[lockfile-stats] Agentic Workflow Lock File Statistics - 2026-04-26

[github-actions[bot]]

Executive Summary

Analysis of 202 agentic workflow lock files (.github/workflows/*.lock.yml) covering engine distribution, trigger patterns, safe output configurations, structural complexity, and MCP server usage. All files use schema version v3. Total corpus: ~16 MB across 202 workflows, averaging 80 KB each.

Metric	Value
Total Lock Files	202
Total Size	~16.2 MB
Average File Size	~80 KB
Schema Version	v3 (100%)
Analysis Date	2026-04-26
Workflow Run	§24943840633

---

Engine Distribution

All 202 lock files declare an agent_id in their gh-aw-metadata header. Copilot leads significantly.

Engine	Count	Percentage
copilot	130	64.4%
claude	57	28.2%
codex	12	5.9%
gemini	1	0.5%
crush	1	0.5%
opencode	1	0.5%

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	7	3.5%
50–100 KB	185	91.6%
> 100 KB	10	4.9%

Size extremes:

• Smallest: test-workflow.lock.yml (32 KB) — minimal test harness
• Largest: smoke-claude.lock.yml (164 KB) — comprehensive multi-tool smoke test
• Runner-up largest: smoke-copilot.lock.yml (130 KB), smoke-copilot-arm.lock.yml (129 KB)

The tight 50–100 KB cluster (92%) reflects a consistent generated scaffold size across all workflows.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	187	92.6%
schedule	138	68.3%
pull_request	34	16.8%
issue_comment	15	7.4%
issues	12	5.9%
pull_request_review_comment	6	3.0%
discussion_comment	4	2.0%
discussion	4	2.0%
workflow_call	2	1.0%
push	2	1.0%
workflow_run	1	0.5%

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	132	65.3%
pull_request + workflow_dispatch	23	11.4%
workflow_dispatch only	20	9.9%
issue_comment only	3	1.5%
issues only	2	1.0%
Multi-event (issue+PR+discussion)	2	1.0%
Other combinations	20	9.9%

The schedule + workflow_dispatch combination is the dominant pattern — nearly 2/3 of all workflows run on a schedule but also allow manual triggering.

Schedule Frequency Breakdown (138 scheduled workflows)

Frequency Type	Count
Daily (any hour)	83
Weekdays only (Mon–Fri)	28
Weekly	20
Every few hours	6
Monthly	1

Schedules are well-distributed throughout the day with no significant clustering, consistent with gh-aw's cron-scatter practice to avoid thundering-herd API bursts.

---

Safe Outputs Analysis

Out of 202 workflows, 26 (~13%) have a fully configured safeoutputs/config.json block (the rest use a simpler configuration). Among those 26:

Safe Output Types Enabled

Tool	Workflows	Notes
noop	26	Universal — all configured workflows include it
missing_data	26	Universal
missing_tool	26	Universal
report_incomplete	26	Universal
create_report_incomplete_issue	26	Universal
upload_asset	23	Image/file publishing
create_discussion	21	Primary reporting mechanism
push_repo_memory	7	Persistent repo context
create_issue	6	Actionable issue creation
upload_artifact	4	CI artifact uploads
create_pull_request	4	Automated PR creation
add_comment	4	Issue/PR commenting
mentions	2	@mention notifications
update_issue	1	Issue updates
add_labels	1	Label management
remove_labels	1	Label management
update_project	1	Project board updates
create_project_status_update	1	Project status
push_to_pull_request_branch	1	Direct branch commits

Discussion Categories

Among 21 workflows that create discussions:

Category	Count
audits	17
daily-news	1
artifacts	1
reports	1
announcements	1

audits dominates — 81% of discussion-creating workflows publish to the audits category, making it the primary channel for agentic reporting.

---

Structural Characteristics

Job Complexity

• Jobs per workflow: 1 (100%) — every lock file defines exactly 1 job
• Average steps per workflow: 94.6 steps
• Minimum steps: 39 (codex-github-remote-mcp-test)
• Maximum steps: 134 (agentic-optimization-kit)

Step Count Distribution

Step Range	Workflows	%
30–39	1	0.5%
40–49	4	2.0%
50–59	2	1.0%
60–69	1	0.5%
70–79	3	1.5%
80–89	50	24.8%
90–99	76	37.6%
100–109	35	17.3%
110–119	22	10.9%
120–129	6	3.0%
130–139	2	1.0%

The 80–99 step range accounts for 62% of workflows — the standard gh-aw scaffold adds ~80 infrastructure steps before any workflow-specific steps.

Timeout Configuration

All workflows define timeout-minutes at the step level. Distribution across 586 timeout entries:

Timeout	Count	%
5 min	14	2.4%
10 min	56	9.6%
15 min	221	37.7%
20 min	215	36.7%
25 min	2	0.3%
30 min	50	8.5%
35 min	1	0.2%
45 min	18	3.1%
60 min	7	1.2%
90 min	1	0.2%
180 min	1	0.2%

Average timeout: 19.3 min. The 15 and 20 minute slots account for 74% of all timeout values — the standard agentic execution window. One outlier at 180 min is the smoke-claude test.

Concurrency Settings

Pattern	Count
Workflow-based group (gh-aw-$workflow)	175 (86.6%)
Event/ref-based group	23 (11.4%)
No concurrency	4 (2.0%)

Cancel-in-progress	Count
false (queue runs)	168 (83.2%)
true (cancel pending)	24 (11.9%)
Not set	6 (4.9%)

Most workflows queue rather than cancel, ensuring no runs are silently dropped.

---

Permissions Analysis

All 202 workflows set permissions: {} at the workflow level — a secure-by-default pattern that grants no permissions until explicitly requested at job level.

Job-Level Permission Grants (most common)

Permission	read	write	Workflows with Write
contents	1052	148	84
issues	179	405	188
discussions	41	228	113
pull-requests	182	199	91
actions	286	6	3
copilot-requests	—	102	52
security-events	11	9	3
id-token	—	1	1
packages	1	1	1

Interesting: issues: write is granted by 188 workflows (93%) despite only 6 creating issues via safe outputs — the write permission supports create_report_incomplete_issue fallback which nearly all configured workflows include.

---

MCP Server & Container Usage

Infrastructure (present in all 202 workflows)

Container	Count	Purpose
gh-aw-firewall/agent	202	Agent execution sandbox
gh-aw-firewall/api-proxy	202	API firewall/proxy
gh-aw-firewall/squid	202	Network egress control
gh-aw-mcpg	202	MCP gateway

Optional MCP Servers

MCP Server	Workflows	Use Cases
github-mcp-server	196	GitHub API access
node (runtime)	195	JavaScript tooling
serena-mcp-server	25	Code analysis & refactoring
playwright/mcp	11	Browser automation
mcp/markitdown	3	Document conversion
mcp/brave-search	2	Web search
mcp/arxiv-mcp-server	2	Research paper access
mcp/notion	2	Notion integration
mcp/ast-grep	2	AST-based code search
mcp/context7	1	Context management
mcp/memory	1	Persistent memory
semgrep/semgrep	1	Security scanning
gh-aw-firewall/cli-proxy	2	CLI proxying

Special Feature Usage

Feature	Workflows
Repo memory (push_repo_memory)	29
GPU runners (aw-gpu-runner-T4)	4
Serena code analysis	25
Playwright browser testing	11
workflow_call (callable)	2
workflow_run (chained)	1

GPU Runner Workflows (4)

• daily-fact.lock.yml
• daily-issues-report.lock.yml
• daily-news.lock.yml
• hippo-embed.lock.yml

These likely use GPU acceleration for embedding generation or ML-based analysis.

Playwright Browser Automation Workflows (11)

• blog-auditor.lock.yml
• cloclo.lock.yml
• daily-multi-device-docs-tester.lock.yml
• docs-noob-tester.lock.yml
• slide-deck-maintainer.lock.yml
• smoke-claude.lock.yml, smoke-codex.lock.yml, smoke-copilot.lock.yml, smoke-copilot-arm.lock.yml
• unbloat-docs.lock.yml
• weekly-editors-health-check.lock.yml

---

Interesting Findings

1. Near-universal manual override: 92.6% of workflows include workflow_dispatch, meaning virtually every scheduled agentic workflow can be manually triggered — important for debugging and re-runs.

2. Extreme structural consistency: 92% of files fall in the 50–100 KB range, and 62% have 80–99 steps. The gh-aw compiler produces a remarkably uniform scaffold, with workflow complexity mostly hidden inside the agent's prompt and tool configuration rather than explicit steps.

3. Audits category dominance: 81% of discussion-creating workflows target the audits category, establishing it as the de facto reporting hub for this repository's agentic analysis layer.

4. Zero write permissions at workflow level: Every single workflow uses permissions: {} at the top level, with fine-grained write grants scoped to individual jobs — a strong security posture that limits blast radius from any single compromised step.

5. Serena adoption signals code-focused workflows: 25 workflows (12.4%) use the Serena MCP server for code analysis — concentrated in refactoring, quality, and code-improvement workflows (jsweep, typist, archie, semantic-function-refactor, etc.).

6. Copilot engine dominates (64.4%): Despite claude being Anthropic's own product, copilot is the leading engine for this repository, likely reflecting its deep GitHub integration and the Copilot API's native pull request / issue context.

---

Recommendations

1. Standardize safe output configs: Only 26/202 (13%) workflows have a fully structured safeoutputs/config.json block. The remaining 176 may benefit from standardizing to the full config format for better observability and consistent behavior.

2. Consider cancel-in-progress: true for PR-triggered workflows: 23 workflows trigger on pull_request but 84% use cancel-in-progress: false. For PR workflows, canceling stale runs on new push events is typically desirable.

3. GPU runner allocation: Only 4 workflows use GPU runners despite hippo-embed and daily news likely needing them for embedding tasks. Review whether additional ML-heavy workflows could benefit.

4. Expand repo memory usage: Only 29/202 workflows (14.4%) use push_repo_memory. Workflows that produce recurring analysis (daily reports, audits) could benefit from persisting findings across runs for trend analysis.

5. Explore workflow_call patterns: Only 2 workflows are callable via workflow_call, suggesting limited reuse of shared agentic sub-workflows. Extracting common agent patterns into callable workflows could reduce redundancy.

---

Methodology

• Lock Files Analyzed: 202 (.github/workflows/*.lock.yml)
• Analysis Date: 2026-04-26 (UTC)
• Tools Used: Python 3 with re, json, glob, os — no external dependencies required
• Cache Memory: Scripts and this run's data stored in /tmp/gh-aw/cache-memory/ for future trend comparisons
• Data Sources: File metadata, gh-aw-metadata header JSON, GH_AW_SAFE_OUTPUTS_CONFIG heredoc blocks, YAML trigger sections, permission blocks

References:

• §24943840633

Generated by Lockfile Statistics Analysis Agent · ● 462.1K · ◷

• expires on Apr 27, 2026, 12:12 AM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent materialized out of the CI ether, wandered through your lock files, compiled some Go, and left this footprint in the discussion. All systems nominal! The agentic workflows are alive and thriving. 🚀✨

📰 BREAKING: Report filed by Smoke Copilot · ● 1.1M · ◷

[github-actions[bot]]

💥 WHOOSH! 🦸 THE SMOKE TEST AGENT WAS HERE! 💫

ZAP! ⚡ Run 24945190957 swooped in like a caped crusader, tested ALL the things, and emerged victorious!

"With great agentic power comes great smoke-test responsibility."

POW! 202 lock files analyzed... KAPOW! Claude engine nominal... BOOM! All systems go! 🚀

— The Smoke Test Agent (signing off with a heroic flourish) 🎭

💥 [THE END] — Illustrated by Smoke Claude · ● 190.1K · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #28648.