📊 Agentic Workflow Lock File Statistics - 2025-10-18

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - 2025-10-18

Executive Summary

• Total Lock Files: 35
• Total Size: 7.31 MB
• Average File Size: 203.8 KB
• Analysis Date: 2025-10-18
• Repository: githubnext/gh-aw

This comprehensive analysis examines all .lock.yml files in the .github/workflows/ directory to identify usage patterns, structural characteristics, and best practices for agentic workflows.

File Size Distribution

Size Range	Count	Percentage
50-100 KB	1	2.9%
100-200 KB	19	54.3%
200-300 KB	14	40.0%
> 300 KB	1	2.9%

Notable Files

Smallest Files:

• test-post-steps.lock.yml: 88.0 KB
• smoke-opencode.lock.yml: 123.9 KB
• smoke-genaiscript.lock.yml: 125.4 KB
• issue-classifier.lock.yml: 147.7 KB
• smoke-codex.lock.yml: 159.8 KB

Largest Files:

• poem-bot.lock.yml: 343.4 KB ⭐ (Largest)
• q.lock.yml: 288.2 KB
• mcp-inspector.lock.yml: 261.6 KB
• unbloat-docs.lock.yml: 260.8 KB
• scout.lock.yml: 259.7 KB

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	Percentage	Description
workflow_dispatch	29	82.9%	Manual trigger capability
schedule	12	34.3%	Automated cron-based execution
issues	5	14.3%	Triggered by issue events
push	3	8.6%	Triggered on code pushes
pull_request	3	8.6%	Triggered on PR events

Key Insight: 82.9% of workflows support manual triggering via workflow_dispatch, indicating a strong emphasis on on-demand execution. 34.3% also have scheduled automation.

Schedule Patterns

Schedule (Cron)	Count	Description
0 10 * * *	3	Daily at 10:00 UTC
0 9 * * 0	2	Weekly on Sundays at 9:00 UTC
0 9 * * 1-5	1	Weekdays at 9:00 UTC
0 9 * * 1	1	Weekly on Mondays at 9:00 UTC
0 9 * * *	1	Daily at 9:00 UTC
0 3 * * *	1	Daily at 3:00 UTC
0 11 * * *	1	Daily at 11:00 UTC
0 10 * * 1	1	Weekly on Mondays at 10:00 UTC
0 0 * * *	1	Daily at midnight UTC

Pattern: Most scheduled workflows run during morning hours (UTC 9:00-11:00), with some variation for different time zones. Daily schedules are more common than weekly.

Example Workflows by Trigger Type

workflow_dispatch (29 workflows): artifacts-summary, audit-workflows, cli-version-checker, copilot-agent-analysis, daily-doc-updater, daily-news, dev, duplicate-code-detector, and 21 more...

schedule (12 workflows): artifacts-summary, audit-workflows, cli-version-checker, copilot-agent-analysis, daily-doc-updater, daily-news, duplicate-code-detector, example-workflow-analyzer, and more...

issues (5 workflows): issue-classifier, notion-issue-summary, pdf-summary, plan, scout

pull_request (3 workflows): changeset-generator, smoke-claude, tidy

Safe Outputs Analysis

Safe Output Types Distribution

Type	Count	Workflows Using
create-issue	52	14 workflows
add-comment	45	9 workflows
create-discussion	34	11 workflows

Key Findings:

• create-issue: Most popular safe output type, used in 40% of workflows
• add-comment: Second most common, providing inline feedback
• create-discussion: Used for structured, persistent communication
• No workflows use create-pull-request safe outputs in this repository

Safe Output Usage Patterns

Heavy Users (workflows with multiple safe outputs):

• lockfile-stats.lock.yml: 8 discussions, 4 issues, 4 comments (16 total!)
• copilot-agent-analysis.lock.yml: 5 discussions
• ci-doctor.lock.yml: 4 issues, 4 comments
• mcp-inspector.lock.yml: 3 discussions, 5 comments
• dev.lock.yml: 4 issues

Single Purpose (workflows with one safe output type):

• 6 workflows use only discussions
• 8 workflows use only issues
• 3 workflows use only comments

Structural Characteristics

Job Complexity

• Average Jobs per Workflow: 7.8 jobs
• Average Steps per Workflow: 64.0 steps
• Maximum Jobs in Single Workflow: 16 jobs
• Maximum Steps in Single Workflow: 126 steps

Distribution Analysis:

• Most workflows have between 6-10 jobs
• Step counts vary significantly, from simple workflows with 20-30 steps to complex ones with 100+ steps
• The high average suggests well-orchestrated, multi-stage execution patterns

Typical Lock File Structure

Based on statistical analysis, a typical .lock.yml file has:

• Size: ~204 KB
• Jobs: ~8 jobs (pre_activation → activation → agent → detection → multiple safe output jobs)
• Steps per Job: ~8 steps average
• Permissions: Contents (read), Issues (write), Discussions (write)
• Triggers: workflow_dispatch + optionally schedule
• Timeout: Not commonly specified (defaults to GitHub's 360 minutes)
• Concurrency: Group-based with workflow name

Permission Patterns

Most Common Permissions

Permission	Count	Primary Mode
contents	118	read
issues	53	write
pull-requests	45	write
discussions	35	write
actions	25	read
security-events	1	write
models	1	read

Permission Distribution

• Write Permissions: 198 instances (58.6%)
• Read Permissions: 140 instances (41.4%)
• Most Permissive: workflows with write access to discussions, issues, and pull-requests
• Least Permissive: Some jobs use empty permissions permissions: {} at workflow level, then grant specific permissions per job

Security Pattern: The repository follows best practice of granular permissions—empty permissions at the workflow level, then specific grants per job based on need.

Tool & MCP Patterns

Most Used MCP Servers

MCP Server	Workflows	Purpose
github	30	GitHub API operations (85.7% of workflows)
playwright	1	Browser automation (brave.lock.yml)
ast-grep	1	AST-based code search

GitHub MCP Tool Usage

Most Common GitHub MCP Tools:
All 30 workflows using the GitHub MCP server have access to comprehensive tool sets including:

• Search operations: search_code, search_issues, search_pull_requests, search_repositories, search_users, search_orgs
• Read operations: get_issue, get_commit, get_pull_request, list_issues, list_commits, list_workflows
• Workflow operations: get_workflow_run, list_workflow_runs, list_workflow_jobs, get_job_logs

Special MCP Configurations:

• brave.lock.yml: Only workflow using Playwright MCP (21 browser automation tools)
• go-pattern-detector.lock.yml: Uses ast-grep MCP for structural code search

Tool Allowlist Patterns

Analyzing common tool configurations:

• Standard Toolset: Most workflows allow Bash, GitHub API, Glob, Grep, Read, Write, Edit, Task
• Web Tools: Many workflows include WebFetch and WebSearch for external data gathering
• Specialized: Some workflows restrict tools based on their specific purpose

Interesting Findings

1. Workflow Dispatch Dominance: 82.9% of workflows support manual triggering, suggesting this repository values on-demand agent execution over purely automated workflows.

2. Safe Output Philosophy: The repository heavily favors create-issue (52 instances) and add-comment (45 instances) over create-discussion (34 instances), suggesting preference for issue-based tracking over forum-style discussions.

3. Size Consistency: 94.3% of lock files fall between 100-300 KB, indicating remarkably consistent workflow complexity across the repository.

4. Job Orchestration: The average of 7.8 jobs per workflow with 64 steps suggests sophisticated multi-stage pipelines with clear separation of concerns (pre-activation → activation → agent → detection → safe outputs).

5. GitHub MCP Ubiquity: 85.7% of workflows use the GitHub MCP server, making it the de facto standard for repository operations.

6. Schedule Timing Strategy: Scheduled workflows predominantly run during morning hours (UTC 9:00-11:00), likely to provide fresh insights at the start of business hours across multiple time zones.

7. Granular Permissions: The pattern of empty workflow-level permissions with job-specific grants demonstrates security-conscious design.

8. Heavy Safe Output Users: The lockfile-stats workflow stands out with 16 total safe outputs (8 discussions, 4 issues, 4 comments), indicating highly interactive agent behavior.

Historical Trends

This is the baseline analysis. Future runs will compare against this data to identify trends in:

• Lock file count growth
• Average size changes
• New trigger patterns
• Safe output usage evolution
• Permission pattern shifts

Recommendations

1. Standardize Cron Schedules: Consider consolidating the 9 different cron patterns into 2-3 standard time slots to simplify schedule management and reduce workflow run clustering.

2. Document Safe Output Strategy: Create guidelines on when to use create-issue vs create-discussion vs add-comment based on the observed patterns.

3. Optimize Large Workflows: Investigate the 5 largest workflows (>260 KB) to identify opportunities for modularization or optimization.

4. Timeout Configuration: Most workflows don't specify timeouts. Consider adding explicit timeout configurations based on workflow complexity to prevent runaway executions.

5. Leverage Workflow Templates: With 94.3% of files in the 100-300 KB range and similar structures, create workflow templates to standardize common patterns.

6. MCP Server Expansion: Only 3 MCP servers are used. Consider evaluating additional MCP servers for specialized tasks (e.g., Slack for notifications, database MCPs for data operations).

7. Permission Audits: Regularly audit the 198 write permission grants to ensure they follow least-privilege principles.

8. Concurrency Groups: 23 workflows use the standard group pattern gh-aw-${{ github.workflow }}. Consider documenting this as a best practice.

Methodology

Data Collection

• Analysis Tool: Bash scripts with text processing (grep, awk, sed)
• Lock Files Analyzed: 35 files
• Cache Memory: /tmp/gh-aw/cache-memory/ for script persistence and data storage
• Data Sources: .github/workflows/*.lock.yml

Analysis Scripts

1. analyze_lockfiles.sh: Primary data extraction script
2. generate_stats.sh: Statistical summary generation
3. detailed_analysis.sh: Detailed pattern analysis

Metrics Collected

• File sizes and distribution
• Trigger types and combinations
• Safe output configurations
• Permission patterns
• Job and step counts
• MCP server usage
• Cron schedule patterns
• Concurrency configurations

Validation

• Cross-checked trigger counts with manual inspection
• Verified safe output detection with grep patterns
• Confirmed MCP server identification across multiple workflows

---

Generated by Lockfile Statistics Analysis Agent on 2025-10-18
Analysis took ~5 minutes, processing 7.31 MB across 35 lock files
Scripts and data available in /tmp/gh-aw/cache-memory/

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 month ago.