[lockfile-stats] Lockfile Statistics Audit — 2026-06-22 (249 workflows, 29.29 MB)

[github-actions[bot]]

Executive Summary

Analysis of 249 compiled .github/workflows/*.lock.yml files (0 malformed/skipped) as of 2026-06-22.

Metric	Value	Δ vs 2026-06-21
Lockfiles	249	0
Total size	29.29 MB (29,290,729 B)	+66.2 KB (+0.23%)
Avg size	117,633 B	+266 B
Median size	116,840 B	+374 B
Min / Max	79,871 / 176,810 B	—
Total jobs	1,999	−1
Total steps	28,443	+266
Total run-script blocks	12,921	+366

Lockfiles are uniformly large (min ~78 KB) — generated agentic workflows carry substantial boilerplate.

File Size Distribution

Bucket	Count	Δ
100–250 KB	237	+1
50–100 KB	12	−1

One workflow crossed the 100 KB boundary since yesterday. Avg jobs/workflow 8.03, steps/workflow 114.23 (was 113.16).

Largest & smallest lockfiles

Largest: smoke-copilot-aoai-entra (176.8 KB), smoke-copilot-aoai-apikey (176.5 KB), smoke-copilot (176.0 KB), smoke-claude (172.3 KB), smoke-copilot-arm (164.0 KB), mcp-inspector (150.1 KB), deep-report (148.8 KB), smoke-codex (146.6 KB), issue-monster (144.8 KB), dataflow-pr-discussion-dataset (141.6 KB).

Smallest: test-workflow (79.9 KB), example-permissions-warning (80.6 KB), firewall (81.8 KB), codex-github-remote-mcp-test (81.9 KB), hippo-embed (88.9 KB).

Trigger Analysis

Trigger	Workflows
workflow_dispatch	241
schedule	167
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top combinations: schedule+workflow_dispatch 163, workflow_dispatch only 48, pull_request+workflow_dispatch 26. 97% of workflows expose manual dispatch.

Schedule cadence: 167 scheduled crons, overwhelmingly daily (m h * * *) with a cluster of weekday-only (* * 1-5) and every-6-hour (*/6) jobs. Minute offsets are well-spread (no :00 clustering), reflecting jittered scheduling.

Safe Outputs & Discussion Categories

The text-heuristic pass did not resolve structured safe-output type or discussion-category fields in this run (YAML parser unavailable in the analyzer env → these maps were empty). Tracked as a methodology gap below rather than a "zero usage" claim.

Structural Characteristics

Metric	min	avg	max	max workflow
Jobs/wf	5	8.03	12	firewall-escape
Steps/wf	77	114.23	153	smoke-copilot

Script blocks grew +366 day-over-day — generated workflows are getting marginally heavier per file.

Permission Patterns

Top-level permissions resolved as empty/{} for all 249 via the heuristic pass (job-level and minimization markers not captured without YAML). Flagged as a known analyzer limitation.

Tool & MCP Patterns

MCP server	Reference count
github	5,152
playwright	126
sentry	96
grafana	28
ruflo	16
arxiv	6
deepwiki	6

GitHub MCP dominates. The most-referenced GitHub tools (each in ~112 workflows) are read-oriented: issue_read, get_pull_request*, list_commits, get_file_contents, list_discussions, get_code_scanning_alert, etc. — consistent with the read-only GitHub MCP posture.

Engine distribution: copilot 156, claude 56, pi 19, codex 14; antigravity / crush / gemini / opencode 1 each. Copilot powers 63% of workflows.

Timeouts (per job): 31–60 min ×279, 16–30 min ×218, 6–15 min ×119, ≤5 min ×16, >60 min ×2.

Interesting Findings

1. Smoke-test workflows are the heaviness drivers — the 5 largest files are all smoke-* engine matrices (164–177 KB), each bundling multi-engine setup.
2. Near-universal manual override — 241/249 (97%) ship workflow_dispatch, making every scheduled agent manually re-runnable.
3. Steady organic growth — total bytes +0.23% and script blocks +366 in one day with no change in workflow count, i.e. existing workflows are being enriched, not just added.
4. GitHub MCP reference count fell 5,824 → 5,152 (−672, −11.5%) while file sizes rose — suggests a tool-list trim/dedup in regenerated lockfiles even as content grew.
5. Read-only GitHub surface — every top GitHub tool is a getter/lister; no write tools appear in the top-30, matching the read-only MCP contract.

Historical Trends (2026-06-21 → 2026-06-22)

Metric	Yesterday	Today	Δ
Total bytes	29,224,559	29,290,729	+66,170
Avg size	117,367	117,633	+266
Total steps	28,177	28,443	+266
Script blocks	12,555	12,921	+366
Total jobs	2,000	1,999	−1
GitHub MCP refs	5,824	5,152	−672
16–30 min timeouts	267	218	−49
Max steps (smoke-copilot)	152	153	+1

Workflow count, trigger mix, cron set, and engine distribution were stable; the movement is in incremental per-file growth and MCP tool-list compaction.

Recommendations

1. Trim smoke-test lockfile bloat — the smoke-* matrix files (>164 KB) are the size outliers; consider shared/templated setup to cut duplicated boilerplate.
2. Investigate the −672 GitHub MCP reference drop to confirm it's intentional tool-list minimization (good) rather than accidental tool loss.
3. Restore structured introspection — add an embedded-config (YAML/JSON frontmatter) parse path so safe-output types, discussion categories, and permission scopes are measured directly rather than via text heuristics.
4. Watch the 100 KB cohort — 237/249 already exceed 100 KB and the band is still growing; set a soft size budget for generated lockfiles.

Methodology

Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parsed all 249 lockfiles in one pass, emitting a ~4.8 KB summary JSON; all figures above derive from that summary and the persisted prior-day snapshot. Permission/safe-output/category maps were empty because the analyzer ran without a YAML parser (text heuristics only) — noted as a limitation, not zero usage. 0 lockfiles malformed/skipped.

Generated by 📊 Lockfile Statistics Analysis Agent · 81.1 AIC · ⌖ 12 AIC · ⊞ 5K · ◷

• expires on Jun 23, 2026, 1:16 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #41102.