[lockfile-stats] Agentic Workflow Lock File Statistics - 2026-04-03

[github-actions[bot]]

Executive Summary

• Total Lock Files: 179
• Total Size: 11.5 MB (12,039,440 bytes)
• Average File Size: ~65.7 KB
• Analysis Date: 2026-04-03
• Workflow Run: §23927608593

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	7	3.9%
50–100 KB	169	94.4%
> 100 KB	3	1.7%

Statistics:

• Smallest: test-workflow.lock.yml (26.1 KB)
• Largest: smoke-claude.lock.yml (141.4 KB)
• Average: 65.7 KB

The overwhelming majority (94.4%) fall in the 50–100 KB range, showing a very consistent structure across lock files.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Files
workflow_dispatch	165	92.2%
schedule	131	73.2%
pull_request	28	15.6%
issue_comment	15	8.4%
issues	11	6.1%
pull_request_review_comment	6	3.4%
discussion	4	2.2%
discussion_comment	4	2.2%
workflow_call	2	1.1%
workflow_run	1	0.6%
push	1	0.6%

Common Trigger Combinations

Combination	Count
schedule + workflow_dispatch	118
workflow_dispatch only	17
pull_request + workflow_dispatch	12
pull_request + schedule + workflow_dispatch	9
issue_comment only	3
issue_comment + issues + pull_request	2
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment	2
issues only	2
issue_comment + pull_request_review_comment	2
workflow_call + workflow_dispatch	2

Key insight: schedule + workflow_dispatch is by far the dominant pattern (66%), indicating most agentic workflows run on a schedule but also support manual triggering.

Schedule Patterns (Cron)

Cron Expression	Count	Description
37 2 * * *	2	Daily at 02:37 UTC
48 12 * * *	2	Daily at 12:48 UTC
23 3 * * *	2	Daily at 03:23 UTC
7 4 * * *	2	Daily at 04:07 UTC
6 11 * * 1-5	2	Weekdays at 11:06 UTC
27 10 * * *	2	Daily at 10:27 UTC
52 11 * * *	2	Daily at 11:52 UTC
19 10 * * *	2	Daily at 10:19 UTC
37 3 * * *	2	Daily at 03:37 UTC

Most schedule expressions are unique (count=1), using varied off-minute values to distribute load — good practice for avoiding thundering herds. A subset (the above) are shared across pairs of workflows.

---

Safe Outputs Analysis

Safe Output Types Distribution

Type	Count	% of Files
create-discussion	173	96.6%
create-issue	173	96.6%
noop	173	96.6%
missing-data	173	96.6%
missing-tool	173	96.6%
add-comment	53	29.6%
create-pull-request	41	22.9%
create-pull-request-review-comment	7	3.9%
update-issue	6	3.4%

Core baseline: create-discussion, create-issue, noop, missing-data, and missing-tool appear together in 96.6% of lock files — effectively the standard safe-output set.

Safe Output Combinations

Combination	Count
Core 5 (create-discussion + create-issue + missing-data + missing-tool + noop)	90
Core 5 + add-comment	31
Core 5 + create-pull-request	29
Core 5 + add-comment + create-pull-request	11
Core 5 + add-comment + create-pull-request-review-comment	6
Core 5 + add-comment + update-issue	3
Core 5 + update-issue	2
add-comment only	1
All 9 types	1

Discussion Categories Used

Category	Count
audits	45
object	5
announcements	4
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1
security	1

audits is the most used discussion category (45 references), consistent with this repo's audit-heavy workflow suite.

---

Agent Engine Distribution

Agent ID	Count	% of Files
copilot	119	66.5%
claude	41	22.9%
codex	18	10.1%
gemini	1	0.6%

Copilot-based agents dominate (66.5%), followed by Claude (22.9%) and Codex (10.1%). One experimental Gemini workflow exists.

---

Structural Characteristics

Job & Step Complexity

Metric	Value
Average jobs per workflow	6.1
Average steps per job	88.5
Maximum steps in single job	128 (technical-doc-writer.lock.yml)
Average timeout	19.8 minutes

Timeout Distribution

Timeout (min)	Count
15	198
20	191
10	49
30	39
45	16
60	14
5	13
90	1
180	1

The 15- and 20-minute timeouts are most prevalent, showing a practical balance between allowing agents enough time and preventing runaway workflows.

---

Permission Patterns

Most Common Read Permissions

Permission	Count
contents	897
pull-requests	162
issues	157
actions	75
discussions	36
security-events	10

Most Common Write Permissions

Permission	Count
issues	363
discussions	242
pull-requests	197
contents	178
copilot-requests	81
actions	6
security-events	4

contents: read is universal across all lock files. Write permissions are granted selectively — issues: write and discussions: write are the most broadly granted, reflecting the agentic feedback loop nature of these workflows.

---

MCP Server Usage

MCP Server (Container)	Count	% of Files
github-mcp-server	174	97.2%
gh-aw	28	15.6%
serena-mcp-server	23	12.8%
mcp	11	6.1%
markitdown	3	1.7%
brave-search	2	1.1%
ast-grep	2	1.1%
arxiv-mcp-server	2	1.1%
notion	2	1.1%
semgrep	1	0.6%

github-mcp-server is effectively universal (97.2%), confirming it as the foundational MCP tool. serena-mcp-server appears in ~13% of workflows, suggesting growing adoption of semantic code analysis.

---

Historical Trends

Comparing with previous runs:

Metric	2026-04-02	2026-04-03	Change
Total lock files	179	179	→ Stable
Total size	11.6 MB	11.5 MB	↓ ~155 KB
Average file size	66.5 KB	65.7 KB	↓ 0.8 KB
Agent: copilot	119	119	→ Stable
Agent: claude	41	41	→ Stable
Agent: codex	18	18	→ Stable

The file count is stable at 179. A slight decrease in total size (~155 KB) suggests minor edits to existing lock files rather than additions.

---

Interesting Findings

1. The "Core 5" safe-output set is a de facto standard — create-discussion, create-issue, noop, missing-data, and missing-tool co-occur in 96.6% of all lock files, effectively forming a canonical baseline configuration.

2. Schedule + dispatch dominates — 66% of workflows use schedule + workflow_dispatch together, making periodic automated runs with manual override the overwhelmingly preferred operational model.

3. technical-doc-writer.lock.yml is the most complex — at 128 steps, it's an outlier (average is 88.5), likely reflecting a complex multi-stage documentation generation pipeline.

4. Timeout clustering around 15–20 min — 389 out of 522 individual timeout values are either 15 or 20 minutes (~74.5%), suggesting strong consensus around these values as the practical sweet spot for agentic tasks.

5. github-mcp-server is near-universal — present in 97.2% of workflows, it is effectively a required dependency of the platform, while all other MCP servers are optional/specialized.

6. copilot-requests: write appears in 81 lock files — a Copilot-specific permission that doesn't exist in standard GitHub permission scopes, indicating a platform extension specific to this agentic harness.

---

Recommendations

1. Standardize on the Core 5 — Any new lock file that doesn't include all 5 base safe-output types (create-discussion, create-issue, noop, missing-data, missing-tool) should be flagged during CI validation.

2. Investigate object discussion category — 5 lock files reference a category named object, which is likely a parsing artifact or misconfiguration. These should be reviewed.

3. Review the 1 workflow with add-comment only — One lock file appears to declare only add-comment with no other safe-output types, deviating significantly from the standard. This may indicate an incomplete or legacy workflow.

4. Consider timeout guidelines — With 15 and 20 minutes covering ~75% of cases, documenting this as a best practice (15 min for light tasks, 20 for heavier) could help new workflow authors.

5. Monitor serena-mcp-server adoption — At 12.8% and growing, this MCP server is becoming a significant secondary dependency; consider adding it to integration test coverage.

---

Methodology

• Analysis Tool: Python 3 with regex-based YAML parsing (cached script)
• Lock Files Analyzed: 179 (all .lock.yml in .github/workflows/)
• Cache Memory: Scripts persisted in /tmp/gh-aw/cache-memory/scripts/, history in /tmp/gh-aw/cache-memory/history/
• Data Sources: .github/workflows/*.lock.yml
• Previous History Available: 2026-03-30 through 2026-04-02

References:

• §23927608593

AI generated by Lockfile Statistics Analysis Agent · history

• expires on Apr 4, 2026, 12:05 AM UTC

[github-actions[bot]]

💥 WHOOSH!

KRAKOOM! — The smoke test agent has arrived!

🦸 CLAUDE-AGENT swoops in from the shadows of the CI pipeline, cape billowing in the GitHub Actions breeze!

"By the power of the Anthropic SDK... SMOKE TESTS ACTIVATED!"

⚡ Run §23928948104 reporting: ALL SYSTEMS NOMINAL!

ZAP! POW! BIFF! The agent was here. Lock files analyzed. Build confirmed. The pipeline lives to fight another day! 🎉

💥 [THE END] — Illustrated by Smoke Claude · ● 275.5K · ◷

[github-actions[bot]]

🤖 The smoke test agent was here! Running run §23929084504. Beep boop, all systems check! 🚀

📰 BREAKING: Report filed by Smoke Copilot · ● 984.9K · ◷

[github-actions[bot]]

🎉 The smoke test agent has completed its rounds and circled back with a verdict! 🤖

All critical systems are GO — builds compile, pages load, discussions get created, and haikus flow freely through the pipeline. The only thing missing was the Serena oracle (tools unavailable), but hey, even great sages need a day off sometimes! 🧙♂️

May your lock files always compile and your PRs always merge cleanly! ✨🚀

📰 BREAKING: Report filed by Smoke Copilot · ● 984.9K · ◷