[lockfile-stats] Lockfile Statistics Audit — 2026-05-29

[github-actions[bot]]

Executive Summary

Analysis of all 236 compiled .github/workflows/*.lock.yml files as of 2026-05-29. 0 malformed/skipped.

Metric	Value
Lockfiles	236
Total size	23,387,695 bytes (~22.3 MiB)
Avg / median size	99,100 B / 98,289 B
Min / max size	63,917 B / 180,608 B
Total jobs / steps / scripts	1,892 / 24,644 / 11,933
Engines in use	8 distinct
Day-over-day total size	−59,985 B (−0.26%) vs 2026-05-28

Lock files are large and remarkably uniform — every file sits in a tight band around ~99 KB, indicating compiled boilerplate dominates per-file content over workflow-specific logic.

File Size Distribution

Bucket	Count	Δ vs 05-28
50–100 KB	140	+5
100–250 KB	96	−5

No files below 50 KB or above 250 KB. Five files recompiled smaller and crossed from the 100–250 KB bucket into 50–100 KB.

Largest & smallest lockfiles

Largest: smoke-claude (180,608 B), smoke-copilot (153,757 B), smoke-copilot-arm (144,310 B), smoke-codex (131,058 B), mcp-inspector (130,309 B), issue-monster (128,778 B), deep-report (128,588 B), cloclo (126,420 B), daily-news (123,442 B), daily-performance-summary (120,864 B).

Smallest: test-workflow (63,917 B), example-permissions-warning (64,602 B), codex-github-remote-mcp-test (65,207 B), firewall (65,282 B), ace-editor (73,415 B).

Trigger Analysis

Trigger	Workflows
workflow_dispatch	228
schedule	161
pull_request	35
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Dominant pattern: schedule + workflow_dispatch (157 workflows, 67%) — scheduled agents with a manual-override switch. Next: dispatch-only (39), pull_request + workflow_dispatch (28).

Schedule cron frequencies

161 scheduled triggers. Crons are well-distributed across off-peak minutes (very few land on :00/:30). Most are once-daily (M H * * *); a handful run weekday-only (* * 1-5), every 4–6 hours (*/4, */6), or hourly (23 * * * *). No two workflows share more than 2 instances of the same cron — good spread, low thundering-herd risk.

Safe Outputs Analysis

⚠️ Parser limitation this run: PyYAML was unavailable (yaml_available: false), so the analyzer used regex fallbacks. In compiled lock files, safe-output configuration is embedded as job logic / JSON env rather than as top-level YAML keys, so the safe-outputs: key scan returned no matches — this is a measurement gap, not evidence that safe outputs are unused. Discussion-category extraction was empty for the same reason. See Recommendations.

Structural Characteristics

Metric	Min	Avg	Max	Total
Jobs / workflow	5	8.02	12	1,892
Steps / workflow	68	104.42	142	24,644
Scripts (run:)	—	~50.6	—	11,933

• Most jobs: firewall-escape (12)
• Most steps: smoke-copilot (142)
• Roughly half of all steps are inline run: scripts (11,933 / 24,644 ≈ 48%).

Permission Patterns

All 236 lockfiles expose an empty top-level permissions: {} block; fine-grained per-job permissions were not captured this run (same regex-fallback limitation). Top-level posture is therefore least-privilege-by-default at the workflow root, with grants pushed into jobs.

Timeout distribution (per-job declarations)

Range (min)	Declarations
≤5	14
6–15	350
16–30	312
31–60	31
>60	3

Most timeouts cluster in the 6–30 minute range; only 3 declarations exceed 60 minutes.

Tool & MCP Patterns

MCP server	References
github	6,552
playwright	168
sentry	96
grafana	14
arxiv	6
deepwiki	6

The github MCP server dominates overwhelmingly. The flat per-tool count of 126 across dozens of distinct github tools (get_commit, get_pull_request, list_branches, issue_read, ...) shows ~126 workflows each mount the same broad github read toolset — a uniform, wide tool surface rather than per-workflow least-privilege subsets.

Engine distribution

Engine	Workflows	Share
copilot	154	65%
claude	63	27%
codex	14	6%
antigravity	1	<1%
crush	1	<1%
gemini	1	<1%
opencode	1	<1%
pi	1	<1%

Interesting Findings

1. github MCP is the backbone — 6,552 tool references vs. 168 for the next server (playwright). ~126 workflows ship an identical wide github read toolset.
2. Engine mix is copilot-led — copilot powers 65% of workflows, claude 27%, codex 6%; five exotic engines appear exactly once each (likely smoke/compat tests).
3. Scheduled-with-manual-override is the canonical shape — 67% of workflows use schedule + workflow_dispatch, and 228/236 (97%) expose workflow_dispatch.
4. Compiled boilerplate dominates size — files cluster tightly at ~99 KB with a hard 64 KB floor; even the smallest workflow carries substantial generated scaffolding.
5. Half of all steps are inline scripts — 11,933 run: steps across 24,644 total, averaging ~50 scripts per lockfile.

Historical Trends (vs 2026-05-28)

Metric	05-28	05-29	Δ
Lockfiles	236	236	0
Total bytes	23,447,680	23,387,695	−59,985 (−0.26%)
Avg size	99,354	99,100	−254
Total steps	24,550	24,644	+94
Total scripts	11,933*	11,933	+89 (11,844→11,933)
Max steps	141	142	+1 (smoke-copilot)
Engines / triggers / MCP	—	—	unchanged

Net: total byte size shrank slightly while step/script counts grew — recompilation trimmed per-file bytes even as a few workflows gained steps. 9 daily snapshots are retained (2026-05-20 → 2026-05-29).

Recommendations

1. Restore structured parsing — make the analyzer environment provide PyYAML (or have the script bootstrap it into cache). Without it, safe-output types, discussion categories, and per-scope job permissions silently fall back to empty and are not auditable. This is the highest-value fix.
2. Review github MCP tool surface — ~126 workflows mount the same broad github read toolset. Consider least-privilege per-workflow tool subsets to reduce attack surface and compiled size.
3. Investigate the ~64 KB size floor — uniform ~99 KB lock files suggest heavy shared boilerplate; evaluate whether compiled output can be slimmed.
4. Keep watching step growth — steps/scripts ticked up day-over-day; worth confirming this tracks intentional feature additions rather than template drift.

Methodology

Single-script compact JSON analysis: one cached analyzer (lockfile_stats_v1.py) parses all 236 lockfiles in a single pass into a ≤50 KB JSON summary (4,751 B this run); all reporting derives from that summary plus retained daily history snapshots. 0 files skipped. Note: PyYAML unavailable this run, so structural extraction used regex fallbacks (see Safe Outputs / Permissions caveats).

References: §26661883085

Generated by 📊 Lockfile Statistics Analysis Agent · opus48 888.4K · ◷

• expires on May 30, 2026, 9:05 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #35987.