[lockfile-stats] Agentic Workflow Lock File Statistics — 2026-04-28

[github-actions[bot]]

Overview

This report analyzes all 204 .lock.yml files in .github/workflows/ as of 2026-04-28. The corpus totals 16.3 MB and spans six AI agent engines, revealing clear patterns around triggers, safe outputs, MCP tooling, and workflow structure. No previous baseline exists (first run), so trends will be tracked in future runs.

---

Executive Summary

Metric	Value
Total lock files	204
Total corpus size	16.3 MB
Average file size	80.1 KB
Median file size	79.1 KB
Size std deviation	14.3 KB
Avg jobs per workflow	6.0
Avg steps per job	15.7
Most common timeout	15 min (197 of 204)
All workflows have concurrency	✅ 204 / 204

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	7	3.4%
50–100 KB	187	91.7%
> 100 KB	10	4.9%

Smallest: test-workflow (32.4 KB)
Largest: smoke-claude (164.5 KB)

The remarkably tight clustering around 50–100 KB suggests the lock file compiler produces very consistent output sizes. The 7 small files (<50 KB) are minimal workflows; the 10 large files (>100 KB) are smoke tests and complex orchestrators.

---

Trigger Analysis

Most Popular Triggers

Trigger	Count	Percentage
workflow_dispatch	187	91.7%
schedule	138	67.6%
pull_request	35	17.2%
issue_comment	15	7.4%
issues	12	5.9%
pull_request_review_comment	6	2.9%
discussion	4	2.0%
discussion_comment	4	2.0%
push	2	1.0%
workflow_call	2	1.0%
deployment_status	1	0.5%
workflow_run	1	0.5%

Top Trigger Combinations

Combination	Count
schedule + workflow_dispatch	132
pull_request + workflow_dispatch	23
workflow_dispatch only	20
issue_comment only	3
issue_comment + issues + pull_request	2
workflow_call + workflow_dispatch	2
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment	2

The dominant pattern is schedule + workflow_dispatch (65% of all workflows), indicating most agentic workflows run automatically on a schedule but remain manually triggerable for on-demand use.

Schedule Patterns

126 unique cron expressions are in use. The overwhelming majority use daily cadence:

Frequency Type	Count
Daily (all 7 days)	87
Weekdays only (Mon–Fri)	44
Weekly / monthly	7

Run-time distribution (UTC hour):

UTC Window	Count	Note
06:00–12:00	57	Morning — highest load
18:00–24:00	33	Evening
12:00–18:00	25	Afternoon
00:00–06:00	16	Night

No cron expression is used by more than 2 workflows, confirming deliberate schedule-scattering to avoid concurrent API load.

---

Agent Engine Distribution

Engine	Count	Percentage
copilot	132	64.7%
claude	57	27.9%
codex	12	5.9%
gemini	1	0.5%
crush	1	0.5%
opencode	1	0.5%

Copilot is the dominant engine, used by nearly two-thirds of all workflows. Claude powers the second-largest cohort (28%), while Codex handles a focused set of 12 workflows. Three experimental engines each appear in exactly one workflow: Gemini, Crush, and OpenCode — likely smoke tests.

---

Safe Outputs Analysis

Safe Output Type Distribution

Type	Count	Percentage
create-discussion	197	96.6%
noop	197	96.6%
create-issue	72	35.3%
add-comment	60	29.4%
update-issue	8	3.9%

Nearly all workflows (96.6%) include both create-discussion and noop — reflecting the repository-wide safe-output requirement that all workflows must call at least one safe-output tool.

Top Safe Output Combinations

Combination	Count
create-discussion + noop	87
create-discussion + create-issue + noop	48
add-comment + create-discussion + noop	36
add-comment + create-discussion + create-issue + noop	18
add-comment + create-discussion + create-issue + noop + update-issue	4

Discussion Categories

Category	Count
audits	48
announcements	5
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1

"audits" is by far the most-used discussion category, used by ~24% of all workflows — reflecting the prevalence of daily audit/analysis workflows in this repository.

---

Structural Characteristics

Job Complexity

Metric	Value
Average jobs per workflow	6.0
Maximum jobs	9 (smoke-claude)
Average steps per job	15.7
Maximum steps in single job	68 (agentic-optimization-kit / agent job)
Minimum steps	2

Timeout Distribution

timeout-minutes	Count
15 min	197
10 min	26
5 min	2

The 15-minute timeout is the clear standard. The 5-minute outliers are lightweight utility jobs.

Workflow Name Patterns

Pattern	Count
daily-*	43
smoke-*	23
weekly-*	4
Other	134

---

MCP Server & Tool Patterns

Container Images (Top 10)

Image	Count	Percentage
gh-aw-firewall/agent	204	100%
gh-aw-firewall/api-proxy	204	100%
gh-aw-firewall/squid	204	100%
github/gh-aw-mcpg	204	100%
github/github-mcp-server	198	97.1%
node (LTS)	197	96.6%
github/serena-mcp-server	25	12.3%
playwright/mcp	12	5.9%
mcp/markitdown	3	1.5%
mcp/arxiv-mcp-server	2	1.0%

The firewall stack (agent, api-proxy, squid) and gh-aw-mcpg are universal — present in 100% of workflows. GitHub MCP server appears in 97.1%. Serena (code navigation) is used by 25 workflows (12.3%), and Playwright (browser automation) by 12 (5.9%).

Actions Usage

Action	Count
actions/checkout	204 (100%)
actions/download-artifact	204 (100%)
actions/github-script	204 (100%)
actions/upload-artifact	204 (100%)
actions/setup-node	195 (95.6%)
actions/cache	175 (85.8%)
actions/setup-go	42 (20.6%)
docker/build-push-action	33 (16.2%)
docker/setup-buildx-action	33 (16.2%)
actions/setup-python	23 (11.3%)

Shared Module Usage (Top 10)

Shared Module	Count
shared/noop-reminder.md	144
shared/reporting.md	118
shared/observability-otlp.md	85
shared/daily-audit-discussion.md	42
shared/daily-audit-base.md	40
shared/mcp/serena.md	25
shared/jqschema.md	24
shared/mcp/serena-go.md	23
shared/reporting-otlp.md	23
shared/github-guard-policy.md	19

shared/noop-reminder.md is the most widely imported module (70.6%), confirming that the noop-reminder is a near-universal include.

Secret Usage (Top 10)

Secret	Count
GH_AW_GITHUB_MCP_SERVER_TOKEN	204 (100%)
GH_AW_GITHUB_TOKEN	204 (100%)
GITHUB_TOKEN	204 (100%)
GH_AW_OTEL_ENDPOINT	85 (41.7%)
GH_AW_OTEL_HEADERS	85 (41.7%)
COPILOT_GITHUB_TOKEN	83 (40.7%)
ANTHROPIC_API_KEY	58 (28.4%)
GH_AW_CI_TRIGGER_TOKEN	46 (22.5%)
CODEX_API_KEY	12 (5.9%)
OPENAI_API_KEY	12 (5.9%)
TAVILY_API_KEY	5 (2.5%)

---

Interesting Findings

1. Perfect concurrency coverage: All 204 workflows define concurrency settings — this is 100% adoption, suggesting a required standard or compiler-enforced default.

2. No traditional permissions: Every workflow has permissions: {} at the top level, meaning all privilege grants are scoped to individual jobs — a strong security practice.

3. Schedule time scattering: 126 unique cron expressions for 138 scheduled workflows. Nearly every scheduled workflow runs at a distinct minute, preventing thundering-herd effects on the GitHub API.

4. Playwright for 5.9% of workflows: 12 workflows include the playwright/mcp browser automation container, indicating a meaningful subset of agentic workflows perform web interaction tasks.

5. Morning-heavy scheduling: 41% of scheduled workflows fire between 06:00–12:00 UTC (Western European business hours), suggesting the team operates primarily in that timezone.

6. Experimental engine exploration: Three engines — Gemini, Crush, and OpenCode — each appear in exactly one workflow, consistent with structured experimentation or smoke-testing of new runtime integrations.

---

Historical Trends

This is the first run of this analysis. Historical data has been saved to cache for future comparisons:

• Cache path: /tmp/gh-aw/cache-memory/history/2026-04-28.json
• Future runs will compare file count growth, size changes, and pattern evolution.

---

Recommendations

1. Standardize the 10-minute timeout minority: 26 workflows use a 10-minute timeout vs. the standard 15 minutes. Review whether these are intentionally constrained or could be normalized.

2. Monitor Playwright workflow growth: Browser automation (12 workflows, 5.9%) is a meaningful and growing capability. Track whether this subset increases and ensure appropriate resource budgeting.

3. Track experimental engine adoption: Gemini, Crush, and OpenCode each have 1 workflow. Future runs can measure whether these expand beyond smoke-test status.

4. OTEL coverage gap: Observability (OTEL endpoint/headers) is present in only 85 of 204 workflows (41.7%), despite being a shared module. Consider expanding coverage to improve production monitoring.

---

Methodology

• Analysis Tool: Python 3 with PyYAML for YAML parsing, regex for metadata extraction
• Lock Files Analyzed: 204 (all .github/workflows/*.lock.yml)
• Cache Memory: Scripts and history stored in /tmp/gh-aw/cache-memory/
• Data Sources: .github/workflows/*.lock.yml, # gh-aw-metadata and # gh-aw-manifest comment headers, YAML body
• Run ID: §25026428668

References:

• §25026428668

Generated by Lockfile Statistics Analysis Agent · ● 211.2K · ◷

• expires on Apr 29, 2026, 12:17 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #29010.