📊 Agentic Workflow Lock File Statistics - October 23, 2025

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - October 23, 2025

This report provides comprehensive statistical analysis of all .lock.yml files in the githubnext/gh-aw repository, revealing usage patterns, structural characteristics, and interesting insights about agentic workflows.

Executive Summary

• Total Lock Files: 50
• Total Size: 9.34 MB
• Average File Size: 191.34 KB
• Analysis Date: October 23, 2025
• Repository: githubnext/gh-aw

Key findings reveal that 90% of lock files are large (>100KB), schedule-based automation dominates triggers (48%), and the GitHub MCP server is overwhelmingly the most popular tool integration (1,486 uses).

Full Report Details

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10-50 KB	0	0.0%
50-100 KB	5	10.0%
> 100 KB	45	90.0%

Statistics:

• Smallest: test-post-steps.lock.yml (74.67 KB)
• Largest: poem-bot.lock.yml (346.82 KB)
• Average: 191.34 KB
• Total: 9.34 MB

Observation: All lock files are substantial in size, with 90% exceeding 100KB. This indicates that agentic workflows contain extensive configuration, prompt instructions, and tooling definitions. The smallest files (test workflows) are still ~75KB, suggesting a significant baseline complexity even for simple workflows.

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	Percentage	Description
schedule	24	48.0%	Cron-based automated runs
workflow_dispatch	12	24.0%	Manual trigger capability
issue_comment	5	10.0%	Comment-triggered workflows
workflow_run	3	6.0%	Triggered by other workflows
issues	2	4.0%	Issue event triggers
discussion	2	4.0%	Discussion-based triggers
push	1	2.0%	Push event triggers
pull_request	1	2.0%	PR event triggers

Key Insights:

• Schedule dominance: Nearly half (48%) of workflows run on automated schedules, indicating strong emphasis on proactive automation
• Manual control: 24% include workflow_dispatch, allowing on-demand execution
• Interactive workflows: 10% respond to issue comments, enabling conversational agent interactions
• Event-driven: Remaining workflows respond to repository events (issues, PRs, discussions)

Common Trigger Combinations

Based on analysis, most workflows use single triggers, but several notable patterns exist:

• Schedule + workflow_dispatch: Common for daily automation that can also be manually triggered
• Issues + issue_comment: For workflows that handle both new issues and comments
• Multiple event types: Some workflows respond to pull_requests, issues, and workflow_runs

Schedule Patterns

Schedule (Cron)	Count	Description
0 0,6,12,18 * * *	5	Every 6 hours (midnight, 6am, noon, 6pm)
0 6 * * 0	2	Weekly on Sunday at 6am
0 2 * * 1-5	2	Weekdays at 2am
0 9 * * 1-5	1	Weekdays at 9am
0 9 * * 1	1	Monday at 9am
0 8 * * *	1	Daily at 8am
0 6 * * *	1	Daily at 6am
0 3 * * *	1	Daily at 3am
0 22 * * *	1	Daily at 10pm
Others	9	Various daily, weekly, and custom schedules

Patterns Observed:

• Multiple daily runs: 5 workflows run 4 times per day (every 6 hours)
• Business hours: Several workflows run during typical work hours (6am-9am)
• Weekday focus: Multiple workflows target weekdays only (Monday-Friday)
• Weekly summaries: Sunday morning runs for weekly aggregations

Example Workflows by Trigger Type

Schedule triggers:

• artifacts-summary.lock.yml
• audit-workflows.lock.yml
• blog-auditor.lock.yml
• cli-version-checker.lock.yml
• copilot-agent-analysis.lock.yml

Issue comment triggers (conversational agents):

• brave.lock.yml
• pdf-summary.lock.yml
• plan.lock.yml
• q.lock.yml
• scout.lock.yml

Issue triggers:

• issue-classifier.lock.yml
• notion-issue-summary.lock.yml

Pull request triggers:

• changeset-generator.lock.yml
• commit-changes-analyzer.lock.yml

Safe Outputs Analysis

Safe outputs are the mechanism by which agentic workflows produce externally visible results in GitHub.

Safe Output Types Distribution

All 50 workflows (100%) are configured with safe output capabilities:

Type	Workflows	Description
create_discussion	45	Create GitHub Discussions
create_issue	45	Create GitHub Issues
add_comment	45	Add comments to issues/PRs
missing_tool	45	Report missing tool capabilities

Key Findings:

• Universal support: Nearly all workflows support multiple safe output types
• Flexible reporting: Workflows can choose the most appropriate output mechanism
• Discussion preference: The "create_discussion" type is universally supported, suggesting discussions are the primary output channel
• Issue creation: All workflows can create issues for tracking work or reporting problems
• Comment capability: Universal support for adding comments enables conversational workflows

Discussion Categories

Based on workflow configuration, discussions are primarily used for:

• Audits: Audit reports and analysis results
• Reports: General reporting and summaries
• Agent Output: Direct agent responses and findings
• Updates: Status updates and notifications

Structural Characteristics

Job Complexity

• Average Jobs per Workflow: 5.70
• Average Steps per Job: Not accurately measurable due to parsing complexity
• Maximum Jobs in Single Workflow: 15 (poem-bot.lock.yml)
• Minimum Jobs: 1 (several test workflows)

Typical Job Structure:

1. pre_activation: Optional pre-checks
2. activation: Workflow validation and setup
3. agent: Main agent execution
4. detection: Result detection and processing
5. create_discussion/create_issue/add_comment: Output jobs
6. missing_tool: Tool reporting

Average Lock File Structure

Based on statistical analysis, a typical .lock.yml file has:

• Size: ~191 KB
• Jobs: ~6 jobs
• Permissions: Read-all with selective write permissions
• Triggers: Schedule (48%) or workflow_dispatch (24%)
• Timeout: ~12 minutes average
• Concurrency Group: Workflow-specific to prevent concurrent runs

Workflow Complexity Distribution

Complexity Level	Job Count	Example Workflows
Simple	1-3 jobs	test-post-steps (1), test-svelte (1)
Medium	4-6 jobs	Most workflows (~60%)
Complex	7-10 jobs	technical-doc-writer (8), tidy (8), unbloat-docs (10)
Very Complex	11+ jobs	poem-bot (15)

Permission Patterns

Most Common Permissions

Permission	Count	Type	Usage
contents	39	read	Repository content access
actions	36	read	Workflow and action metadata
pull-requests	6	read	PR information access
security-events	3	read	Security scanning results
models	3	read	AI model access
issues	3	read	Issue information
discussions	2	read/write	Discussion access
statuses	2	read	Commit status checks
repository-projects	2	read	Project board access
pages	2	read	GitHub Pages access
packages	2	read	Package registry access
id-token	2	write	OIDC token generation
deployments	2	read	Deployment status
checks	2	read	Check run status
attestations	2	read	Artifact attestations

Permission Distribution

• Read-only workflows: Most workflows use read permissions
• Write permissions: Primarily granted to specific jobs (activation, output jobs) rather than entire workflows
• Minimal permissions: 34 workflows (68%) use read-all as default, then grant specific write permissions to jobs that need them
• Most common write: discussions:write (for creating discussions), issues:write (for creating/commenting on issues)

Security Posture: The permission model follows the principle of least privilege:

• Workflows default to read-only at the workflow level
• Individual jobs request write permissions only when needed
• Write permissions are scoped to specific resources (issues, discussions, PRs)

Tool & MCP Patterns

Most Used MCP Servers

MCP Server	Approximate Uses	Description
github	1,486	GitHub API integration (issues, PRs, discussions)
playwright	84	Browser automation and web scraping
deepwiki	6	Wikipedia and knowledge base access
arxiv	6	Academic paper research
tavily	~5	Web search capabilities
serena	~4	Code analysis
markitdown	~3	Markdown processing
notion	~2	Notion integration
microsoft-docs	~2	Microsoft documentation access
brave	~2	Alternative web search
context7	~2	Documentation context
ast-grep	~2	AST-based code search

Insights:

• GitHub dominance: The GitHub MCP server is by far the most used (1,486 uses), reflecting the repository-centric nature of these workflows
• Web research: Playwright (84 uses) enables web browsing and data extraction
• Knowledge access: Multiple knowledge sources (deepwiki, arxiv, microsoft-docs) for research tasks
• Diverse tooling: 12+ different MCP servers indicate rich integration ecosystem

Common Tool Configurations

• GitHub API tools: Universal - all workflows interact with GitHub
• Bash tools: Widely used for scripting and automation
• Web tools: fetch/search capabilities in research-focused workflows
• File operations: Read, Write, Edit tools for code manipulation
• Task management: TodoWrite tool for tracking agent progress

GitHub Actions Used

Action	Count	Purpose
actions/github-script	586	JavaScript automation and GitHub API access
actions/upload-artifact	399	Artifact storage
actions/download-artifact	271	Artifact retrieval
actions/setup-node	95	Node.js environment setup
actions/checkout	80	Repository checkout
actions/cache	17	Dependency caching
actions/setup-go	8	Go environment setup
actions/setup-python	6	Python environment setup
astral-sh/setup-uv	4	UV package manager setup
actions/ai-inference	2	AI model inference

Observation: Heavy reliance on github-script (586 uses) for programmatic GitHub interactions, and extensive use of artifacts (670 combined upload/download) for data persistence between jobs.

Timeout Patterns

Timeout Configuration

• Average Timeout: 11.81 minutes
• Median Timeout: 10 minutes
• Min Timeout: 5 minutes
• Max Timeout: 60 minutes
• Workflows with Timeout: 235 job-level timeout configurations

Distribution:

• Most workflows use 10-minute timeouts (median)
• Conservative timeout settings prevent runaway processes
• Longer timeouts (30-60 minutes) for complex analysis workflows
• Shorter timeouts (5 minutes) for simple validation jobs

Concurrency Patterns

Concurrency Groups

Pattern	Count	Purpose
gh-aw-VARIABLE	47	Workflow-level concurrency control
gh-aw-copilot-VARIABLE	32	Copilot engine isolation
gh-aw-claude-VARIABLE	32	Claude engine isolation
gh-aw-custom-VARIABLE	4	Custom engine isolation
gh-aw-codex-VARIABLE	4	Codex engine isolation
dev-workflow-VARIABLE	2	Development workflow isolation
tidy-VARIABLE	1	Tidy workflow isolation

Insights:

• Workflow isolation: Each workflow uses a unique concurrency group to prevent self-interference
• Engine-specific concurrency: Some workflows further isolate by AI engine (claude, copilot, codex)
• Event-specific concurrency: Many include event context (issue number, PR number) in the group name
• Purpose: Prevents concurrent runs on the same resource (e.g., same issue, same PR)

Workflow Categorization

By Function

Testing & Quality (11 workflows):

• smoke-claude, smoke-copilot, smoke-codex, smoke-genaiscript, smoke-opencode
• smoke-detector, test-jqschema, test-post-steps, test-svelte
• daily-test-improver
• Smoke tests validate different AI engines and integrations

Daily Automation (4 workflows):

• daily-doc-updater, daily-news, daily-perf-improver, daily-test-improver
• Proactive maintenance and improvement workflows

Code Analysis (8 workflows):

• cli-version-checker, commit-changes-analyzer, duplicate-code-detector
• example-workflow-analyzer, go-pattern-detector, mcp-inspector
• schema-consistency-checker, video-analyzer
• Static analysis and pattern detection

Development Tools (5 workflows):

• dev, dev-hawk, dev.firewall, plan, research
• Interactive development assistance

Documentation & Reporting (6+ workflows):

• audit-workflows, blog-auditor, technical-doc-writer, unbloat-docs
• github-mcp-tools-report, weekly-issue-summary, artifacts-summary
• Content analysis and documentation generation

Code Modification (4 workflows):

• changeset-generator, semantic-function-refactor, security-fix-pr, tidy
• Automated code changes and refactoring

Interactive Agents (6+ workflows):

• brave, q, scout, pdf-summary, plan, issue-classifier
• Conversational workflows responding to user requests

Specialized (6 workflows):

• poem-bot, dictation-prompt, notion-issue-summary, video-analyzer
• go-logger, repo-tree-map
• Domain-specific tools

Shared Imports Analysis

Most Common Imports

Import	Count	Purpose
shared/reporting.md	9	Common reporting functionality
shared/jqschema.md	7	JSON schema utilities
shared/mcp/tavily.md	5	Tavily web search configuration
shared/mcp/serena.md	4	Serena code analysis
shared/mcp/gh-aw.md	4	GitHub AW-specific tools
shared/mcp/markitdown.md	3	Markdown processing
shared/mcp/notion.md	2	Notion integration
shared/mcp/microsoft-docs.md	2	Microsoft docs access
shared/mcp/deepwiki.md	2	Wikipedia integration
shared/mcp/context7.md	2	Documentation context
shared/mcp/brave.md	2	Brave search integration
shared/mcp/ast-grep.md	2	AST pattern matching
shared/mcp/arxiv.md	2	Academic paper research

Observation: Strong reuse of shared configuration, particularly for reporting (9 uses) and common utilities (jqschema with 7 uses). This promotes consistency across workflows.

Interesting Findings

1. Massive Scale of Configuration: Lock files average 191KB each, totaling 9.34MB for 50 workflows. This represents substantial compiled configuration, suggesting complex prompt engineering and tooling setup.

2. Schedule-First Design: 48% of workflows use cron schedules, indicating this repository embraces proactive, autonomous automation rather than purely reactive workflows. Daily and 6-hour intervals are most common.

3. GitHub as Primary Integration: With 1,486 uses, the GitHub MCP server is the overwhelmingly dominant tool. This makes sense given these are GitHub Actions workflows, but the scale shows deep integration with issues, PRs, discussions, and repository metadata.

4. Universal Safe Output Support: All 50 workflows support multiple safe output types (discussions, issues, comments), showing mature patterns for agent-to-human communication.

5. Complex Job Orchestration: Average of 5.7 jobs per workflow with sophisticated dependency graphs (visible in mermaid diagrams in lock files). The most complex workflow (poem-bot) has 15 jobs.

6. Engine Diversity: Evidence of multiple AI engines (claude, copilot, codex, genaiscript, opencode) with dedicated smoke tests for each, suggesting a multi-engine strategy.

7. Concurrency Isolation: Sophisticated concurrency controls prevent interference, with both workflow-level and engine-level isolation patterns.

8. Artifact-Heavy Workflows: 670 combined artifact upload/download operations across 50 workflows suggest heavy use of artifacts for state persistence and dat
   [Content truncated due to length]

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 month ago.