📊 Agentic Workflow Lock File Statistics — 2026-04-01

[github-actions[bot]]

Executive Summary

Analysis of 178 .lock.yml files across .github/workflows/ — all compiled at schema version v3, with a combined size of 11.5 MB (avg 66.1 KB each). The corpus shows a highly standardized, mature workflow framework: nearly every file shares the same MCP infrastructure, concurrency patterns, and permission model, while trigger and safe-output configurations vary meaningfully by workflow purpose.

Key Stats:

• Total Lock Files: 178 (stable — unchanged from 2026-03-30 and 2026-03-31)
• Total Size: 11.5 MB (12,056,483 bytes), down from 11.77 MB on 2026-03-30 (avg file compaction)
• Average File Size: 66.1 KB
• Schema Version: v3 (100% adoption)
• Analysis Date: 2026-04-01 | Workflow Run: §23825144392

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10–50 KB	7	3.9%
50–100 KB	168	94.4%
> 100 KB	3	1.7%

Statistics:

• Smallest: codex-github-remote-mcp-test.lock.yml (26.6 KB)
• Largest: smoke-claude.lock.yml (144.7 KB)
• The 94.4% concentration in the 50–100 KB band reflects how standardized the compiled lock format is — the shared infrastructure (firewall, MCP gateway, safeoutputs scaffolding) accounts for a near-fixed base size.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows
workflow_dispatch	164	92.1%
schedule	130	73.0%
pull_request	28	15.7%
issue_comment	15	8.4%
issues	11	6.2%
pull_request_review_comment	6	3.4%
discussion / discussion_comment	4 each	2.2%
workflow_call	2	1.1%
workflow_run / push	1 each	0.6%

Common Trigger Combinations

Combination	Count
schedule + workflow_dispatch	117
workflow_dispatch only	17
pull_request + workflow_dispatch	12
pull_request + schedule + workflow_dispatch	9
issue_comment only	3
issue_comment + issues + pull_request	2
Full event listener (6 event types)	2
workflow_call + workflow_dispatch	2

The schedule + workflow_dispatch pairing dominates (65.7% of all workflows), reflecting the predominance of automated daily/weekly agent tasks that also support manual triggering.

Schedule Patterns Detail

Distribution by Time of Day (UTC):

Hour (UTC)	Scheduled Runs
02–05	14
06–08	9
09–12	49 (peak)
13–16	14
17–20	12
21–23	17
Interval (*/N)	13

Schedule Frequency:

• Daily (all days): 86 workflows
• Weekdays only (Mon–Fri): 23 workflows
• Other/custom: 21 workflows

Most Common Cron Expressions:

• 0 14 * * 1-5 — 4 workflows (2pm UTC weekdays)
• 0 13 * * 1-5 — 4 workflows
• 0 11 * * 1-5 — 4 workflows
• 0 9 * * 1-5 — 3 workflows
• 0 */6 * * * — 2 workflows (every 6 hours)

Business-hours UTC clustering (09:00–12:00) suggests the majority of scheduled workflows are designed to run during active engineering hours, likely for report delivery and review.

---

Safe Outputs Analysis

Safe Output Types Distribution

These are the action types configured in each workflow's safeoutputs/config.json. missing_data, missing_tool, and noop are present in 96.6% of all workflows (172/178) as standard framework signals.

Output Type	Count	% of Workflows
missing_data	172	96.6%
missing_tool	172	96.6%
noop	172	96.6%
create_discussion	63	35.4%
create_issue	54	30.3%
add_comment	42	23.6%
create_pull_request	39	21.9%
push_repo_memory	25	14.0%
upload_asset	24	13.5%
add_labels	16	9.0%
push_to_pull_request_branch	7	3.9%
create_pull_request_review_comment	7	3.9%
close_discussion	6	3.4%
update_issue	6	3.4%
submit_pull_request_review	6	3.4%

Less Common Output Types

Output Type	Count
remove_labels	4
mentions	3
dispatch_workflow	3
close_pull_request	3
link_sub_issue	3
assign_to_agent	3
create_project_status_update	2
update_project	2
create_code_scanning_alert	2
send-slack-message	2
create_agent_session	2
update_pull_request	2
hide_comment	2
close_issue	2
notion-add-comment	2
call_workflow, assign_to_user, reply_to_pull_request_review_comment, set_issue_type, update_release, and others	1 each

Top Safe Output Combinations

Combination	Count
create_discussion + framework signals	23
create_issue + framework signals	21
create_pull_request + framework signals	20
add_comment + framework signals	10
create_discussion + upload_asset + framework	9
create_discussion + push_repo_memory + upload_asset + framework	6
No safe outputs configured	6

Discussion Categories

Category	Count
audits	45
announcements	4
reports	3
artifacts	2
research	2
dev	2
daily-news	1
security	1
agent-research	1

audits dominates discussion output (74% of categorized discussions), consistent with the monitoring and reporting nature of many scheduled workflows.

---

Structural Characteristics

Job Complexity

Metric	Value
Average jobs per workflow	6.1
Minimum jobs	2
Maximum jobs	10
Average steps per workflow	87.5
Minimum steps	37
Maximum steps	128 (technical-doc-writer)

Typical Lock File Profile

A representative .lock.yml file has:

• Size: ~66 KB
• Jobs: ~6 (activation, setup, checkout, MCP prep, agent run, safeoutputs)
• Steps per workflow: ~88
• Permissions: contents: read, issues: write, discussions: write
• Triggers: schedule + workflow_dispatch
• Timeout: 15–20 min (activation), 20–30 min (agent job)
• Concurrency: gh-aw-$\{\{ github.workflow }}

Runner Distribution

Runner	Count (job-level)
ubuntu-slim	716 (74.7%)
ubuntu-latest	359 (37.5%)
aw-gpu-runner-T4	12 (1.3%)
ubuntu-24.04-arm	1

ubuntu-slim is the dominant runner for agent jobs, while ubuntu-latest is used in setup/auxiliary jobs.

Timeout Distribution

Timeout (min)	Occurrences
15	197
20	187
10	50
30	39
45	15
60	14
5	12
90	1

Average: 19.8 minutes. The 15–20 min cluster aligns with typical agent task durations.

---

Agent Engine Distribution

Agent	Count	%
copilot	118	66.3%
claude	40	22.5%
codex	19	10.7%
gemini	1	0.6%

Copilot is the dominant engine. The presence of Gemini (1 workflow) represents an experimental integration.

---

Permission Patterns

Most Common Permissions

Permission	Total Uses	Read	Write
contents	1,067	889	178
issues	516	156	360
discussions	275	36	239
pull-requests	355	161	194
actions	81	75	6
copilot-requests	81	0	81
security-events	14	10	4

Permission Summary

• Workflows with ANY write permission: 171 (96.1%)
• contents write is granted in all 178 workflows (1 per workflow in the PR/branch jobs), while contents: read appears in most activation/setup jobs
• copilot-requests: write appears in 81 workflows (45.5%) — the Copilot-agent workflows
• discussions: write in 239 job occurrences indicates discussion-oriented outputs are widely used

---

Tool & MCP Infrastructure

Core MCP Container Images

Container	Occurrences	% of Workflows
ghcr.io/github/github-mcp-server	363	~204% (multiple jobs)
ghcr.io/github/gh-aw-mcpg	356	~200%
ghcr.io/github/gh-aw-firewall/agent	345	~194%
ghcr.io/github/gh-aw-firewall/api-proxy	345	~194%
ghcr.io/github/gh-aw-firewall/squid	345	~194%
ghcr.io/github/serena-mcp-server	48	27.0%
ghcr.io/zizmorcore/zizmor	2	1.1%
ghcr.io/boostsecurityio/poutine	2	1.1%

The firewall stack (agent + api-proxy + squid) runs in virtually every workflow — a 3-container network security layer. The serena-mcp-server appears in 27% of workflows as an optional semantic code intelligence tool.

External MCP Services

Service	Count
api.githubcopilot.com	7
mcp.tavily.com	5
mcp.deepwiki.com	2
learn.microsoft.com	2
mcp.datadoghq.com	1
slack.com	1

Top GitHub Actions Used

Action	Uses
actions/github-script	3,314 (~18.6/workflow)
actions/checkout	1,624 (~9.1/workflow)
./actions/setup (local)	1,065 (~6.0/workflow)
actions/upload-artifact	1,038 (~5.8/workflow)
actions/download-artifact	889 (~5.0/workflow)
actions/setup-node	151
actions/cache/restore	105
actions/cache/save	85
actions/setup-go	41
docker/setup-buildx-action	30

actions/github-script averaging ~18.6 calls per workflow illustrates how heavily this framework uses JavaScript for dynamic step logic.

---

Interesting Findings

1. GPU Runners for 12 Workflows: The aw-gpu-runner-T4 runner is used by a targeted cluster of document/content workflows: daily-doc-updater, weekly-blog-post-writer, daily-doc-healer, technical-doc-writer, unbloat-docs, developer-docs-consolidator, glossary-maintainer, daily-news, daily-issues-report, daily-fact, dev, and dictation-prompt. GPU acceleration appears focused on content generation tasks.

2. "Daily" Prefix Dominates (34 workflows): The most common workflow name prefix is daily, followed by smoke (18) for CI testing. This shows the platform is heavily oriented toward recurring scheduled automation.

3. Extremely Standardized Infrastructure: 178/178 files use schema v3; 172/178 include the standard missing_data/missing_tool/noop framework signals; 173/178 use github-mcp-server; 178/178 use gh-aw-mcpg. The lock file format is highly consistent.

4. Copilot-Requests Permission is Highly Specific: The copilot-requests: write permission appears in exactly 81 workflows — precisely the set that uses copilot as the agent engine (118 Copilot workflows minus 37 that don't need direct API access). This tight correlation shows precise least-privilege scoping.

5. Slack and Notion Integrations Emerging: send-slack-message, post-to-slack-channel, post_slack_message (2 each) and notion-add-comment (2) appear as niche but real integrations beyond GitHub, suggesting early expansion beyond the GitHub ecosystem.

6. Ultra-rich Safe Output API: 41 distinct safe output action types are configured across the corpus — from assign_to_agent and link_sub_issue to create_code_scanning_alert and update_release. The variety indicates a maturing, comprehensive agent-action surface.

---

Historical Trends

Metric	2026-03-30	2026-03-31	2026-04-01	Trend
Total Files	178	178	178	Stable
Total Size	11.77 MB	11.76 MB	11.50 MB	↓ Slight compaction
Avg Size (KB)	66.2	66.1	66.1	Stable
Avg Steps	87.1	87.5	87.5	Stable
Max Steps	126	128	128	+2
Avg Timeout (min)	19.8	19.8	19.8	Stable

The repository is in a stable, mature state. No new workflows were added over the 3-day window. The slight total size decrease (~250 KB) with the same file count suggests minor compilation optimizations or prompt revisions.

---

Recommendations

1. Consolidate "workflow_dispatch only" workflows: 17 workflows have only workflow_dispatch as a trigger with no schedule. Consider whether these should be scheduled or if they can be merged into parameterized, multi-purpose workflows.

2. Audit the 6 workflows with no safe outputs configured: These files lack any safeoutputs/config.json and may be incomplete or legacy. Verify they are intentional (e.g., pure test/smoke workflows) or add appropriate output configurations.

3. External MCP services are low-adoption: Only 6 unique external MCP endpoints are used, across 16 total workflow references. If Tavily, DeepWiki, or Datadog integrations are strategically important, consider expanding their adoption.

4. Standardize the noop report-as-issue behavior: Several workflows configure "report-as-issue":"true" on noop, which means no-op completions surface as GitHub issues. Review whether this is the intended signal vs. a discussion post to prevent issue noise.

5. GPU runner expansion could benefit more doc workflows: Only 12 of the 34+ "daily" workflows use the GPU runner. If content-heavy doc agents benefit from GPU acceleration, evaluate expanding this to other documentation workflows.

---

Methodology

• Analysis Tool: Python 3 with regex-based YAML parsing
• Lock Files Analyzed: 178 (all .github/workflows/*.lock.yml)
• Cache Memory: Historical data stored in /tmp/gh-aw/cache-memory/history/
• Data Sources: .github/workflows/*.lock.yml
• Comparison Data: 2026-03-30 and 2026-03-31 history files

References:

• §23825144392

AI generated by Lockfile Statistics Analysis Agent · history

• expires on Apr 2, 2026, 12:19 AM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent has materialized from the digital ether!

I've been dispatched to validate that the Copilot engine is alive and well — and spoiler: it is! 🎉

178 lock files, 66KB each, 87.5 steps on average... this repository has more automation than a sci-fi factory floor. 🏭✨

If workflows were coffee, this repo would be running on pure espresso. ☕

— Your friendly neighborhood smoke test agent, run §23826098153

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #23974.