[lockfile-stats] Agentic Workflow Lock File Statistics — 2026-04-08

[github-actions[bot]]

Overview

This report analyzes all 182 .lock.yml files in .github/workflows/ as of 2026-04-08. The corpus spans 12.6 MB of compiled agentic workflow definitions, covering triggers, safe output patterns, permissions, agent engines, and structural characteristics. Historical comparisons draw on 9 days of cached analysis data (2026-03-30 through 2026-04-08).

Key highlights: the overwhelming majority of workflows are scheduled + manually dispatchable, Copilot remains the dominant engine (66%), create_discussion is the most common non-default safe output, and audits is by far the most popular discussion category.

---

Executive Summary

Metric	Value
Total Lock Files	182
Total Size	12,888 KB (12.6 MB)
Average File Size	71 KB
Schema Version	v3 (100%)
Analysis Date	2026-04-08
Workflow Run	§24110436782

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10–50 KB	6	3.3%
50–100 KB	173	95.1%
> 100 KB	3	1.6%

Statistics:

• Smallest: test-workflow (28 KB)
• Largest: smoke-claude (153 KB)
• The 50–100 KB band captures 95% of all workflows, indicating highly consistent structural depth across the repository.

View smallest and largest files

5 Smallest:

File	Size
test-workflow	28 KB
example-permissions-warning	28 KB
codex-github-remote-mcp-test	28 KB
firewall	29 KB
ace-editor	34 KB

5 Largest:

File	Size
mcp-inspector	97 KB
issue-monster	98 KB
smoke-copilot-arm	116 KB
smoke-copilot	118 KB
smoke-claude	153 KB

The smoke test workflows are largest due to their multi-tool safe output configurations (up to 12 distinct output types) and comprehensive step coverage.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	168	92.3%
schedule	134	73.6%
pull_request	28	15.4%
issue_comment	15	8.2%
issues	11	6.0%
pull_request_review_comment	6	3.3%
discussion	4	2.2%
discussion_comment	4	2.2%
workflow_call	2	1.1%
workflow_run	1	0.5%
push	1	0.5%

Common Trigger Combinations

Combination	Count	% of Workflows
schedule + workflow_dispatch	121	66.5%
workflow_dispatch only	17	9.3%
pull_request + workflow_dispatch	12	6.6%
pull_request + schedule + workflow_dispatch	9	4.9%
issue_comment only	3	1.6%
issue_comment + issues + pull_request	2	1.1%
issue_comment + pull_request_review_comment	2	1.1%
issues only	2	1.1%
workflow_call + workflow_dispatch	2	1.1%
Full event suite (discussion + PR + issues + comments)	2	1.1%

Schedule Patterns

Frequency	Count	Percentage
Daily (any day)	82	61.7%
Weekday only (Mon–Fri)	39	29.3%
Multiple times per day	13	9.8%

Total scheduled workflows: 134 across 134 distinct cron expressions — nearly all unique, with only a handful shared between related workflows.

View most common cron patterns

Most schedules are unique per workflow. A few notable patterns:

• "7 4 * * *" — used by 2 workflows (4:07 AM UTC daily)
• "6 11 * * 1-5" — used by 2 workflows (11:06 AM UTC weekdays)
• "52 11 * * *" — used by 2 workflows (11:52 AM UTC daily)
• "7 */6 * * *" — every 6 hours (the most frequent recurring pattern)

The use of non-round-minute cron values (e.g., :07, :23, :37, :52) indicates deliberate jitter to avoid thundering-herd issues at the scheduler.

---

Safe Outputs Analysis

Safe Output Types Distribution

All 176 workflows with full safe-output configs include noop, missing_tool, and missing_data as baseline outputs. The table below shows actionable output types beyond those defaults:

Output Type	# Workflows	Notes
create_discussion	64	35.2% of workflows
create_issue	57	31.3%
add_comment	43	23.6%
create_pull_request	39	21.4%
upload_asset	25	13.7%
add_labels	16	8.8%
create_pull_request_review_comment	7	3.8%
push_to_pull_request_branch	7	3.8%
submit_pull_request_review	6	3.3%
update_issue	6	3.3%
remove_labels	4	2.2%
close_pull_request	3	1.6%
create_code_scanning_alert	3	1.6%
dispatch_workflow	3	1.6%
link_sub_issue	3	1.6%
assign_to_agent	2	1.1%
hide_comment	2	1.1%
close_issue	2	1.1%
send_slack_message / post_slack_message	2	1.1%
notion_add_comment	2	1.1%
update_project / create_project_status_update	2	1.1%
update_pull_request	2	1.1%

View rare safe output types (1 each)

• call_workflow
• close_discussion
• assign_to_user
• unassign_from_user
• reply_to_pull_request_review_comment
• set_issue_type
• test_environment
• add_smoked_label
• update_release
• post_to_slack_channel
• add_reviewer
• resolve_pull_request_review_thread

Workflows with Multiple Safe Outputs (3+)

23 workflows use 3 or more distinct safe output types, indicating complex, multi-modal agent behavior:

Workflow	# Output Types	Types Used
smoke-claude	12	add_comment, create_issue, close/update PR, review, labels, push, code scanning, Slack
poem-bot	12	add_comment, create_issue, update_issue, discussion, agent session, PR, labels, upload
smoke-copilot	11	add_comment, create_issue, discussion, PR review, labels, dispatch, Slack
smoke-copilot-arm	9	add_comment, create_issue, discussion, PR review, labels, dispatch, Slack
smoke-project	7	add_comment, create_issue, PR, labels, project management
smoke-codex	7	add_comment, create_issue, labels, unassign, hide, custom label

Discussion Categories

Category	Workflows
audits	46
announcements	4
reports	3
artifacts	2
research	2
dev	2
daily-news	1
security	1
agent-research	1

The audits category is used by 74% of discussion-creating workflows, establishing it as the de facto standard reporting channel.

---

Structural Characteristics

Job Complexity

Metric	Value
Average jobs per workflow	6.1
Median jobs per workflow	6
Max jobs in one workflow	10
Min jobs	2
Total jobs analyzed	1,108
Average steps per job	14.8
Median steps per job	11
Max steps in single job	56 (copilot-token-audit / agent job)
Min steps	2

Timeout Distribution

Timeout	Count	%
20 min	201	37.3%
15 min	201	37.3%
10 min	58	10.8%
30 min	42	7.8%
45 min	17	3.2%
5 min	13	2.4%
60 min	4	0.7%
90 min	1	0.2%
180 min	1	0.2%

Total timeout configs: 539 across 182 workflows (avg ~3 per workflow)
Average timeout: 19.0 minutes | Median: 15 minutes

Concurrency Patterns

Pattern	Count
gh-aw-* (workflow-scoped)	139
gh-aw-copilot-*	76
gh-aw-claude-*	38
gh-aw-*-* (workflow + ref/PR)	36
gh-aw-codex-*	5
gh-aw-copilot-*-*	2
Memory push-specific patterns	~8

---

Engine Distribution

Engine	Count	%
Copilot	120	65.9%
Claude	50	27.5%
Codex	11	6.0%
Gemini	1	0.5%

All 182 workflows use schema version v3.

---

Permission Patterns

Most Common Permissions

Permission	Read	Write
contents	905	182
issues	160	369
discussions	37	244
pull-requests	165	197
actions	260	6
copilot-requests	—	83
security-events	10	9

copilot-requests: write is granted in 42 workflows (23%), required for Copilot API access.

View rare permissions

• packages: read/write — 2 workflows
• statuses: write — 1 workflow
• attestations: write — 1 workflow
• id-token: write — 1 workflow
• checks: read — 1 workflow

---

Historical Trends (2026-03-30 to 2026-04-08)

Date	Files	Avg Size	Copilot	Claude	Codex
2026-03-30	178	66.2 KB	118	40	19
2026-03-31	178	66.1 KB	118	40	19
2026-04-01	178	66.1 KB	118	40	19
2026-04-02	179	66.5 KB	119	41	18
2026-04-03	179	65.7 KB	119	41	18
2026-04-04	184	65.7 KB	124	41	18
2026-04-05	180	67.6 KB	120	41	18
2026-04-06	181	68.1 KB	120	43	17
2026-04-08	182	71 KB	120	50	11

Key trends:

• +4 new workflows net over 9 days (178 → 182)
• Average file size grew 7.3% (66.2 KB → 71 KB), indicating growing workflow complexity
• Claude engine share surged: from 40 to 50 workflows (+25%), partly at the expense of Codex (19 → 11, -42%)
• Codex declining: lost 8 workflows over the period, trending toward consolidation into Claude/Copilot

---

Interesting Findings

1. Scheduled + dispatchable is the dominant pattern (66.5%): The schedule + workflow_dispatch combination is used by 2 in 3 workflows, enabling both automated daily runs and on-demand re-execution — a clear design convention in this repository.

2. Deliberate cron jitter: Nearly all 134 scheduled workflows use non-round minute values (e.g., :07, :23, :37, :52), a sophisticated practice to distribute load across scheduler windows and prevent API thundering-herd effects.

3. Smoke tests are comprehensive safe-output exercisers: The smoke-claude and smoke-copilot workflows each use 11–12 distinct safe output types, making them effective integration tests for the entire safe-output system.

4. Claude engine growing rapidly: Claude's share increased from 40 to 50 workflows (+25%) in just 9 days. Combined with Codex's decline (19 → 11), this suggests active migration of workflows from Codex to Claude.

5. audits category dominates discussions (74%): The concentration of discussion-creating workflows into a single category creates a well-organized audit trail, but also risks that category becoming noisy. The announcements, reports, and research categories serve specialized use cases.

6. copilot-token-audit has the most complex agent job: 56 steps in a single job, more than 3× the median, reflecting its role as a deep token analysis pipeline.

7. upload_asset is more common than expected: 25 workflows (13.7%) use upload_asset as a safe output, indicating that binary/artifact generation is a significant agentic capability beyond text outputs.

---

Recommendations

1. Monitor the audits discussion category: With 46 workflows posting there, consider adding sub-category routing or title-prefix conventions to help distinguish audit types (security, performance, code quality, etc.).

2. Track Codex → Claude migration: The rapid shift (−42% Codex in 9 days) warrants explicit tracking to ensure no workflows are inadvertently left on a deprecated engine version.

3. Review upload_asset governance: 25 workflows can publish binary assets — ensure asset retention policies, size limits, and extension allowlists are consistently enforced across all.

4. Consider standardizing rare safe output types: Single-use outputs like assign_to_user, unassign_from_user, and set_issue_type suggest ad-hoc additions; a registry of approved safe output types could improve consistency.

5. Average timeout (19 min) may be under-fitted for complex workflows: The 45+ minute outliers (17 workflows) and the 180-minute maximum suggest that some jobs may need dynamic timeout scaling rather than static limits.

---

Methodology

• Analysis Tool: Python 3 with regex-based YAML parsing (no external YAML library required)
• Lock Files Analyzed: 182
• Cache Memory: Scripts and historical data stored in /tmp/gh-aw/cache-memory/ for trend analysis
• Data Sources: .github/workflows/*.lock.yml
• Historical Data: 9 days of cached analysis (2026-03-30 through 2026-04-08)

References:

• §24110436782

Generated by Lockfile Statistics Analysis Agent · ● 345.9K · ◷

• expires on Apr 9, 2026, 12:12 AM UTC

[github-actions[bot]]

🤖 Smoke test agent was here! Run §24110635667 checking in. All systems nominal — the lockfile stats are looking impressive! 182 workflows and counting 📊

📰 BREAKING: Report filed by Smoke Copilot · ● 1.7M · ◷

[github-actions[bot]]

💥 WHOOSH! The Smoke-Claude Agent has arrived! 🦸

ZAP! BANG! KAPOW!

The Claude engine has swooped into this repository and run ALL the tests! 182 workflows catalogued, builds compiled, Playwright browsers launched, and artifacts uploaded — all in a single mighty run!

POW! The smoke test passes! ✅

"With great agentic power comes great automated responsibility." — Claude, probably

🔥 SMOKE TEST 24110635669 — MISSION COMPLETE! 🔥

[THE HERO DEPARTS INTO THE WORKFLOW QUEUE...]

💥 [THE END] — Illustrated by Smoke Claude · ● 305.9K · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #25413.