Analysis of 187 lock files totaling 13.5 MB across .github/workflows/*.lock.yml, run on 2026-04-09. Repository gained +5 files since yesterday (182 → 187), maintaining a steady growth pace. The lock file ecosystem is highly normalized: 95.2% of files fall in the 50–100 KB range, workflows run on three AI engines (Copilot 66%, Claude 28%, Codex 6%), and github-mcp-server is effectively universal (97%).
| Metric | Value |
| --- | --- |
| Total lock files | 187 |
| Total size | 13.5 MB (13,504,680 bytes) |
| Average file size | 70.5 KB |
| Smallest file | test-workflow.lock.yml (28.2 KB) |
| Largest file | smoke-claude.lock.yml (153.0 KB) |
| Average jobs per workflow | 6.0 |
| Average steps per workflow | 89.5 |
| Maximum steps | 122 (smoke-claude.lock.yml) |
| Average timeout | 19.1 min |
| Analysis date | 2026-04-09 |
File Size Distribution
| Size Range | Count | Percentage |
| --- | --- | --- |
| < 10 KB | 0 | 0% |
| 10–50 KB | 6 | 3.2% |
| 50–100 KB | 178 | 95.2% |
| > 100 KB | 3 | 1.6% |
The 50–100 KB concentration is remarkably tight — virtually all workflows share a nearly identical structural depth. The 3 oversized files (smoke-claude.lock.yml at 153 KB, plus 2 others) are likely smoke test workflows with unusually large inline prompts.
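Trigger Analysis
Most Popular Triggers
workflow_dispatch, schedule, pull_request, issue_comment, issues, pull_request_review_comment, discussion, discussion_comment, workflow_call, workflow_run, push
Top Trigger Combinations
schedule + workflow_dispatch
workflow_dispatch only
pull_request + workflow_dispatch
pull_request + schedule + workflow_dispatch
issue_comment only
issue_comment + issues + pull_request
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment
issues only
issue_comment + pull_request_review_comment
workflow_call + workflow_dispatch
The dominant pattern is scheduled + on-demand: 66% of workflows combine a cron schedule with manual workflow_dispatch fallback. Only 9% are purely manual dispatch.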
Schedule Pattern Details
136 workflows use schedule, with 20 unique cron expressions:
| Pattern type | Count |
| --- | --- |
| Daily (random hour/min, all days) | ~120 |
| Weekday-only (1-5) | 4 |
| Every 6 hours (*/6) | 2 |
| Weekly (* * 1 or * * 0) | 6 |
Most cron expressions are unique per workflow (e.g., "14 20 * * *", "37 2 * * *") — deliberately staggered to avoid GitHub Actions queue congestion. Only a handful of times appear twice (e.g., "37 2 * * *": 2 occurrences).
Safe Outputs Analysis
All 187 workflows include missing_tool, missing_data, and noop as baseline safe outputs (100% adoption). The table below shows action outputs beyond these three.
Action Safe Output Distribution (normalized)
| Tool | Count | % of Workflows |
| --- | --- | --- |
| create_discussion | 63 | 34% |
| create_issue | 59 | 32% |
| add_comment | 46 | 25% |
| create_pull_request | 39 | 21% |
| add_labels | 17 | 9% |
| upload_asset | 16 | 9% |
| push_to_pull_request_branch | 8 | 4% |
| submit_pull_request_review | 8 | 4% |
| create_pull_request_review_comment | 7 | 4% |
| update_issue | 6 | 3% |
| remove_labels | 4 | 2% |
| create_code_scanning_alert | 3 | 2% |
| dispatch_workflow | 3 | 2% |
| link_sub_issue | 3 | 2% |
| assign_to_agent | 3 | 2% |
| close_pull_request | 3 | 2% |
Note: counts are normalized — e.g., add_comment includes variants like add_comment(max:2), add_comment(max:10), etc.
Top Safe Output Combinations (action tools only)
| Combination | Count | % |
| --- | --- | --- |
| create_discussion only | 35 | 19% |
| create_issue only | 24 | 13% |
| create_pull_request only | 22 | 12% |
| create_discussion + upload_asset | 13 | 7% |
| add_comment(max:2) only | 6 | 3% |
| add_comment only | 5 | 3% |
| add_comment + create_pull_request | 4 | 2% |
Rate-Limiting Patterns
Many workflows use the (max:N) rate-limit syntax to cap AI output volume:
add_comment, create_issue, create_pull_request_review_comment, create_discussion, add_labels
add_comment(max:2) alone appears in 18 workflows — the most common rate-limited variant — showing a deliberate preference for concise, bounded AI commentary.
Discussion Categories Used
| Category | Count |
| --- | --- |
| audits | 46 |
| announcements | 4 |
| reports | 3 |
| artifacts | 2 |
| dev | 2 |
| research | 2 |
| agent-research | 1 |
| daily-news | 1 |
audits accounts for 73% of all create_discussion workflows.
Engine & Agent Distribution
| Agent | Count | % | Engine Version |
| --- | --- | --- | --- |
| Copilot | 123 | 66% | v1.0.21 |
| Claude | 52 | 28% | v2.1.94 |
| Codex | 11 | 6% | v0.118.0 |
| Gemini | 1 | <1% | — |
Three active engines with distinct versioning schemes. Gemini appears as a single outlier workflow.
MCP Server Usage
| MCP Server | Instances | % of Workflows |
| --- | --- | --- |
| github-mcp-server | 182 | 97% |
| gh-aw (internal) | 30 | 16% |
| serena-mcp-server | 23 | 12% |
| mcp (generic) | 11 | 6% |
| markitdown | 3 | 2% |
| brave-search | 2 | 1% |
| ast-grep | 2 | 1% |
| arxiv-mcp-server | 2 | 1% |
| notion | 2 | 1% |
| semgrep | 1 | <1% |
| context7 | 1 | <1% |
| memory | 1 | <1% |
github-mcp-server is de facto universal infrastructure. serena-mcp-server (code analysis, 12%) and markitdown (document parsing, 2%) are the notable specialized additions.
Allowed Domain Profiles
| Domain Profile | Count | % |
| --- | --- | --- |
| defaults (standard allowlist) | 180 | 96% |
| github (GitHub APIs) | 43 | 23% |
| node (npm/Node.js) | 26 | 14% |
| python (PyPI) | 21 | 11% |
| go (Go modules) | 13 | 7% |
| playwright (browser testing) | 5 | 3% |
| api.github.com (direct) | 5 | 3% |
Structural Characteristics
Job Complexity
| Metric | Value |
| --- | --- |
| Average jobs per workflow | 6.0 |
| Average steps per workflow | 89.5 |
| Maximum steps | 122 (smoke-claude.lock.yml) |
| Minimum steps | 38 (codex-github-remote-mcp-test.lock.yml) |
| Total steps across all files | 16,728 |
Timeout Distribution
| Timeout (min) | Instances | Notes |
| --- | --- | --- |
| 20 | 209 | Most common |
| 15 | 207 | Nearly tied |
| 10 | 49 | Short tasks |
| 30 | 43 | Extended tasks |
| 45 | 17 | Long-running |
| 5 | 13 | Quick checks |
| 60 | 4 | Max standard |
| 180 | 1 | Outlier |
The 20-minute and 15-minute timeouts are nearly tied and dominate — reflecting two standardized step-duration tiers in the workflow framework.
Permission Patterns (per job-level instances)
Read permissions (instances across all jobs in all files):
| Permission | Instances |
| --- | --- |
| contents: read | 945 |
| actions: read | 267 |
| pull-requests: read | 168 |
| issues: read | 162 |
| discussions: read | 37 |
| security-events: read | 10 |
Write permissions (instances across all jobs):
| Permission | Instances |
| --- | --- |
| issues: write | 379 |
| discussions: write | 248 |
| pull-requests: write | 203 |
| contents: write | 163 |
| copilot-requests: write | 89 |
| security-events: write | 9 |
| actions: write | 6 |
copilot-requests: write (89 instances) is Copilot-engine-specific — used for API quota billing. contents: read is the most broadly required permission.
Historical Trends
| Metric | 2026-04-08 | 2026-04-09 | Change |
| --- | --- | --- | --- |
| Total files | 182 | 187 | +5 (+2.7%) |
| Total size | 13.2 MB | 13.5 MB | +300 KB |
| Avg file size | 70.8 KB | 70.5 KB | −0.3 KB (stable) |
| Copilot workflows | 120 | 123 | +3 |
| Claude workflows | 50 | 52 | +2 |
| Codex workflows | 11 | 11 | 0 |
| Avg timeout | 19.0 min | 19.1 min | stable |
At +5 files/day, the repository is on track for ~150 new lock files per month. File size stability (70.5 KB) confirms new workflows match the established template size.
Key Findings
Extraordinary structural uniformity: 95.2% of all 187 lock files fall in the 50–100 KB size band — a hallmark of templated generation. This tight distribution simplifies tooling and auditing.
Rate-limiting is a first-class design pattern: 18 workflows use add_comment(max:2) — the most common single action tool variant. The (max:N) system is applied to 7 different tools with at least 5 different limit values, showing deliberate, workflow-specific guardrails on AI output volume.
create_discussion + upload_asset is a natural pair: 13 workflows (7%) combine these two — likely workflows that generate binary artifacts (reports, exports) alongside a linked discussion summary.
github-mcp-server is load-bearing infrastructure: Used in 97% (182/187) of workflows. The 5 exceptions are likely pure shell-based workflows or specialized pipelines.
Copilot dominates but Claude is actively growing: Copilot holds 66% share; Claude grew by 2 new workflows in one day alongside Copilot's +3. Codex is flat. Gemini is a single-workflow experiment.
serena-mcp-server is the leading specialized MCP tool: Present in 12% of workflows (23 instances), well ahead of other specialized servers, suggesting code analysis and semantic search are common workflow requirements.
Two standardized timeout tiers: The 20-minute (209 instances) and 15-minute (207 instances) timeouts are nearly equal and account for the vast majority of all timeout settings — structural evidence of a two-tier step design in the workflow framework.
Recommendations
Audit the 3 oversized files (>100 KB): smoke-claude.lock.yml and the two others may have grown due to oversized inline prompts — worth reviewing for prompt extraction opportunities.
Standardize discussion categories: 8 distinct categories in use, with audits at 73% dominance. Consider formally documenting the intended use of announcements, reports, and artifacts to avoid drift.
Monitor Gemini adoption: The single Gemini workflow is an early indicator — worth tracking whether this grows into a fourth active engine or remains isolated.
Consider a (max:N) style guide: With 7+ tools using rate limits and 5+ different max values for create_issue alone, a convention document could reduce inconsistency.
Track the +5/day growth rate: At current pace, the repository will exceed 200 lock files within ~2-3 weeks. Ensure the repository tooling scales accordingly.
Methodology
Analysis tool: Python 3 with regex-based YAML parsing (cached at /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.py)
Lock files analyzed: 187 files in .github/workflows/*.lock.yml
<safe-output-tools> Tools: inline prompt section (ground truth)
/tmp/gh-aw/cache-memory/; historical comparison against history/2026-04-08.json
"- name:" occurrences per file; job counting via top-level keys under "jobs:"