📊 Agentic Workflow Lock File Statistics - 2025-10-13

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - 2025-10-13

Executive Summary

• Total Lock Files: 29
• Total Size: 5.19 MB (5,447,053 bytes)
• Average File Size: 183.43 KB
• Analysis Date: 2025-10-13

This comprehensive analysis examines all .lock.yml files in the .github/workflows/ directory to identify usage patterns, popular triggers, safe outputs, and structural characteristics of agentic workflows in the gh-aw repository.

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10-50 KB	0	0.0%
50-100 KB	0	0.0%
100-200 KB	19	65.5%
> 200 KB	10	34.5%

Statistics:

• Smallest: smoke-opencode.lock.yml (115.22 KB)
• Largest: poem-bot.lock.yml (302.94 KB)
• Median: 178.02 KB

The vast majority of lockfiles (65.5%) fall in the 100-200 KB range, indicating a relatively consistent workflow complexity across the repository. The poem-bot workflow is notably larger due to its extensive safe outputs configuration and multi-faceted functionality.

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	Percentage	Example Workflows
workflow_dispatch	23	79.3%	daily-news, dev, cli-version-checker
schedule	8	27.6%	daily-news, audit-workflows, duplicate-code-detector
issue_comment	7	24.1%	brave, poem-bot, scout
issues	6	20.7%	issue-classifier, dev, duplicate-code-detector
pull_request	3	10.3%	changeset-generator, poem-bot
push	3	10.3%	dev, go-pattern-detector
pull_request_review_comment	2	6.9%	poem-bot
discussion_comment	2	6.9%	poem-bot
discussion	2	6.9%	poem-bot
workflow_run	1	3.4%	ci-doctor

Key Insights:

• Manual trigger dominance: 79.3% of workflows support workflow_dispatch, allowing for on-demand execution
• Scheduled automation: 27.6% run on schedules, typically for daily reports and maintenance tasks
• Interactive workflows: 24.1% respond to comments, enabling conversational agent interactions
• Comprehensive coverage: The poem-bot workflow demonstrates the most trigger diversity, responding to issues, PRs, comments, and discussions

Common Trigger Combinations

The most frequent trigger combinations are:

1. schedule + workflow_dispatch (8 workflows): audit-workflows, artifacts-summary, cli-version-checker, daily-news, duplicate-code-detector, github-mcp-tools-report, lockfile-stats, unbloat-docs
2. push + workflow_dispatch (2 workflows): dev, go-pattern-detector
3. Single trigger patterns: Several workflows use only one trigger type for specific purposes

Schedule Patterns

Schedule (Cron)	Count	Description
0 9 * * 1-5	1	Daily at 9:00 AM (weekdays only) - daily-news
0 9 * * 1	1	Weekly on Mondays at 9:00 AM - artifacts-summary
0 0 * * *	1	Daily at midnight - audit-workflows
0 10 * * *	2	Daily at 10:00 AM - cli-version-checker, unbloat-docs
0 11 * * *	1	Daily at 11:00 AM - duplicate-code-detector
0 6 * * *	1	Daily at 6:00 AM - github-mcp-tools-report
0 3 * * *	1	Daily at 3:00 AM - lockfile-stats

Insights: Schedules are spread throughout the day to avoid concurrent execution, with most running during morning hours (UTC). The daily-news workflow intelligently runs only on weekdays.

Safe Outputs Analysis

Safe Output Types Distribution

Type	Count	Percentage	Example Workflows
create-issue	11	37.9%	dev, duplicate-code-detector, go-pattern-detector, smoke-*
add-comment	7	24.1%	brave, ci-doctor, pdf-summary, scout
create-pull-request	7	24.1%	cli-version-checker, q, security-fix-pr, tidy
create-discussion	6	20.7%	artifacts-summary, audit-workflows, daily-news, lockfile-stats
push-to-pull-request-branch	3	10.3%	changeset-generator, poem-bot, tidy
add-labels	2	6.9%	issue-classifier, poem-bot
upload-asset	2	6.9%	poem-bot, technical-doc-writer
notion-add-comment	1	3.4%	notion-issue-summary
create-pull-request-review-comment	1	3.4%	poem-bot
update-issue	1	3.4%	poem-bot

Note: All 29 workflows (100%) include the missing-tool safe output for reporting missing functionality.

Safe Output Patterns

Most Versatile Workflow: poem-bot.lock.yml uses 9 different safe output types, including:

• add-comment (max: 3)
• add-labels (allowed: poetry, creative, automation, ai-generated, epic, haiku, sonnet, limerick)
• create-issue (max: 2)
• create-pull-request
• create-pull-request-review-comment (max: 2)
• push-to-pull-request-branch
• update-issue (max: 2)
• upload-asset

Smoke Test Pattern: All 5 smoke test workflows (smoke-claude, smoke-codex, smoke-copilot, smoke-genaiscript, smoke-opencode) use create-issue with min: 1, max: 1, ensuring exactly one issue is created for test results.

Discussion Categories Usage

Based on workflows using create-discussion, the following categories are referenced:

• Audits: audit-workflows, lockfile-stats
• Artifacts: artifacts-summary
• Daily News: daily-news
• General: github-mcp-tools-report, repo-tree-map

Structural Characteristics

Job Complexity

• Average Jobs per Workflow: 6.7
• Median Jobs per Workflow: 6
• Maximum Jobs: 14 (poem-bot.lock.yml)
• Average Steps per Job: 7.0
• Maximum Steps in Single Job: 42 (q.lock.yml)
• Minimum Steps: Varies by job type (check-membership typically has 1-2 steps)

Typical Lock File Structure

Based on statistical analysis, a typical .lock.yml file has:

• Size: ~183 KB
• Jobs: ~7 jobs
• Steps per Job: ~7 steps
• Total Steps: ~49 steps across all jobs
• Permissions: read-all with specific permissions for contents, issues, actions
• Triggers: workflow_dispatch (79% probability) + one event-based trigger
• Timeout: Default (no explicit timeout in most workflows)
• Concurrency: Group-based concurrency control (typically gh-aw-${{ github.workflow }})

Standard Job Structure

Most workflows follow a consistent job pattern:

1. check-membership: Validates user permissions (admin, maintainer, or write)
2. activation: Checks if workflow should run based on triggers and lockfile freshness
3. agent: Runs the AI agent with configured MCP servers and safe outputs
4. collect-cache: Saves cache memory for persistence
5. handle-safe-outputs: Processes safe outputs (creates issues, comments, PRs, etc.)
6. upload-summary: Archives agent outputs as artifacts

Permission Patterns

Most Common Permissions

Permission	Count	Type
contents	29	Read/Write (typically write for committing)
read-all	28	Read-only (agent jobs)
issues	22	Write (for safe outputs)
actions	21	Write (for workflow management)
pull-requests	14	Write (for PR operations)
discussions	13	Write (for discussion creation)
models	1	Read (for AI model access)
security-events	1	Write (for security scanning)

Permission Distribution

• Read-only agent execution: 28 workflows (96.6%) use read-all for agent jobs, following the principle of least privilege
• Targeted write permissions: Write permissions are granted only to specific jobs that need them (typically handle-safe-outputs)
• Minimal global permissions: Most workflows specify permissions: {} at the global level, then grant specific permissions per job

Tool & MCP Server Patterns

Most Used MCP Servers

MCP Server	Count	Primary Use Case
github	29	GitHub API interactions (100% usage)
tavily	1	Web search (daily-news)
brave	1	Web search (brave workflow)

Insights:

• The github MCP server is universal across all workflows, providing essential GitHub API functionality
• External search MCP servers (tavily, brave) are used sparingly for specific research-oriented workflows
• Most workflows rely on built-in tools rather than external MCP servers

Common Tool Configurations

Based on lockfile structure:

• GitHub API tools: Universal across all workflows (list_issues, get_pull_request, etc.)
• Safe output tools: All workflows configure safe output mechanisms
• Web tools: Minimal usage (2 workflows use external search via MCP)
• File operations: All workflows have access to Read, Write, Edit, Glob, Grep
• Bash execution: Available in all workflows for system commands

Interesting Findings

1. Consistency in Structure

Despite diverse purposes, all 29 lockfiles follow a remarkably consistent structure with 6-7 standard jobs. This demonstrates excellent workflow templating and standardization.

2. Defensive Permission Model

96.6% of workflows use read-all for agent execution, with write permissions only granted to specific output handling jobs. This "read-mostly" pattern minimizes security risks while allowing agents to explore the repository freely.

3. Poem Bot Complexity

The poem-bot.lock.yml workflow is an outlier in every dimension:

• Largest file size (302.94 KB)
• Most jobs (14)
• Most safe output types (9)
• Most trigger types (7)

This suggests it serves as a "showcase" workflow demonstrating the full capabilities of the agentic workflow system.

4. Manual Execution Preference

79.3% of workflows support workflow_dispatch, indicating that most agentic workflows are designed for on-demand execution rather than fully automated operation. This suggests users prefer to trigger agents explicitly rather than having them run automatically.

5. Uniform File Sizes

All lockfiles fall between 115-303 KB, with 65.5% in the 100-200 KB range. This suggests:

• Compiled lockfiles have significant boilerplate (job definitions, membership checks, etc.)
• The actual workflow logic (prompts, configuration) comprises a smaller portion
• The compilation process generates consistent output structure

6. Limited MCP Server Diversity

Only 3 MCP servers are used across all workflows (github, tavily, brave), with github being universal. This suggests:

• The built-in tool ecosystem is comprehensive enough for most tasks
• External integrations are used judiciously
• Future growth opportunity: More specialized MCP servers for domain-specific tasks

7. Smart Scheduling Distribution

The 8 scheduled workflows run at different times (3 AM, 6 AM, 9 AM, 10 AM, 11 AM, midnight) to avoid concurrent execution and resource contention. This shows thoughtful operational planning.

Recommendations

1. Create Lockfile Templates

Given the high consistency across lockfiles, consider:

• Extracting common job definitions into reusable templates
• Reducing duplicated code in compiled lockfiles
• Implementing a more modular compilation approach

2. Expand MCP Server Ecosystem

Current usage is limited to 3 servers. Opportunities:

• Add specialized MCP servers for common tasks (Slack, Jira, cloud providers)
• Create domain-specific servers for security scanning, code quality, deployment
• Document best practices for custom MCP server development

3. Optimize File Sizes

Average lockfile size is 183 KB. Potential optimizations:

• Remove redundant boilerplate from compiled files
• Use YAML anchors and references for repeated sections
• Consider alternative compilation strategies to reduce output size

4. Standardize Safe Output Patterns

The poem-bot demonstrates extensive safe output usage. Consider:

• Creating "safe output profiles" for common workflow types
• Documenting best practices for safe output limits and configurations
• Providing templates for common patterns (reporting, fixing, documenting)

5. Enhanced Permission Granularity

Current pattern is strong but could be refined:

• Document why specific permissions are needed for each workflow type
• Create a permission analyzer tool to identify unnecessary permissions
• Implement automatic permission minimization during compilation

6. Workflow Categorization

The 29 workflows serve different purposes. Consider:

• Grouping workflows by type (reporting, fixing, maintenance, smoke tests)
• Creating specialized compilation profiles per category
• Implementing category-specific defaults and best practices

Methodology

• Analysis Tool: Python and Bash scripts for YAML parsing and statistical analysis
• Lock Files Analyzed: 29 (100% of lockfiles in .github/workflows/)
• Cache Memory: Scripts and data stored in /tmp/gh-aw/cache-memory/ for reuse
• Data Sources: .github/workflows/*.lock.yml files
• Parsing Approach:
  • YAML parsing with PyYAML for structure analysis
  • Regex and grep for pattern extraction
  • Statistical analysis with Python's statistics module

Scripts Created:

1. extract_file_sizes.sh - File size extraction
2. extract_triggers_v2.sh - Trigger pattern extraction
3. extract_safe_outputs_v2.sh - Safe output configuration extraction
4. parse_safe_outputs.py - Safe output type analysis
5. analyze_structure.py - Comprehensive structural analysis
6. extract_schedules.sh - Cron schedule extraction
7. extract_mcp_servers.sh - MCP server detection

Data Files Generated:

• file_sizes.txt - Raw file size data
• triggers_v2.txt - Trigger mappings per workflow
• safe_outputs_v2.txt - Safe output configurations
• structure_analysis.json - Complete structural data
• report.md - This report

All scripts and data are preserved in /tmp/gh-aw/cache-memory/ for future analysis runs and historical comparison.

Historical Trends

This is the initial analysis run. Future analyses will compare against this baseline to identify:

• Growth in number of workflows
• Changes in average file size
• Evolution of trigger patterns
• Adoption of new safe output types
• Permission pattern shifts

Appendix: Complete Workflow List

#	Workflow	Size (KB)	Jobs	Max Steps	Triggers	Main Safe Output
1	artifacts-summary	178.0	6	18	schedule, workflow_dispatch	create-discussion
2	audit-workflows	176.6	6	18	schedule, workflow_dispatch	create-discussion
3	brave	208.6	6	25	issue_comment	add-comment
4	changeset-generator	186.4	6	19	pull_request	push-to-pr-branch
5	ci-doctor	204.4	6	25	workflow_run	add-comment, create-issue
6	cli-version-checker	176.6	6	19	schedule, workflow_dispatch	create-pull-request
7	daily-news	178.0	6	18	schedule, workflow_dispatch	create-discussion
8	dev	145.5	6	19	push, workflow_dispatch	create-issue
9	duplicate-code-detector	164.4	6	19	schedule, workflow_dispatch	create-issue
10	github-mcp-tools-report	176.6	6	18	schedule, workflow_dispatch	create-discussion
11	go-pattern-detector	167.0	6	19	push, workflow_dispatch	create-issue
12	issue-classifier	132.8	6	19	issues	add-labels
13	lockfile-stats	180.9	6	18	schedule, workflow_dispatch	create-discussion
14	notion-issue-summary	141.4	6	19	issues	notion-add-comment
15	pdf-summary	210.4	6	25	issue_comment	add-comment
16	plan	202.3	6	19	issues	create-issue (max: 5)
17	poem-bot	302.9	14	19	7 trigger types	9 output types
18	q	240.8	6	42	issue_comment	create-pull-request
19	repo-tree-map	182.6	6	18	issues	create-discussion
20	scout	224.8	6	25	issue_comment	add-comment
21	security-fix-pr	183.3	6	19	issues	create-pull-request
22	smoke-claude	154.9	6	19	workflow_dispatch	create-issue (min:1)
23	smoke-codex	145.8	6	19	workflow_dispatch	create-issue (min:1)
24	smoke-copilot	174.9	6	19	workflow_dispatch	create-issue (m
[Content truncated due to length]

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 month ago.