[lockfile-stats] Lockfile Statistics Report — 2026-04-27

[github-actions[bot]]

Analysis of 204 .lock.yml files in .github/workflows/ — collected on 2026-04-27 via workflow run §24970440193.

---

Overview

This repository hosts a rich ecosystem of agentic workflows spanning daily automation, code quality, CI/CD tooling, smoke tests, and GitHub management. All 204 lock files share a common harness structure (schema v3, ubuntu-slim, firewall containers), while varying considerably in purpose, complexity, and safe-output strategy.

Key numbers at a glance:

Metric	Value
Total lock files	204
Total size	~16.0 MB (16,349 KB)
Average file size	~80 KB
Median file size	~79 KB
Smallest file	test-workflow.lock.yml (32 KB)
Largest file	smoke-claude.lock.yml (164 KB)
Analysis date	2026-04-27

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10–50 KB	7	3.4%
50–100 KB	187	91.7%
> 100 KB	10	4.9%

The vast majority of lock files cluster tightly in the 50–100 KB range, reflecting the standardized harness structure that every workflow inherits. The 10 oversized files (>100 KB) tend to be smoke tests or orchestrators that configure multiple MCP servers and run many jobs.

Largest 10 files

File	Size
smoke-claude.lock.yml	164 KB
smoke-copilot.lock.yml	131 KB
smoke-copilot-arm.lock.yml	129 KB
mcp-inspector.lock.yml	114 KB
issue-monster.lock.yml	110 KB
smoke-codex.lock.yml	109 KB
cloclo.lock.yml	107 KB
daily-performance-summary.lock.yml	103 KB
unbloat-docs.lock.yml	102 KB
poem-bot.lock.yml	100 KB

Smallest 3 files

File	Size
test-workflow.lock.yml	32 KB
example-permissions-warning.lock.yml	33 KB
firewall.lock.yml	33 KB

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	187	91.7%
schedule	138	67.6%
pull_request	35	17.2%
issue_comment	15	7.4%
issues	12	5.9%
pull_request_review_comment	6	2.9%
discussion_comment	4	2.0%
discussion	4	2.0%
workflow_call	2	1.0%
push	2	1.0%
workflow_run	1	0.5%
deployment_status	1	0.5%

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	132	64.7%
pull_request + workflow_dispatch	23	11.3%
workflow_dispatch only	20	9.8%
issue_comment only	3	1.5%
workflow_call + workflow_dispatch	2	1.0%
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment	2	1.0%
Others (12 unique combos)	22	10.8%

The dominant pattern is schedule + workflow_dispatch — periodic automation with an on-demand override. Nearly two-thirds of all workflows follow this pattern.

Schedule Patterns

Pattern	Count	Description
Daily (* * *)	88	63.8%
Weekdays only (1-5)	28	20.3%
Specific day of week	22	15.9%

Total scheduled workflows: 138 (with 138 cron expressions). Monday (1) is the most popular specific day for weekly/targeted runs.

Rare and notable triggers

• deployment_status: deployment-incident-monitor.lock.yml — triggered on deployment events
• workflow_run: dev-hawk.lock.yml — monitors other workflow runs
• push: smoke-ci.lock.yml, tidy.lock.yml — only 2 workflows react to push events
• workflow_call (reusable): smoke-call-workflow.lock.yml, smoke-workflow-call.lock.yml, smoke-workflow-call-with-inputs.lock.yml

---

Agent Engine Distribution

All 204 lock files use schema version v3. Six distinct AI engines are represented:

Agent ID	Count	%	Notes
copilot	132	64.7%	Dominant engine
claude	57	27.9%	Second most common
codex	12	5.9%	OpenAI Codex-based
opencode	1	0.5%	smoke-opencode.lock.yml
gemini	1	0.5%	smoke-gemini.lock.yml
crush	1	0.5%	smoke-crush.lock.yml

Custom model overrides are used in 10 workflows:

Workflow	Custom Model
auto-triage-issues	gpt-5-mini
changeset	gpt-5.4-mini
daily-community-attribution	claude-haiku-4.5
daily-fact	gpt-5.4-mini
github-remote-mcp-auth-test	gpt-4.1-mini
issue-monster	claude-haiku-4.5
poem-bot	gpt-5
smoke-call-workflow	gpt-5.4-mini
smoke-crush	anthropic/claude-sonnet-4-20250514
smoke-opencode	copilot/gpt-5

Strict mode: 190/204 (93.1%) use "strict": true. The 14 without strict mode include mostly smoke tests and legacy tooling workflows.

---

Safe Outputs Analysis

Workflows Using Each Safe Output Type

Safe Output Type	Workflows Using It	%
create_discussion	197	96.6%
noop	197	96.6%
report_incomplete	197	96.6%
missing_tool	197	96.6%
missing_data	197	96.6%
create_issue	72	35.3%
add_comment	50	24.5%
create_pull_request	42	20.6%
upload_artifact	10	4.9%
update_issue	8	3.9%
create_pull_request_review_comment	7	3.4%

The "core four" (create_discussion, noop, report_incomplete, missing_tool, missing_data) appear in virtually every workflow (97%), forming the standard safe-output baseline.

Discussion Categories

Category	Workflows
audits	~48
announcements	~5
reports	~3
research	~2
dev	~2
artifacts	~2
daily-news	1
agent-research	1

audits is by far the most common discussion category, used by nearly a quarter of all workflows.

Workflows with Multiple Safe Output Types

The most versatile workflow is poem-bot.lock.yml, which uses all 5 primary safe output types: create_discussion, create_issue, add_comment, create_pull_request, and update_issue.

Top workflows by safe output diversity

Workflow	# Output Types
poem-bot	5
workflow-health-manager	3
smoke-project	3
smoke-create-cross-repo-pr	3
smoke-copilot	3
smoke-copilot-arm	3
smoke-ci	3
ci-doctor	3
agent-performance-analyzer	3

---

Structural Characteristics

Job Complexity

Metric	Value
Min jobs per workflow	3
Max jobs per workflow	14 (scout.lock.yml)
Average jobs per workflow	8.0
Average steps per workflow	94.5
Min steps (workflow)	39 (codex-github-remote-mcp-test)
Max steps (workflow)	134 (agentic-optimization-kit)
Avg steps — activation job	~13.8
Avg steps — agent job	~40.9

Most job-rich workflows (top 10)

Workflow	Jobs
scout	14
q	13
cloclo	13
firewall-escape	12
unbloat-docs	11
smoke-claude	11
dev	11
tidy	10
smoke-copilot	10
smoke-copilot-arm	10

Most step-rich workflows (top 10)

Workflow	Steps
agentic-optimization-kit	134
copilot-token-audit	133
smoke-claude	125
daily-news	124
audit-workflows	124
daily-issues-report	122
copilot-pr-nlp-analysis	122
copilot-session-insights	121
smoke-copilot-arm	119
daily-code-metrics	119

Typical Lock File Profile

A representative .lock.yml file has:

• Size: ~79–80 KB
• Jobs: ~8 jobs
• Total steps: ~95 steps
• Agent job steps: ~41 steps
• Activation job steps: ~14 steps
• Triggers: schedule + workflow_dispatch
• Agent: copilot
• Timeout: 15–20 min (most common values)
• Concurrency: workflow-scoped, cancel-in-progress: false

---

Permission Patterns

Most Common Permissions

Permission	Count	Type
contents: read	1,064	Read
issues: write	409	Write
actions: read	289	Read
discussions: write	230	Write
pull-requests: write	201	Write
issues: read	179	Read
pull-requests: read	177	Read
contents: write	148	Write
copilot-requests: write	102	Write
discussions: read	41	Read

Overall Distribution

• Total read grants: 1,759
• Total write grants: 1,109
• Read/Write ratio: ~1.6:1 (read-heavy by design)
• copilot-requests: write: 102 grants (used exclusively in Copilot-engine workflows)

Rare permissions include security-events: write (9), packages: write (1), id-token: write (1), attestations: write (1) — reflecting specialized security and publishing workflows.

---

MCP Server Usage

MCP Server	Workflows	Notes
gh-aw-mcpg:v0.3.0	204 (100%)	Universal — harness gateway
gh-aw-firewall/*:0.25.28	204 (100%)	Universal — agent/api-proxy/squid
github-mcp-server:v1.0.3	198 (97.1%)	Standard GitHub API access
serena-mcp-server:latest	25 (12.3%)	Code intelligence / semantic search

6 workflows do not use github-mcp-server: codex-github-remote-mcp-test, copilot-pr-merged-report, github-mcp-tools-report, github-remote-mcp-auth-test, schema-consistency-checker, schema-feature-coverage.

85 workflows (41.7%) use actions/cache (restore + save), indicating persistent state management.

29 workflows (14.2%) use push_repo_memory, the persistent cross-run memory capability.

---

Timeout Patterns

Timeout	# Occurrences
15 min	224
20 min	217
10 min	57
30 min	50
45 min	18
5 min	14
60 min	7
25 min	2
90 min	1
180 min	1

• Average timeout: 19.3 min
• Min: 5 min
• Max: 180 min (one outlier)
• The 15 and 20 minute slots account for 75% of all timeout values.

---

Concurrency Patterns

All 204 workflows use concurrency groups. Common group patterns:

Concurrency Pattern	Count
Workflow-scoped (gh-aw-$\{\{ github.workflow }})	154
PR/ref-scoped	24
Issue/PR-scoped	15
Issue-scoped	3
Issue/PR/label-scoped	3
Issue/discussion-scoped	1

• Cancel-in-progress: false: 171 (83.8%) — prefer queuing over cancellation
• Cancel-in-progress: true: 27 (13.2%) — used where freshness matters more than completion

---

Interesting Findings

1. copilot dominates but claude is significant: 65% copilot vs. 28% claude. Four other engines (codex, opencode, gemini, crush) are present mainly as smoke-test targets rather than production workflows.

2. Standardization is extreme: 100% use ubuntu-slim, 100% have concurrency, 100% include gh-aw-firewall and gh-aw-mcpg, and 97% share the same baseline safe outputs. The harness is truly universal.

3. audits is the community hub: Nearly 25% of all discussion-creating workflows post to the audits category, making it the dominant venue for automated reporting in this repository.

4. Poem-bot is the outlier king: poem-bot.lock.yml uses all 5 primary safe output types — the only workflow to do so. It also exceeds 100 KB, combining creative output (discussions, issues, PRs, comments, updates) in a single workflow.

5. Memory is becoming a first-class feature: 29 workflows (14%) now use push_repo_memory and 85 (42%) use actions/cache, reflecting a growing pattern of stateful, context-aware agents that learn across runs.

6. serena-mcp-server is a niche power tool: Only 25 workflows (12%) use the Serena code-intelligence server, but they include high-complexity workflows like cloclo, q, archie, and duplicate-code-detector — suggesting it's used for the most sophisticated code analysis tasks.

7. Nearly all schedules are scattered to avoid thundering-herd problems: cron expressions use varied minute/hour values rather than :00 or :30, consistent with best-practice load distribution.

---

Recommendations

1. Audit the 14 non-strict workflows: The 14 workflows without "strict": true (e.g., smoke-claude, mcp-inspector, dev) may be intentionally permissive, but a periodic review can ensure loose constraints don't introduce unexpected behaviors.

2. Consider standardizing on audits category: With 8 distinct discussion categories in use, consolidating to fewer categories (especially reports → audits) would improve discoverability of automated reports.

3. push_repo_memory adoption gap: Only 14% of workflows use persistent memory, despite 42% using action caches. Workflows performing repeated analysis (daily-* series) may benefit from cross-run memory to avoid redundant work and enable trend tracking.

4. Monitor timeout outliers: The 180-minute timeout is 9× the average. Confirm it's justified, or consider breaking that workflow into stages.

5. Track serena-mcp-server rollout: As code-intelligence workflows grow, tracking which workflows add Serena can help identify expanding use cases and potential inclusion in the standard harness.

---

Methodology

• Lock files analyzed: 204 (all .lock.yml in .github/workflows/)
• Analysis tools: bash, awk, grep (no external YAML parser available)
• Data extraction: metadata headers, YAML structure pattern matching
• Cache memory: Results stored in /tmp/gh-aw/cache-memory/history/2026-04-27.json
• Workflow run: §24970440193

References:

• §24970440193

Generated by Lockfile Statistics Analysis Agent · ● 389.2K · ◷

• expires on Apr 28, 2026, 12:12 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #28825.