📊 Agentic Workflow Lock File Statistics - November 1, 2025

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - November 1, 2025

This comprehensive analysis examines all 68 .lock.yml files in the repository to identify usage patterns, popular triggers, structural characteristics, and best practices for GitHub Agentic Workflows.

**Key (redacted) The repository contains 68 lock files totaling 13.08 MB, with an average size of 196.9 KB. The majority (62%) are large files (>200 KB) indicating comprehensive, multi-job workflows. Manual triggering (workflow_dispatch) is the most popular trigger (55 workflows), followed by scheduled automation (33 workflows). All workflows implement concurrency controls, demonstrating mature workflow management practices.

Full Report Details

Executive Summary

• Total Lock Files: 68 workflows
• Total Size: 13.08 MB
• Average File Size: 196.9 KB
• Analysis Date: 2025-11-01
• Analysis Scripts: Stored in /tmp/gh-aw/cache-memory/scripts/ for reuse

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10-50 KB	1	1.5%
50-100 KB	9	13.2%
100-200 KB	16	23.5%
> 200 KB	42	61.8%

**Size (redacted)

• Smallest: opencode.lock.yml (22.8 KB) - Likely a minimal shared configuration
• Largest: poem-bot.lock.yml (364.5 KB) - Complex creative workflow with 100 steps
• Average: 196.9 KB
• Total: 13.08 MB across all lock files

The distribution shows that most workflows (62%) are substantial (>200 KB), indicating rich, complex automation with multiple jobs and comprehensive agent instructions.

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	Percentage	Primary Use Case
workflow_dispatch	55	80.9%	Manual workflow execution
schedule	33	48.5%	Automated scheduled runs
pull_request	8	11.8%	PR automation
issue_comment	8	11.8%	Interactive issue responses
issues	6	8.8%	Issue-triggered workflows
workflow_run	3	4.4%	Chained workflow execution
discussion_comment	3	4.4%	Discussion interactions
discussion	2	2.9%	Discussion-triggered actions
pull_request_review_comment	2	2.9%	PR review interactions
push	2	2.9%	Code push automation

**(redacted)

• Manual Control Dominance: 81% of workflows support manual triggering, showing preference for on-demand execution
• Automation Balance: 49% use scheduled triggers for automated maintenance and monitoring
• Interactive Workflows: Strong support for issue/PR comments (27% combined) enables conversational AI interactions
• Multi-modal Triggers: Many workflows combine multiple triggers for flexibility

Common Trigger Combinations

Combination	Count	Use Pattern
schedule + workflow_dispatch	27	Automated with manual override capability
workflow_dispatch only	16	Pure manual execution
pull_request + schedule + workflow_dispatch	5	Comprehensive PR analysis workflows
workflow_run only	3	Dependent/chained workflows
issue_comment only	2	Pure interactive issue bots
issues only	2	Issue-triggered automation

**Pattern (redacted)
The most common pattern (27 workflows) combines scheduled automation with manual override capability, representing best practices for flexible workflow management.

Schedule Patterns

Schedule (Cron)	Count	Description
0/10 * * * *	3	Every 10 minutes (high-frequency monitoring)
0 9 * * 1	1	Weekly on Monday at 9 AM UTC

Scheduled Workflows (33 total):

• Daily maintenance: doc updaters, test improvers, performance analyzers
• Monitoring: smoke tests, security scans, version checkers
• Reporting: daily news, repo chronicles, issue summaries
• Quality: duplicate detection, code refactoring, instruction tidying

Permission Patterns

Most Common Permissions

Permission	Occurrences	Type	Purpose
contents: read	247	Read	Repository file access
pull-requests: read	110	Read	PR information access
issues: read	108	Read	Issue information access
issues: write	71	Write	Issue creation/updates
discussions: write	61	Write	Discussion posting
pull-requests: write	54	Write	PR creation/updates
actions: read	35	Read	Workflow run access
contents: write	23	Write	Code/file modifications
security-events: read	8	Read	Security alert access

Permission Distribution

• Read-only workflows: Most workflows prioritize read access for safety
• Write permissions: Selective write access for issues (71), discussions (61), and PRs (54)
• Principle of Least Privilege: Workflows request minimal permissions needed
• Security-conscious: Only 8 workflows need security-events access

Notable Pattern: The high ratio of read to write permissions (247 vs 23 for contents) demonstrates security-first design, with most workflows analyzing rather than modifying code.

Structural Characteristics

Job Complexity

• Average Jobs per Workflow: 6.74 jobs
• Maximum Jobs in Single Workflow: 16 jobs
• Average Steps per Workflow: 54.96 steps
• Maximum Steps: 100 steps (poem-bot.lock.yml)
• Minimum Steps: 26 steps (test-svelte.lock.yml)
• Total Steps Across All Workflows: 3,737 steps

Timeout Configuration

• Average Timeout: 14.63 minutes
• Minimum Timeout: 5 minutes
• Maximum Timeout: 30 minutes
• Workflows with Timeout Settings: All major workflows implement timeouts

Analysis: The 15-minute average timeout strikes a balance between allowing complex AI operations while preventing runaway workflows. The 30-minute maximum provides headroom for intensive analysis tasks.

Concurrency Controls

• Workflows with Concurrency Groups: 68 (100%)
• Pattern: All workflows implement concurrency control with cancel-in-progress: true
• Benefit: Prevents resource waste by canceling superseded workflow runs

Best Practice Adoption: 100% implementation of concurrency controls demonstrates mature workflow engineering, ensuring efficient resource usage and preventing concurrent run conflicts.

Tool & MCP Server Patterns

MCP Server Usage

MCP Server	Workflows	Primary Purpose
github	63 (92.6%)	GitHub API interactions
playwright	2 (2.9%)	Browser automation
deepwiki	1 (1.5%)	Wikipedia/knowledge access
arxiv	1 (1.5%)	Academic paper research

**(redacted)

• GitHub MCP Dominance: 93% of workflows use the GitHub MCP server, essential for repository operations
• Specialized Tools: Emerging use of browser automation (playwright) and research tools (arxiv, deepwiki)
• Extensibility: The variety of MCP servers demonstrates the flexibility of the agentic workflow system

Discussion Categories

Analysis of where workflows post their outputs:

Category	Count	Purpose
audits	11	Audit reports and analysis
Audits	3	Same (case variant)
ideas	2	Suggestions and proposals
artifacts	2	Generated artifacts
dev	2	Development discussions
daily-news	1	News summaries
security	1	Security reports
research	1	Research findings

Pattern: The "audits" category (14 total including variants) is the primary destination for automated analysis reports, establishing it as the central hub for workflow-generated insights.

Typical Lock File Profile

Based on median and average statistics, a typical agentic workflow in this repository has:

• Size: ~197 KB
• Jobs: ~7 jobs with dependencies
• Steps per Workflow: ~55 steps total
• Timeout: ~15 minutes
• Triggers: workflow_dispatch + schedule (most common)
• Permissions: Read access to contents, issues, PRs; write access to discussions/issues for output
• Concurrency: Enabled with cancel-in-progress
• MCP Servers: GitHub MCP server for repository operations
• Structure: Multi-job pipeline with activation, agent execution, and output jobs

Interesting Findings

1. Firewall Pattern Emergence

5 workflows implement a "firewall" pattern (*.firewall.lock.yml):

• dev.firewall.lock.yml
• changeset-generator.firewall.lock.yml
• smoke-copilot.firewall.lock.yml
• daily-firewall-report.lock.yml
• firewall.lock.yml

This suggests a security/validation layer that filters or validates workflow behavior before main execution.

2. Smoke Test Suite

Multiple engine-specific smoke tests validate different AI backends:

• smoke-claude.lock.yml
• smoke-codex.lock.yml
• smoke-copilot.lock.yml
• smoke-opencode.lock.yml
• smoke-detector.lock.yml

This comprehensive testing ensures reliability across multiple AI engine integrations.

3. Daily Improvement Workflows

Scheduled maintenance workflows actively improve the codebase:

• daily-test-improver.lock.yml
• daily-perf-improver.lock.yml
• daily-doc-updater.lock.yml
• daily-firewall-report.lock.yml
• daily-news.lock.yml

These represent "self-healing" repository patterns where AI continuously maintains and improves code quality.

4. Conversational AI Agents

Several workflows act as interactive assistants responding to natural language:

• scout.lock.yml - Multi-trigger conversation agent (issues, PRs, discussions, comments)
• q.lock.yml - Question answering bot (294 KB, largest multi-modal workflow)
• plan.lock.yml - Planning assistant for issue/discussion comments

5. Specialized Analysis Agents

Domain-specific analysis workflows:

• go-pattern-detector.lock.yml - Language-specific pattern detection
• go-logger.lock.yml - Go logging analysis
• python-data-charts.lock.yml - Python data visualization
• semantic-function-refactor.lock.yml - Code refactoring suggestions
• zizmor-security-analyzer.lock.yml - Security scanning
• duplicate-code-detector.lock.yml - Code quality analysis

6. Creative Workflows

• poem-bot.lock.yml (364.5 KB, 100 steps) - The largest and most complex workflow, suggesting extensive creative generation capabilities
• dictation-prompt.lock.yml - Voice/transcription processing

7. Meta-Analysis Workflows

Workflows that analyze the workflow system itself:

• audit-workflows.lock.yml - Audits other workflows
• lockfile-stats.lock.yml - This analysis itself!
• example-workflow-analyzer.lock.yml - Analyzes workflow examples
• instructions-janitor.lock.yml - Maintains workflow instructions
• schema-consistency-checker.lock.yml - Validates workflow schemas

Repository Health Indicators

Positive Indicators

✅ 100% Concurrency Control: All workflows implement proper resource management
✅ Security-First Design: Read permissions dominate; write permissions are selective
✅ Comprehensive Testing: Multi-engine smoke tests ensure reliability
✅ Automated Maintenance: Daily improvement workflows maintain code quality
✅ Consistent Timeouts: All workflows have reasonable timeout configurations
✅ Manual Override: 81% of workflows support manual triggering for control

Areas of Interest

🔍 Large File Sizes: 42 workflows >200 KB may indicate complex instructions
🔍 No Explicit Safe Outputs Detected: Pattern-based detection didn't find explicit safe output configurations in this analysis (may require deeper YAML parsing)
🔍 Schedule Concentration: Only 3 workflows use high-frequency (every 10 min) schedules

Recommendations

1. Standardize Discussion Categories

Unify "audits" and "Audits" (case inconsistency) to improve discoverability and organization.

2. Document Firewall Pattern

The firewall pattern (5 workflows) appears to be an emerging security practice. Document this pattern for broader adoption.

3. Monitor Large Workflows

Workflows >300 KB (poem-bot, q, unbloat-docs, craft, tidy) may benefit from modularization or optimization review.

4. Optimize High-Frequency Schedules

The 3 workflows running every 10 minutes should be monitored for cost and performance impact.

5. MCP Server Expansion

Only 4 MCP servers currently in use. Consider adding more specialized tools (e.g., database access, external APIs) to expand capabilities.

6. Safe Output Documentation

Create examples showcasing safe output patterns to help workflow authors properly configure discussion/issue posting.

7. Historical Tracking

Establish baseline metrics from this analysis for future trend analysis:

• Track file size growth over time
• Monitor trigger pattern evolution
• Measure step complexity changes

Methodology

Analysis Tools

• Primary Script: Python 3 with regex-based YAML parsing
• Data Collection: Bash scripts for file system operations
• Storage: Results cached in /tmp/gh-aw/cache-memory/ for reuse
• Validation: Cross-referenced multiple data extraction methods

Data Sources

• Primary: 68 .lock.yml files in .github/workflows/
• Subdirectories: shared/ and shared/mcp/ analyzed
• Excluded: .md source files (only compiled .lock.yml analyzed)

Limitations

• YAML Parsing: Regex-based extraction may miss complex nested structures
• Safe Outputs: Detection based on mcp__safeoutputs pattern matching
• Step Counting: Counts `- (redacted) occurrences; may include conditional steps not always executed
• Snapshot Analysis: Data reflects state at 2025-11-01; workflows change over time

Cache Memory Structure

Analysis artifacts preserved for future runs:

/tmp/gh-aw/cache-memory/
├── scripts/
│   ├── analyze_lockfiles.py          # Main analysis script
│   ├── analyze_safe_outputs.py       # Safe output detection
│   └── analyze_trigger_combos.py     # Trigger pattern analysis
├── data/
│   └── analysis_results.json         # Complete analysis data
└── history/
    ├── last_analysis_date.txt        # Track last run
    └── 2025-11-01.json               # Historical snapshot

Historical Trends

*This is the first comprehensive analysis. Future runs will (redacted)

• Lock file count growth
• Average file size trends
• New trigger patterns
• MCP server adoption
• Permission pattern changes

Conclusion

The gh-aw repository demonstrates mature agentic workflow engineering with:

1. Scale: 68 workflows totaling 3,737 steps of automation
2. Sophistication: Average 7 jobs per workflow with complex dependencies
3. Flexibility: 81% support manual triggering; 49% automated scheduling
4. Security: Read-heavy permissions with selective write access
5. Reliability: 100% concurrency control; comprehensive timeout configuration
6. Diversity: From smoke tests to creative bots to self-improving maintenance
7. Innovation: Emerging patterns (firewall workflows, meta-analysis, daily improvers)

The repository represents a comprehensive agentic workflow ecosystem covering testing, monitoring, analysis, improvement, and creative generation—all orchestrated through GitHub Actions and AI agents.

---

Generated by Lockfile Statistics Analysis Agent on 2025-11-01
Analysis scripts and data cached in /tmp/gh-aw/cache-memory/ for future runs
Total workflows analyzed: 68 | Total size: 13.08 MB | Total steps: 3,737

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.