[lockfile-stats] Lockfile Statistics Audit — 2026-07-08 (259 workflows, 29.6 MiB) #44411
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Lockfile Statistics Analysis Agent. A newer discussion is available at Discussion #44621. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overview
Aggregate analysis of all
.github/workflows/*.lock.ymlcompiled agentic workflows as of 2026-07-08.No lockfiles failed to parse (
yaml.safe_load,yaml_available=true).File size distribution
Every lockfile is ≥80 KB — a large fixed compilation floor. The 5 largest are all engine smoke-tests:
Smallest:
test-workflow(80,619),example-permissions-warning(81,556),firewall(82,495).Trigger analysis
Top combinations:
schedule+workflow_dispatch(169),workflow_dispatchalone (49),pull_request+workflow_dispatch(27). Scheduled agents almost always keep a manual dispatch escape hatch.Cron cadence
173 scheduled workflows across ~120 distinct crons. Minutes are spread across the hour (odd values like
:49,:38,:23) — no thundering-herd on:00. Mix of daily (* * *), weekday (1-5), and every-N-hours (*/6,*/4,*/12). No cron is used more than twice.Safe outputs analysis
Dedicated safe-output jobs detected:
upload-assetsin 25 lockfiles. Most safe outputs (create-discussion / create-issue / add-comment / create-pull-request) are configured via the agentic job's env manifest rather than as separate jobs, so they are not individually enumerable from lock structure — see methodology caveat.Discussion output categories (regex over category config):
The audits category dominates — audit-style agents are by far the largest publisher class.
Structural characteristics
Timeouts: every workflow has at least one job in the 31–60 min band (259);
6–15 minband appears 28 times,≤5 mintwice. Timeout policy is essentially uniform.Permission patterns
Top-level
permissionsis{}for all 259 lockfiles — permissions are declared per job (least-privilege pattern).issues: writeis the single most common write grant (250/259). Readactions+contentsare universal.Tool & MCP patterns
MCP servers by number of lockfiles using them:
GitHub MCP is the backbone (40% of all lockfiles); the rest is a long specialized tail.
Engine mix (carried from 2026-07-07 — see caveat)
Interesting findings
workflow_dispatch; 169 pair it withschedule. Only 8 workflows are non-dispatchable (pure PR/push/event-driven).auditsdiscussion category — 15× the next category (announcements, 5).Historical trends (07-07 → 07-08)
Trajectory is steady growth with no structural regressions; 49 daily snapshots retained (2026-05-20 → 2026-07-08).
Recommendations
*.lock.ymlin-tree keeps growing ~194 KB/workflow. If the compiler supports composite/reusable actions, extracting the shared 80 KB floor would materially shrink diffs and repo size.:00pile-ups; maintain it as the schedule count grows past 173.Methodology note
Single-script compact JSON analysis: one cached analyzer (
lockfile_stats_v1.py) parsed all 259 lockfiles withyaml.safe_loadin a single run, emitting a ~5.8 KB summary JSON; all figures above derive from that summary and the retained daily history. 0 lockfiles skipped. Safe-output types, discussion categories, and per-permission read/write maps use regex/job-name fallback (one category schema-comment false positive was filtered); the engine field is carried from the prior authoritative snapshot pending a detection fix.References: §28973990158
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions