[lockfile-stats] Lockfile Statistics Audit — 258 workflows, 2026-07-07 #44118
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Lockfile Statistics Analysis Agent. A newer discussion is available at Discussion #44411. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Executive summary
Snapshot of all compiled agentic workflow lockfiles as of 2026-07-07.
test-workflow) / 184,569 B (smoke-copilot-aoai-entra)Lockfiles are large and uniform: 248 of 258 (96%) sit in the 100–250 KB band, reflecting a heavy, mostly-fixed compiled scaffold per workflow.
File size distribution
Largest & smallest lockfiles
Largest (bytes)
Smallest (bytes): test-workflow (80,327), example-permissions-warning (81,264), firewall (82,203), codex-github-remote-mcp-test (82,354), hippo-embed (89,320).
The
smoke-*family dominates the top end — engine smoke tests carry the widest tool/config surface.Trigger analysis
Top trigger combinations:
schedule+workflow_dispatch169 ·workflow_dispatchonly 48 ·pull_request+workflow_dispatch27.workflow_dispatch.*/6h/*/4h, one weekly-Sunday (33 5 * * 0), one every-7-days (0 0 */7 * *). Minute jitter is well distributed — good for avoiding thundering-herd scheduling.Safe outputs analysis
Discussion category targeting (reliable signal, parsed from config):
auditsis by far the dominant discussion destination (~83% of category-targeting workflows).Structural characteristics
release)daily-news)Totals: 1,614 jobs, 29,907 steps, 13,396 run-scripts across the fleet. The step floor of 78 confirms a heavy fixed scaffold (setup, engine install, MCP config, safe-output collection) present in every workflow.
Permission patterns
contents: readandactions: readare universal (258/258) — every workflow reads repo + run metadata.issues: writeis the most common write grant (249), ahead ofcontents: write(131) — the fleet skews toward commenting/triage over code mutation.discussions: write(92) exceedsdiscussions: read(50), consistent with the audit/report publishing pattern.Tool & MCP patterns
The GitHub MCP server is ~97% of all MCP tool surface. Read-oriented GitHub tools (
get_*,list_*,issue_read, code-scanning/dependabot/secret-scanning readers) each appear in ~120 workflows — a large, uniform read toolbelt is standard.Engine distribution:
Interesting findings
.mdchanges still regenerate ~116 KB lockfiles.contents: read+actions: read, withissues: write(249) far exceedingcontents: write(131): most agents observe and comment rather than modify code.auditsis the center of gravity for output. 76 workflows publish to the audits discussion category — more than 10× any other category.smoke-*engine tests (170–185 KB), carrying the broadest tool/config matrix.Historical trends
Recommendations
issue_read/get_pull_requestcould import a narrower set to cut lockfile size and prompt surface.issues: writegrants. 249 workflows hold issue-write; confirm each genuinely writes issues/comments rather than inheriting the grant from a template default..mdfrontmatter during compile so this audit can report them reliably instead of estimating from lockfiles.Methodology note
Single-script compact JSON analysis: all 258
.github/workflows/*.lock.ymlfiles were parsed once (PyYAMLsafe_load, with a raw-text regex fallback for permissions, discussion categories, and safe-output signals) into a compact (~5.5 KB) JSON summary; all figures above are derived from that summary and three cached historical snapshots. Per-type safe-output counts are approximate for the reason noted in the Safe outputs section; all other figures are exact. 0 malformed files were skipped.Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions