[lockfile-stats] Lockfile Statistics Audit — 2026-06-16

[github-actions[bot]]

Audit of all .github/workflows/*.lock.yml files in github/gh-aw. Single-script compact JSON analysis; day-over-day deltas vs 2026-06-15.

Executive summary

Metric	Value	Δ vs 2026-06-15
Lockfiles	249	0
Malformed/skipped	0	0
Total size	28.2 MB (29,613,640 B)	−59,330 B (−0.2%)
Avg size	118,930 B	−238 B
Median size	118,269 B	−119 B
Min / Max	78,429 / 178,467 B	leaner
Jobs (total)	2,002	0
Steps (total)	28,279	−494
Script blocks (total)	12,483	−495

The corpus is stable in count but got marginally leaner: identical job count (2,002) while steps and script blocks both dropped ~500, i.e. step-level trimming in regenerated lockfiles.

File size distribution

Bucket	Count
100–250 KB	238
50–100 KB	11

95.6% of lockfiles fall in 100–250 KB — generated boilerplate dominates and sizes are tightly clustered (avg ≈ median ≈ 118 KB). One file shifted from the 100–250 KB into the 50–100 KB bucket since yesterday.

Largest / smallest

• Largest: smoke-copilot-aoai-entra (178,467 B), smoke-copilot-aoai-apikey (178,058), smoke-copilot (177,315), smoke-claude (175,147), smoke-copilot-arm (165,122).
• Smallest: test-workflow (78,429 B), example-permissions-warning (79,154), firewall (80,363), codex-github-remote-mcp-test (80,456), ace-editor (87,707).

Trigger analysis

Trigger	Workflows
workflow_dispatch	241
schedule	167
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top combinations: schedule+workflow_dispatch (163), workflow_dispatch only (48), pull_request+workflow_dispatch (26). 97% (241/249) expose manual dispatch and 67% (167) are scheduled — a heavily cron-driven, manually-overridable automation fleet. No trigger or cron-frequency changes vs prior day.

Safe outputs analysis

Not captured by the current analyzer (safe_output_types / discussion_categories returned empty in this run). Flagged as a known gap — see Recommendations.

Structural characteristics

Metric	min	avg	max	max workflow
Jobs / workflow	5	8.04	12	firewall-escape
Steps / workflow	76	113.57	152	smoke-copilot

Steps/workflow average fell 115.55 → 113.57; max steps 154 → 152. Jobs/workflow unchanged.

Permission patterns

Top-level permissions: parsed as empty ({}) for all 249 — the analyzer did not resolve per-permission read/write levels this run. Reported as a gap, not as "no permissions."

Timeout distribution

Bucket (min)	Count
≤5	16
6–15	122
16–30	333
31–60	282
>60	3

(Counts exceed 249 because they aggregate per-job timeout-minutes across multiple jobs per workflow.)

Tool & MCP patterns

Engine	Workflows
copilot	166
claude	64
codex	14
antigravity / crush / gemini / opencode / pi	1 each

MCP server	References
github	6,656
playwright	168
sentry	96
grafana	28
ruflo	16
arxiv	6
deepwiki	6

The GitHub MCP server dominates (~97% of all MCP references). Each individual github::* read tool appears exactly 128 times, indicating ~128 workflows embed a uniform full GitHub read toolset (~52 github tools each).

Interesting findings

1. Uniform GitHub toolset fingerprint — every sampled github::* tool shows up exactly 128×, evidence of a shared, copy-identical MCP toolset block across ~half the fleet rather than per-workflow tailoring.
2. Copilot is the default engine (166/249, 67%); Claude second (64, 26%); six other engines appear once each — long-tail experimentation.
3. Manual-override-everywhere — 97% carry workflow_dispatch, almost always paired with a schedule (163 of 167 scheduled workflows also allow dispatch).
4. Lockfiles got leaner without losing jobs — identical 2,002 jobs but −494 steps / −495 scripts day-over-day, suggesting a compiler change that trims redundant steps.
5. Tight size band — 95.6% within a single 100–250 KB bucket; the largest files are all smoke-* engine matrix tests.

Historical trends (vs 2026-06-15)

Stable corpus. Net change: total size −0.2%, steps −494, script blocks −495, steps/workflow −1.98. Trigger mix, engine mix, MCP usage, job count, and timeout distribution all unchanged. One file migrated down a size bucket.

Recommendations

1. Restore safe-output, discussion-category and permission metrics in the analyzer — these three sections were empty this run and are high-value for governance audits. Bump to lockfile_stats_v2.py when the schema changes.
2. De-duplicate the shared GitHub toolset — the identical 128× toolset is a large contributor to the ~118 KB uniform file size; scoping tools per workflow would shrink lockfiles.
3. Watch the smoke-* matrix — it accounts for all top-5 largest files (>165 KB); confirm the size is intentional given the engine-matrix coverage.

Methodology

Single-script compact JSON analysis: one cached Python analyzer (lockfile_stats_v1.py) parses all 249 lockfiles in one pass and emits a compact JSON summary; this report reasons only from that summary plus the prior-day cached summary. 0 malformed files skipped.

Generated by 📊 Lockfile Statistics Analysis Agent · ◷

• expires on Jun 17, 2026, 1:19 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #39898.