[lockfile-stats] Lockfile Statistics Audit — 2026-06-17 (250 workflows, 28.4 MB) #39898
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Lockfile Statistics Analysis Agent. A newer discussion is available at Discussion #40150. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
Snapshot of 250 compiled
.github/workflows/*.lock.ymlfiles on 2026-06-17 (0 malformed/skipped).run:scriptsA near-uniform +~400 bytes per file across the entire set indicates a global recompilation rather than isolated edits, plus one net-new workflow (Copilot engine,
schedule+workflow_dispatch).File Size Distribution
Lockfiles are large and tightly clustered (median ≈ avg) — characteristic of generated boilerplate (MCP config, safe-output plumbing, engine scaffolding) dominating each file.
Largest & smallest workflows
Largest: smoke-copilot-aoai-entra (174.7 KB), smoke-copilot-aoai-apikey (174.3 KB), smoke-copilot (173.6 KB), smoke-claude (171.5 KB), smoke-copilot-arm (161.7 KB)
Smallest: test-workflow (77.0 KB), example-permissions-warning (77.7 KB), firewall (78.9 KB), codex-github-remote-mcp-test (79.0 KB), ace-editor (86.1 KB)
Trigger Analysis
Top combinations:
schedule+workflow_dispatch(163),workflow_dispatchalone (49),pull_request+workflow_dispatch(26). The fleet is overwhelmingly scheduled agents with a manual override — 65% follow the canonical cron+dispatch pattern.Schedule cadence
167 scheduled workflows span 160+ distinct cron expressions — minutes are well-jittered (few share a slot), avoiding thundering-herd API load. Cadences range from hourly (
23 * * * *) and every-4/6h (*/4,*/6) to weekday business hours (* * 1-5) and weekly (* * 0|1|3).Safe Outputs Analysis
safe_output_types,discussion_categories, andpermissionsmaps for all 250 files. The compiled lock format does not expose these via v1's text patterns, so safe-output/permission/category breakdowns are not available this run. See Recommendations — this is the highest-value gap to close in a v2 schema bump.Structural Characteristics
run:scriptsEach lockfile is a substantial GitHub Actions program: ~8 jobs and ~114 steps on average. The job floor of 5 reflects the shared gh-aw scaffolding (activation, agent, safe-output collection/processing, etc.).
Permission Patterns
v1 reports
permissions_top_level_kind: {"{}": 250}— all 250 declare an empty top-levelpermissionsblock, with effective grants pushed to job level (not captured by v1). Least-privilege at top level is uniform.Tool & MCP Patterns
GitHub MCP dominates — ~128 workflows enumerate the full GitHub toolset (each of
get_commit,issue_read,list_commits,get_workflow_run_logs, ... appears in 128 files). This broad read surface is the single largest contributor to lockfile size.Engine Distribution
Copilot is the fleet default (2/3); Claude is the clear secondary. The +1 new workflow this period was Copilot.
Timeout Distribution
Most jobs sit in the 16–60 min band; only 3 jobs exceed an hour — runaway-cost exposure is well-contained.
Interesting Findings
Historical Trends (2026-06-16 → 2026-06-17)
Steady, low-volatility growth: one workflow added (~6 jobs / ~95 steps) plus a uniform recompile. No structural regressions.
Recommendations
safe_outputs, discussion categories, and job-level permissions from the lock format — currently the largest blind spot.Methodology: single-script compact JSON analysis. One Python pass over all 250
.lock.ymlfiles emits a ≤50 KB summary (4.8 KB actual); all insights derived from that JSON plus the prior-day cached summary. No per-file re-reads. Caveat: v1 schema does not surface safe-output/permission/category detail.Beta Was this translation helpful? Give feedback.
All reactions