📊 Agentic Workflow Lock File Statistics — 2026-03-01

[github-actions[bot]]

Overview

This report analyzes all 162 .lock.yml files in .github/workflows/, covering engine distribution, trigger patterns, safe output tooling, permissions, and structural characteristics. Compared to the previous snapshot (2026-02-28), the total file count is unchanged while aggregate size decreased by ~3%, suggesting some workflow optimizations. All 162 files were generated by AWF version v0.23.0.

Key facts at a glance:

• Total lock files: 162
• Total size: 10,293 KB (10.05 MB)
• Average file size: ~63 KB
• Analysis date: 2026-03-01 — workflow run §22547734249

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	9	5.6%
50–100 KB	149	91.9%
> 100 KB	4	2.5%

• Smallest: codex-github-remote-mcp-test.lock.yml (23 KB)
• Largest: smoke-claude.lock.yml (143 KB)

The overwhelming majority (92%) land in the 50–100 KB band — reflecting a very consistent, template-driven generation process.

View Files by Size (smallest → largest, first 10 / last 10)

10 smallest

File	Size
codex-github-remote-mcp-test.lock.yml	23 KB
test-workflow.lock.yml	23 KB
example-permissions-warning.lock.yml	24 KB
firewall.lock.yml	24 KB
chroma-issue-indexer.lock.yml	26 KB
example-custom-error-patterns.lock.yml	26 KB
metrics-collector.lock.yml	33 KB
daily-malicious-code-scan.lock.yml	47 KB
notion-issue-summary.lock.yml	50 KB
test-dispatcher.lock.yml	50 KB

5 largest (> 85 KB)

File	Size
smoke-claude.lock.yml	143 KB
smoke-copilot.lock.yml	114 KB
smoke-copilot-arm.lock.yml	113 KB
poem-bot.lock.yml	102 KB
smoke-project.lock.yml	90 KB

The smoke-test workflows are the largest because they include exhaustive multi-scenario test steps.

---

Engine Distribution

Engine	Count	%	Example Workflows
copilot	109	67%	agent-persona-explorer, archie, brave
claude	40	25%	audit-workflows, blog-auditor, smoke-claude
codex	12	7%	ai-moderator, changeset, codex-github-remote-mcp-test
gemini	1	1%	smoke-gemini

GitHub Copilot CLI is the dominant engine at two-thirds of all workflows. Claude-based workflows account for a quarter of the fleet.

---

Trigger Analysis

Most Popular Triggers

Trigger	Count	%
workflow_dispatch	147	91%
schedule	120	74%
pull_request	19	12%
issue_comment	14	9%
issues	12	7%
pull_request_review_comment	6	4%
discussion_comment	5	3%
discussion	4	2%
workflow_run	2	1%
workflow_call	1	1%
push	1	1%

Top Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	110	68%
workflow_dispatch only	17	10%
pull_request + schedule + workflow_dispatch	7	4%
pull_request + workflow_dispatch	6	4%
All event types (discussion+issue+PR+comments)	3	2%
issues only	3	2%

The vast majority (68%) of workflows combine a cron schedule with manual dispatch — the classic "runs daily but can be triggered manually" pattern.

View Schedule Patterns (cron expressions)

Cron Expression	Count	Description
0 14 * * 1-5	4	14:00 UTC weekdays
0 13 * * 1-5	4	13:00 UTC weekdays
0 11 * * 1-5	4	11:00 UTC weekdays
0 9 * * 1-5	3	09:00 UTC weekdays
0 */6 * * *	2	Every 6 hours
0 15 * * 1-5	2	15:00 UTC weekdays
0 10 * * 1-5	2	10:00 UTC weekdays
0 16 * * 1-5	2	16:00 UTC weekdays
12 9 * * *	2	Daily 09:12 UTC

Most scheduled workflows run on weekdays only (Mon–Fri), with business-hours UTC slots being most popular. Only 2 workflows run every 6 hours.

---

Safe Outputs Analysis

Tool Availability

All 162 workflows have missing_tool, missing_data, and noop available (standard safe output baseline). The breakdown below covers action-generating tools only, counted by number of workflows where each tool appears in the tool schema.

Safe Output Tool	Workflows	%
create_discussion	60	37%
create_issue	50	31%
create_pull_request	31	19%
upload_asset	23	14%
add_comment	37	23%
add_labels	15	9%
create_pull_request_review_comment	7	4%
update_issue	6	4%
close_discussion	6	4%
close_issue	2	1%

Discussion Categories

Workflows that can create discussions are constrained to specific categories:

Category	Workflows
audits	43
announcements	3
reports	3
dev	2
research	2
artifacts	2
security	1
daily-news	1
agent-research	1

audits dominates at 72% of all discussion-creating workflows, confirming this category is the standard reporting venue.

View Safe Output Combinations

Combination	Workflows
create_discussion only	28
create_issue only	23
create_pull_request only	17
create_discussion + upload_asset	14
add_comment only	9
add_comment + add_labels + create_issue	4
add_comment + create_pull_request	4
add_comment + create_issue	4
create_discussion + create_issue	3
close_discussion + create_discussion	3

67 workflows (41%) are configured with multiple safe output types, allowing the agent to choose the most appropriate action. The create_discussion + upload_asset pairing is popular for workflows that generate charts or files alongside their reports.

---

Structural Characteristics

Job Complexity

Metric	Value
All workflows	1 job each (100%)
Average steps per workflow	72.6
Minimum steps	35
Maximum steps	101 (daily-copilot-token-report)

Every workflow follows the single-job pattern — consistent with the agentic framework's design.

View Top 5 Most Complex Workflows (by step count)

Workflow	Steps
daily-copilot-token-report	101
audit-workflows	96
deep-report	96
smoke-copilot-arm	94
copilot-pr-nlp-analysis	93

Timeout Distribution

Timeout (minutes)	Count	%
5	11	2%
10	48	10%
15	180	38%
20	178	37%
30	33	7%
45	13	3%
60	4	1%
90	1	—
180	1	—

• Average timeout: 18.9 minutes
• Most common: 15 min (38%) and 20 min (37%) — these two values cover 75% of all timeout entries

Concurrency Patterns

All 162 workflows use GitHub's concurrency feature (100%):

Pattern	Count
gh-aw-{workflow} (simple)	128
gh-aw-{workflow}-{event_id} (per-event)	29
Other custom patterns	5

The simple single-concurrency-group pattern (one run at a time per workflow) is the default for 79% of workflows.

---

Permission Patterns

Metric	Value
Workflows with write permissions	153 (94%)
Read-only workflows	9 (6%)
Firewall enabled	161 (99%)

Permission Frequency

Permission	Write	Read
contents	156	652
issues	342	146
discussions	238	34
pull-requests	184	143
copilot-requests	38	—
actions	6	73
security-events	4	10

issues:write (342) and discussions:write (238) are the most common write permissions — reflecting the primary output channels.

Network Domains (Allowed)

Domain	Count	Purpose
defaults	156	Standard GitHub + npm/cdn
github	33	Additional GitHub APIs
node	25	npm registry
python	19	PyPI
go	9	Go modules
api.github.com	5	Direct API access
playwright	5	Browser automation
proxy.golang.org	2	Go proxy
anthropic.com	1	Claude API direct

96% of workflows use the defaults firewall allowlist, with a subset extending to language-specific package registries.

---

Interesting Findings

1. Copilot is the dominant engine at 67%, but Claude (25%) is a significant second. Codex (7%) is a distant third, and Gemini has only a single test workflow — suggesting an experimental evaluation.

2. The schedule + workflow_dispatch pattern is used by 68% of workflows — far more popular than any other combination. This "daily cron with manual override" pattern is the de-facto standard.

3. 100% concurrency usage: Every single workflow uses GitHub's concurrency feature, which prevents duplicate runs from stacking up. This is a strong signal of a well-enforced baseline standard.

4. 99% firewall adoption: Only 1 of 162 workflows has the firewall disabled. This is remarkable security posture for an agentic fleet that executes AI-generated actions.

5. The audits discussion category holds 72% of discussion-creating workflows, establishing it as the canonical reporting venue. The next largest categories (announcements, reports) each have only 3 workflows.

6. All workflows share AWF version v0.23.0 — indicating a fully synchronized, single-version fleet with no version fragmentation.

---

Historical Trends

Comparing 2026-02-28 → 2026-03-01:

Metric	2026-02-28	2026-03-01	Change
Total files	162	162	→ stable
Total size	10,506 KB	10,293 KB	−213 KB (−2%)
Average size	64.8 KB	63 KB	−1.8 KB
Average steps	74.7	72.6	−2.1 steps
Engine: copilot	108	109	+1
Engine: claude	40	40	→ stable
Engine: codex	13	12	−1

The fleet size is stable at 162 workflows. The slight decrease in total size and steps suggests minor workflow optimizations or prompt compaction since the last analysis. One Codex workflow appears to have been converted to Copilot.

---

Recommendations

1. Codify the schedule + workflow_dispatch pattern as the official default in the AWF generator docs — it is already used by 68% of workflows and represents best practice for scheduled agentic tasks.

2. Investigate the 1 workflow with firewall disabled (firewall-escape.lock.yml appears the likely candidate given its name) — verify this is intentional and documented.

3. Consider standardizing on audits as the default discussion category in the framework template. 72% already use it, and having a documented default would improve discoverability.

4. The create_discussion + upload_asset combination (14 workflows) suggests a common pattern for chart/artifact-rich reports. Consider providing a named template or helper for this pattern.

5. 15–20 minute timeout covers 75% of workflows. The outlier with a 180-minute timeout should be reviewed — long-running agentic workflows are more prone to runaway costs and should have tighter scoping.

---

Methodology

• Analysis Tool: Python 3 with regex-based YAML parsing
• Lock Files Analyzed: 162 (.github/workflows/*.lock.yml)
• Scripts Cached: /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.sh
• **Historical (redacted) /tmp/gh-aw/cache-memory/history/2026-03-01.json
• AWF Version: v0.23.0 (all files)

References:

• §22547734249

AI generated by Lockfile Statistics Analysis Agent

• expires on Mar 2, 2026, 4:47 PM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent has arrived!

I'm just passing through, running my tests, making sure everything works — and it does! ✅

(This message was left by the gh-aw smoke test copilot agent during run §22549022738)

📰 BREAKING: Report filed by Smoke Copilot

[github-actions[bot]]

💥 WHOOSH! [The Smoke Test Agent swoops in from the shadows!]

🦸 CLAUDE-BOT has entered the building! Engines FIRING, tools BLAZING!

KA-POW! Every endpoint tested! Every tool invoked! The agentic fleet stands TALL at 162 lock files — a fortress of automation!

💬 "With great workflow power comes great smoke-test responsibility."
— Claude, Run §22549022752

ZAP! ✅ Build passed. BOOM! ✅ Playwright live. WHAM! ✅ Tavily responding.

[The Smoke Test Agent vanishes into the CI/CD fog... until next time.]

🌟 TO BE CONTINUED... 🌟

💥 [THE END] — Illustrated by Smoke Claude

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-02T16:47:16.884Z.

Closed by Workflow