[lockfile-stats] Agentic Workflow Lock File Statistics — April 30, 2026

[github-actions[bot]]

Executive Summary

This report analyzes all 205 .lock.yml files in .github/workflows/ as of April 30, 2026. The lock files represent a total of 16.9 MB of workflow configuration, averaging 82.3 KB per file. Every workflow has concurrency controls enabled, and 96.6% have both schedule or event triggers combined with workflow_dispatch for manual execution.

• Total Lock Files: 205
• Total Size: 16.9 MB (17,277,529 bytes)
• Average File Size: 82.3 KB
• Analysis Date: 2026-04-30
• Workflow Run: §25140445653

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	7	3.4%
50–100 KB	184	89.8%
> 100 KB	14	6.8%

The overwhelming majority (89.8%) fall in the 50–100 KB range, suggesting a very consistent structural template across workflows.

Outliers:

• Smallest: test-workflow.lock.yml — 33.2 KB (Test Workflow)
• Largest: smoke-claude.lock.yml — 172.1 KB (Smoke Claude)

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	187	91.2%
schedule	138	67.3%
pull_request	36	17.6%
issue_comment	15	7.3%
issues	12	5.9%
pull_request_review_comment	6	2.9%
discussion	4	2.0%
discussion_comment	4	2.0%
push	2	1.0%
workflow_call	2	1.0%
deployment_status	1	0.5%
workflow_run	1	0.5%

Most Common Trigger Combinations

Combination	Count
schedule + workflow_dispatch	132
pull_request + workflow_dispatch	23
workflow_dispatch only	20
issue_comment only	3
pull_request only	3
issue_comment + issues + pull_request	2
workflow_call + workflow_dispatch	2

The dominant pattern is schedule + workflow_dispatch (64.4% of all workflows), showing that most agentic workflows run autonomously on a schedule but remain manually triggerable.

Schedule Frequency Breakdown

Frequency Type	Count
Daily (every day)	83
Weekday-only (Mon–Fri)	30
Multiple times per day	6
Monthly	1

View All Schedule Patterns (127 unique cron expressions)

All 127 cron expressions are unique or near-unique, indicating schedules are deliberately staggered. A few shared patterns:

• 43 3 * * * — 2 workflows
• 37 2 * * * — 2 workflows
• 48 12 * * * — 2 workflows
• 6 11 * * 1-5 — 2 workflows (weekdays at 11:06)
• */30 * * * * — 1 workflow (every 30 minutes — most frequent)
• 27 */6 * * * — 1 workflow (every 6 hours)

The staggered minute values (rarely landing on :00 or :30) are consistent with rate-limit-conscious scheduling.

---

Safe Outputs Analysis

Safe Output Types Distribution

Type	Occurrences	Notes
upload-artifact	410	Present in virtually all jobs
create-discussion	396	Primary reporting mechanism
noop	198	Exactly 1× per workflow
missing-data	198	Exactly 1× per workflow
missing-tool	198	Exactly 1× per workflow
create-issue	142	Used in 69.3% of workflows
add-comment	122	Used in 59.5% of workflows
create-pull-request	100	Used in 48.8% of workflows
update-issue	18	Used in 8.8% of workflows
create-pull-request-review-comment	14	Used in 6.8% of workflows

Most Common Safe Output Combinations

Combination	Count
create-discussion + missing-* + noop + upload-artifact	58
create-discussion + create-issue + missing-* + noop + upload-artifact	44
create-discussion + create-pull-request + missing-* + noop + upload-artifact	30
add-comment + create-discussion + missing-* + noop + upload-artifact	26
add-comment + create-discussion + create-issue + missing-* + noop + upload-artifact	13

Discussion Categories Used

Category	Count
audits	128
announcements	10
reports	6
research	4
artifacts	4
dev	4
daily-news	2
agent-research	2

The audits category is by far the most targeted destination for agent-generated discussions (128 occurrences).

---

Structural Characteristics

Job & Step Complexity

Metric	Value
Total jobs across all workflows	1,237
Average jobs per workflow	6.03
Total steps across all jobs	19,466
Average steps per job	15.74
Minimum steps in a job	0
Maximum steps in a single job	67 (in copilot-token-audit.lock.yml)

Top Actions Used

Action	Count
actions/github-script	4,631
actions/checkout	2,024
./actions/setup	1,212
actions/download-artifact	1,019
actions/upload-artifact	969
actions/setup-node	288
actions/cache/restore	84
actions/cache/save	84
actions/setup-go	44
docker/build-push-action	32

Timeout Configuration

Metric	Value
Jobs with explicit timeout	224
Most common timeout	15 min (198 jobs)
Second most common	10 min (24 jobs)
Minimum timeout	5 min
Maximum timeout	15 min

All workflows use a conservative maximum of 15 minutes, consistent with agentic task scoping.

Concurrency

All 205 workflows (100%) have concurrency controls configured, preventing parallel runs of the same workflow.

---

Permission Patterns

Most Common Permissions

Permission	Count	Common Level
contents	1,218	read (mostly)
issues	593	write
pull-requests	394	write
discussions	301	write
actions	294	read
copilot-requests	100	write
security-events	21	write

Permission Distribution

Category	Count	Percentage
Read-only workflows	7	3.4%
Workflows with write permissions	198	96.6%

Write permissions breakdown:

• issues: write — 192 workflows (93.7%)
• discussions: write — 130 workflows (63.4%)
• pull-requests: write — 95 workflows (46.3%)
• contents: write — 85 workflows (41.5%)
• copilot-requests: write — 51 workflows (24.9%)

Permission balance: 1,776 read vs 1,154 write grants across all jobs.

---

MCP Server & Tool Patterns

MCP Server Usage

MCP Server	Workflows	Notes
github	205 (100%)	Universal — GitHub API access
fetch	205 (100%)	Universal — web fetch capability
safeoutputs	198 (96.6%)	Safe output bridge
memory	108 (52.7%)	Persistent agent memory
playwright	66 (32.2%)	Browser automation
mcpscripts	14 (6.8%)	Script execution
sqlite	2 (1.0%)	Local database
brave-search	2 (1.0%)	Web search

Model Versions Observed

Model	References
claude-sonnet-4.6	371
claude-code	174
claude-haiku-4.5	10
claude-sonnet-4-20250514	5

Sonnet 4.6 is the dominant model, with Haiku 4.5 appearing in faster/lighter tasks.

Key Environment Variables

The top environment variables injected into agent jobs:

• GH_AW_AGENT_OUTPUT (1,447) — agent output capture
• GH_AW_PROMPT (1,421) — the prompt passed to the agent
• GH_AW_WORKFLOW_NAME (1,296) — workflow identity
• GH_AW_SAFE_OUTPUTS (1,188) — safe output configuration
• GITHUB_SERVER_URL, GITHUB_API_URL — GitHub connectivity

---

Workflow Categories

Category	Count	Examples
Daily tasks	44	Daily News, Daily Security Red Team, Daily Malicious Code Scan
Smoke tests	23	Smoke Claude, Smoke Copilot, Smoke CI
Analytics/Reports	15	GitHub API Consumption Report, Static Analysis Report
Copilot analysis	8	Copilot Token Usage Optimizer, Copilot Session Insights
Testing	8	Test Quality Sentinel, MCP Inspector Agent
Issue management	8	Issue Monster, PR Triage Agent, Auto-Assign Issue
Code quality	7	Code Simplifier, GPL Dependency Cleaner, Dead Code Removal
Documentation	6	Multi-Device Docs Tester, Documentation Noob Tester
Weekly tasks	5	Weekly Blog Post Writer, Weekly Issue Summary
Code review	3	Grumpy Code Reviewer, PR Nitpick Reviewer, Security Review Agent
Security	2	Security Compliance Campaign, Security Review Agent
Other	76	Various specialized agents

---

Interesting Findings

1. 100% concurrency control adoption — Every single workflow has concurrency: configured, preventing queue buildup and duplicate runs. This is a best practice consistently applied across the entire repository.

2. Staggered schedules at scale — 127 distinct cron expressions are used, and virtually none land on :00 or :30 minute marks. This deliberate spreading reduces burst load on the GitHub Actions scheduler and external APIs.

3. Universal noop/missing-* coverage — Each workflow configures exactly one noop, one missing-data, and one missing-tool safe output path, suggesting a strict templating standard that ensures agent runs always produce a visible output signal even when nothing actionable occurs.

4. The memory MCP server split — 52.7% of workflows use the memory MCP server for persistent context between runs, while 47.3% do not. This reflects a split between stateless reporting agents and stateful agents that build knowledge over time.

5. Playwright at 32.2% — One-third of workflows have browser automation capabilities, indicating a significant portion of agentic tasks require interacting with web UIs, rendering documentation, or capturing visual state.

---

Recommendations

1. Audit the 7 read-only workflows — Only 7 workflows lack write permissions. Verify these are intentionally constrained (e.g., pure analysis workflows) rather than missing permissions needed to complete their tasks.

2. Review the 14 >100 KB workflows — The largest files (Smoke Claude at 172 KB, Smoke Copilot at 133 KB) should be audited for opportunities to reduce lock file size via job deduplication or shared job templates.

3. Evaluate update-issue adoption — Only 18 workflows (8.8%) use update-issue, which may indicate underuse of issue lifecycle management. Workflows that create issues could benefit from closing or updating them after resolution.

4. Consider standardizing on Sonnet 4.6 — With claude-sonnet-4-20250514 (5 references) still present alongside claude-sonnet-4.6 (371 references), there may be stale model version pins that should be normalized.

5. Expand mcpscripts usage — Only 14 workflows (6.8%) use mcpscripts, which enables complex script execution patterns. Workflows currently using multi-step bash workarounds may benefit from this server.

---

Methodology

• Analysis Tool: Python 3 with PyYAML + regex
• Lock Files Analyzed: 205 (all .github/workflows/*.lock.yml)
• Cache Memory: Analysis scripts saved to /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.py; historical snapshot saved to /tmp/gh-aw/cache-memory/history/2026-04-30.json
• Data Sources: File system scan + YAML parse of all lock files

References:

• §25140445653

Generated by Lockfile Statistics Analysis Agent · ● 254K · ◷

• expires on May 1, 2026, 12:18 AM UTC