic automation with a manual escape hatch.

Schedule cadence: 165 scheduled triggers across ~30 distinct cron lines; nearly all run once daily, a handful */4–*/6 hourly, and several weekday-only (* * 1-5). Cron minutes are well-jittered (no clustering on :00), which is good for avoiding API thundering-herd.

Safe Outputs Analysis

⚠️ The current lockfile_stats_v1 extractor returned an empty safe_output_types map for this run — safe-output declarations were not reliably parsed from the compiled lock format. This is a known gap in the v1 schema (the earlier extractor populated it). Treat safe-output counts as not measured this run; a v2 schema bump is recommended (see Recommendations). For reference, the most recent populated snapshot (2026-05-20) showed create_discussion and create_issue declared in all 233 workflows, with add_comment (71), create_pull_request (56), and push_to_pull_request_branch (57) common.

Structural Characteristics

Dimension	Min	Avg	Max	Max holder
Jobs / workflow	5	8.04	12	firewall-escape
Steps / workflow	78	115.6	154	smoke-copilot

Compiled workflows are structurally heavy: a typical agentic workflow expands to ~8 jobs and ~116 steps. Total fleet footprint is ~28.4k steps and ~12.8k inline scripts.

Permission Patterns

⚠️ permissions_read / permissions_write came back empty under v1; the extractor classified all 246 top-level permission blocks as {} (empty/default). This likely reflects that the compiler emits permissions at the job level rather than top-level, which v1 does not descend into. Not measured this run — flagged for the v2 schema bump.

Tool & MCP Patterns

Engines (per compiled job/config occurrence): copilot (164), claude (63), codex (14), plus one each of antigravity, crush, gemini, opencode, pi. Copilot is the majority engine (~68%), Claude second (~26%).

MCP servers (occurrence frequency): github (6,552 — overwhelmingly dominant), playwright (168), sentry (64), ruflo (16), grafana (14), arxiv (6), deepwiki (6).

MCP tool surface: the GitHub MCP read toolset is uniformly mounted — 30+ github::* tools each appear in exactly 126 workflows (e.g. get_pull_request, list_issues, search_code, get_workflow_run_logs). That flat 126 count indicates a shared default GitHub toolset template applied to roughly half the fleet.

Interesting Findings

1. Copilot overtook Claude as the dominant engine in this fleet — 164 vs 63 occurrences. The smoke-copilot-* variants (Entra, API-key, ARM, AOAI) are also the four largest lockfiles, so Copilot config expansion is the single biggest size contributor.
2. GitHub MCP usage is concentrated and templated — 6,552 github-server references and a flat 126-workflow footprint per tool point to a one-size default toolset rather than per-workflow least-privilege tool selection.
3. Uniform size floor: zero lockfiles under 50 KB. Compilation boilerplate (~78 KB minimum even for test-workflow) means the marginal cost of any workflow is high — worth investigating shared-template extraction.
4. firewall-escape is the structural outlier at 12 jobs (fleet max), 50% above the 8-job average.
5. Cron hygiene is good — minutes are jittered across the hour with no :00 clustering, reducing API burst risk for 165 scheduled workflows.

Historical Trends

Comparing latest prior day 2026-06-13 → 2026-06-14 (both 246 lockfiles):

Metric	06-13	06-14	Δ
Total bytes	28,662,127	28,897,026	+234,899 (+0.82%)
Avg size	116,512	117,467	+955
Steps (total)	27,956	28,448	+492
Avg steps/wf	113.6	115.6	+2.0
Max steps	152	154	+2
100–250 KB bucket	229	234	+5
50–100 KB bucket	17	12	−5
Jobs (total)	1,979	1,979	0
Scripts (total)	12,831	12,833	+2

Read: workflow count is flat, but compiled size and step counts are creeping up — 5 workflows crossed from the 50–100 KB band into 100 KB+ in one day, and the fleet gained ~492 steps with no new jobs. This is compiler/template growth, not new automation.

Longer arc (2026-05-20 → 2026-06-14, ~25 days): lockfiles 233 → 246 (+13), total size 22.4 MiB → 27.6 MiB (+23%), avg size 96 KB → 117 KB (+22%). Per-file expansion is outpacing file-count growth — the compiled footprint is growing faster than the number of workflows.

Recommendations

1. Bump the analyzer to lockfile_stats_v2 to restore safe-output, permission, and discussion-category extraction (descend into job-level permissions: and parse the safe-outputs config block). These three sections are currently unmeasured.
2. Investigate per-file size growth (+22% in 25 days). The uniform 78 KB floor suggests heavy shared boilerplate — extracting common setup into a reusable action/composite could shrink every lockfile.
3. Review GitHub MCP tool breadth. A flat 126-workflow / 30-tool default footprint is convenient but broad; prune to least-privilege toolsets per workflow where practical.
4. Watch the 50→100 KB migration. 5 files crossed the band in a day; if this continues, the 100–250 KB bucket will be universal within weeks.

Methodology

Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parsed all 246 lockfiles in one pass and emitted a compact (~4.8 KB) JSON summary; all insights derive from that summary plus historical snapshots in cache-memory. No lockfiles were opened individually for analysis. Empty-field caveats above reflect genuine v1 extractor gaps, surfaced honestly rather than fabricated.

References: §27511358251

Generated by 📊 Lockfile Statistics Analysis Agent · 80.3 AIC · ⌖ 29.1 AIC · ⊞ 4.5K · ◷

• expires on Jun 15, 2026, 12:44 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #39456.