📊 Lockfile Statistics Report - October 24, 2025

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - October 24, 2025

This report analyzes all .lock.yml files in the .github/workflows/ directory to understand usage patterns, structural characteristics, and automation strategies in this repository.

Executive Summary

The repository contains 51 agentic workflow lock files totaling 9.56 MB. These workflows are sophisticated automation pipelines with an average of 5.5 jobs and 57.2 steps per workflow. The majority (90.2%) are large files over 100KB, indicating complex, multi-stage automation processes.

Key Findings:

• 51 lock files analyzed (100% coverage)
• 2,916 total steps across all workflows
• 281 total jobs (avg 5.5 per workflow)
• 84.3% use workflow_dispatch (manual triggering)
• 51.0% use scheduled triggers (automated runs)
• 52.9% are "smoke test" workflows (5 jobs standard pattern)
• All workflows specify permissions (0% with default permissions)

Full Report Details

File Size Distribution

Size Range	Count	Percentage	Description
< 10 KB	0	0.0%	None - all workflows are complex
10-50 KB	0	0.0%	None
50-100 KB	5	9.8%	Minimal workflows
> 100 KB	46	90.2%	Standard complex workflows

Size Statistics:

• Smallest: test-post-steps.lock.yml (74.90 KB)
• Largest: poem-bot.lock.yml (347.08 KB)
• Average: 191.93 KB
• Total: 9.56 MB

Top 10 Largest Workflows

Rank	Workflow	Size	Steps	Jobs
1	poem-bot.lock.yml	347.08 KB	101	14
2	q.lock.yml	281.59 KB	84	8
3	unbloat-docs.lock.yml	266.83 KB	87	9
4	daily-test-improver.lock.yml	251.15 KB	69	8
5	daily-perf-improver.lock.yml	250.27 KB	69	8
6	scout.lock.yml	249.89 KB	74	7
7	tidy.lock.yml	247.80 KB	71	7
8	technical-doc-writer.lock.yml	244.38 KB	83	8
9	brave.lock.yml	239.75 KB	64	7
10	pdf-summary.lock.yml	239.35 KB	66	7

Trigger Analysis

Most Popular Triggers

Workflows can be triggered by various GitHub events. Here's the distribution:

Trigger Type	Count	Percentage	Description
workflow_dispatch	43	84.3%	Manual trigger (user-initiated)
schedule	26	51.0%	Automated cron-based triggers
issue_comment	7	13.7%	Triggered by issue comments
issues	5	9.8%	Triggered by issue events
workflow_run	3	5.9%	Triggered by other workflow completions
pull_request	3	5.9%	Triggered by PR events
discussion	2	3.9%	Triggered by discussion events
discussion_comment	2	3.9%	Triggered by discussion comments
pull_request_review_comment	2	3.9%	Triggered by PR review comments
push	2	3.9%	Triggered by repository pushes

Trigger Strategy Insights

• 84.3% support manual triggering via workflow_dispatch, enabling on-demand execution
• 51.0% are scheduled for automated recurring runs
• 62.7% use multiple triggers, combining automated and manual execution
• 23.5% are manual-only, requiring explicit user action

Common Trigger Combinations

Combination	Count	Percentage	Use Case
schedule + workflow_dispatch	25	49.0%	Scheduled with manual override option
workflow_dispatch only	12	23.5%	Manual execution only
workflow_run only	3	5.9%	Triggered by other workflows
Other combinations	11	21.6%	Various event-driven patterns

Schedule Patterns

26 workflows use cron schedules:

Most Common Schedule:

• Every 6 hours (0 0,6,12,18 * * *): 5 workflows
  • All smoke test workflows (smoke-claude, smoke-copilot, smoke-codex, smoke-genaiscript, smoke-opencode)
  • Ensures continuous health monitoring

Daily Schedules by Time (UTC):

• Midnight-Morning (0:00-9:00): 13 workflows

  • 0:00 - audit-workflows
  • 2:00 - daily-test-improver, daily-perf-improver (weekdays), schema-consistency-checker
  • 3:00 - lockfile-stats
  • 6:00 - daily-doc-updater, dictation-prompt + artifacts-summary (Sunday)
  • 8:00 - semantic-function-refactor
  • 9:00 - instructions-janitor, daily-news (weekdays), example-workflow-analyzer (Monday)

• Afternoon-Evening (12:00-22:00): 8 workflows

  • 12:00 - go-logger, blog-auditor (Wednesday), github-mcp-tools-report (Sunday)
  • 15:00 - cli-version-checker, weekly-issue-summary (Monday)
  • 18:00 - copilot-agent-analysis, mcp-inspector (Monday)
  • 21:00 - duplicate-code-detector
  • 22:00 - unbloat-docs

Weekly Patterns:

• Weekday-only (1-5): 3 workflows (daily-test-improver, daily-perf-improver, daily-news)
• Weekly (specific days): 5 workflows spread across different days to balance load
• Daily: 18 workflows run every day

Structural Characteristics

Job Complexity

Metric	Value	Notes
Total Jobs	281	Across all workflows
Average Jobs per Workflow	5.51	Most common: 5 jobs
Maximum Jobs	14	poem-bot.lock.yml
Minimum Jobs	2	5 workflows

Jobs per Workflow Distribution

Job Count	Workflows	Percentage	Pattern
2 jobs	5	9.8%	Minimal workflows
3 jobs	1	2.0%	Rare
5 jobs	27	52.9%	Standard smoke test pattern
6 jobs	6	11.8%	Extended workflows
7 jobs	6	11.8%	Complex workflows
8 jobs	4	7.8%	Very complex
9 jobs	1	2.0%	unbloat-docs
14 jobs	1	2.0%	poem-bot (most complex)

Insight: The dominant pattern is 5 jobs per workflow (52.9%), suggesting a standardized structure likely used for smoke tests across different engines.

Step Complexity

Metric	Value	Notes
Total Steps	2,916	Across all workflows
Average Steps per Workflow	57.18	Median complexity
Average Steps per Job	10.38	Typical job size
Maximum Steps (single workflow)	101	poem-bot.lock.yml

Complexity Distribution

Category	Count	Percentage	Definition
Small (<30 steps)	3	5.9%	Simple workflows
Medium (30-60 steps)	27	52.9%	Standard workflows
Large (60+ steps)	21	41.2%	Complex workflows

Insight: The majority (94.1%) are medium-to-large workflows, indicating sophisticated automation beyond simple CI/CD.

Top 10 Most Complex Workflows (by steps)

Rank	Workflow	Steps	Jobs	Size	Complexity Score*
1	poem-bot.lock.yml	101	14	347.08 KB	1414
2	unbloat-docs.lock.yml	87	9	266.83 KB	783
3	q.lock.yml	84	8	281.59 KB	672
4	technical-doc-writer.lock.yml	83	8	244.38 KB	664
5	mcp-inspector.lock.yml	75	7	238.00 KB	525
6	scout.lock.yml	74	7	249.89 KB	518
7	tidy.lock.yml	71	7	247.80 KB	497
8	daily-test-improver.lock.yml	69	8	251.15 KB	552
9	daily-perf-improver.lock.yml	69	8	250.27 KB	552
10	pdf-summary.lock.yml	66	7	239.35 KB	462

*Complexity Score = Steps × Jobs

Permission Patterns

All workflows explicitly specify permissions, demonstrating security-conscious design following the principle of least privilege.

Permission Strategy Distribution

Strategy	Count	Percentage	Security Posture
Specific permissions	40	78.4%	✅ Most secure - minimal permissions
read-all	11	21.6%	⚠️ Broad read access
No permissions specified	0	0.0%	❌ None (would use defaults)

Most Common Permissions

Permission	Count	Type	Purpose
contents: read	40	Read	Repository content access
actions: read	37	Read	Workflow artifacts/logs
_all: read-all	11	Read	All read permissions
pull-requests: read	7	Read	PR information access
issues: read	3	Read	Issue data access
models: read	3	Read	AI model access
security-events: read	3	Read	Security scan results
id-token: write	2	Write	OIDC token generation
attestations: read	2	Read	Artifact attestations
checks: read	2	Read	Check run status

Write Permissions: Only 2 workflows use write permissions (id-token: write), maintaining a strong read-only posture.

Permission Best Practices Observed

1. ✅ 100% explicit permission specification - No workflows rely on default permissions
2. ✅ 78.4% use minimal permissions - Specific scopes rather than broad access
3. ✅ Minimal write access - Only 2 workflows need write permissions
4. ✅ Consistent patterns - contents:read + actions:read is the standard baseline

Timeout Configuration

Metric	Value
Workflows with timeout	45 (88.2%)
Standard timeout	10 minutes (uniform across all workflows)
Average timeout	10 minutes
Min timeout	10 minutes
Max timeout	10 minutes

Insight: Uniform 10-minute timeout across all workflows with timeouts configured, suggesting a standardized safety limit for agent execution.

Average Lock File Profile

Based on statistical analysis, a typical .lock.yml file has:

Characteristic	Value
Size	~192 KB
Jobs	~5-6 jobs
Steps per Job	~10 steps
Total Steps	~57 steps
Triggers	schedule + workflow_dispatch
Permissions	contents:read + actions:read
Timeout	10 minutes
Complexity	Medium-Large

Interesting Findings

1. Standardized Smoke Test Pattern

The most common pattern (52.9% of workflows) is a 5-job structure running every 6 hours:

• smoke-claude.lock.yml
• smoke-copilot.lock.yml
• smoke-codex.lock.yml
• smoke-genaiscript.lock.yml
• smoke-opencode.lock.yml

This suggests a robust multi-engine testing strategy ensuring compatibility across different AI providers.

2. Strategic Schedule Distribution

Workflows are deliberately scheduled at different times throughout the day to:

• Avoid concurrent execution conflicts
• Balance CI/CD resource usage
• Match workflow purpose to appropriate time (e.g., "daily-news" at 9 AM)

3. Security-First Design

• 100% permission specification rate (unprecedented in many repos)
• 98% read-only workflows (only 2 use write)
• 78% use minimal scoped permissions rather than broad access
• Demonstrates mature security practices

4. No Safe Outputs Detected

Unlike typical GitHub Actions workflows, these lockfiles don't use the traditional githubnext/safe-outputs action pattern. This suggests:

• Lock files may represent a different execution model
• Output handling may be embedded in the engine logic
• Alternative safety mechanisms in place

5. Size Uniformity

90.2% of workflows exceed 100KB, with tight clustering around 192KB average. This suggests:

• Consistent template or generation process
• Similar levels of embedded documentation/configuration
• Standardized structure across the repository

6. Poem Bot Stands Out

poem-bot.lock.yml is an outlier:

• 14 jobs (vs. 5.5 avg)
• 101 steps (vs. 57 avg)
• 347 KB (vs. 192 KB avg)
• Demonstrates the flexibility of the platform for complex creative tasks

7. Weekday vs. Weekend Split

• Maintenance tasks run on weekdays (test improver, perf improver, daily news)
• Summary/reporting tasks run on weekends (weekly summary, artifacts summary, dictation prompt)
• Shows thoughtful separation of continuous improvement from periodic reporting

Recommendations

Based on this analysis, here are optimization opportunities:

1. Schedule Optimization

• ✅ Current: Good distribution across 24-hour cycle
• 💡 Consider: Grouping related workflows (e.g., all "improver" workflows together) for batch processing

2. Timeout Standardization

• ✅ Current: Consistent 10-minute timeout
• 💡 Monitor: Track if any workflows frequently approach timeout (may need adjustment)

3. Permission Audit

• ✅ Excellent: 78% use minimal permissions
• 💡 Improve: Review the 11 workflows using read-all to see if specific permissions would suffice

4. Complexity Management

• ⚠️ Alert: 21 workflows have 60+ steps
• 💡 Consider: Breaking down complex workflows or documenting why complexity is necessary
• 💡 Focus: Review poem-bot.lock.yml (101 steps) for potential modularization

5. Documentation

• 💡 Add: Create a workflow catalog documenting the purpose of each lockfile
• 💡 Add: Document the 5-job smoke test pattern as a standard template
• 💡 Add: Schedule visualization showing when all workflows run

6. Testing Strategy

• ✅ Strong: Robust smoke testing across 5 engines every 6 hours
• 💡 Consider: Add integration tests between workflows (some use workflow_run already)

7. Resource Monitoring

• 💡 Track: Monitor peak concurrent workflow execution times
• 💡 Track: Measure actual execution times vs. 10-minute timeout
• 💡 Track: Token usage across smoke tests to optimize costs

Methodology

• Analysis Tool: Python 3 with PyYAML for parsing
• Lock Files Analyzed: 51 (100% coverage)
• Data Sources: .github/workflows/*.lock.yml
• Cache Memory: Used for script persistence and historical tracking
• Analysis Script: /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.py
• Historical Data: Saved to /tmp/gh-aw/cache-memory/history/2025-10-24.json

Files Analyzed

All 51 lockfiles in .github/workflows/:

• artifacts-summary.lock.yml, audit-workflows.lock.yml, blog-auditor.lock.yml
• brave.lock.yml, changeset-generator.lock.yml, ci-doctor.lock.yml
• cli-version-checker.lock.yml, commit-changes-analyzer.lock.yml, copilot-agent-analysis.lock.yml
• daily-doc-updater.lock.yml, daily-news.lock.yml, daily-perf-improver.lock.yml
• daily-test-improver.lock.yml, dev-hawk.lock.yml, dev.firewall.lock.yml
• dev.lock.yml, dictation-prompt.lock.yml, duplicate-code-detector.lock.yml
• example-workflow-analyzer.lock.yml, github-mcp-tools-report.lock.yml, go-logger.lock.yml
• go-pattern-detector.lock.yml, instructions-janitor.lock.yml, issue-classifier.lock.yml
• lockfile-stats.lock.yml, mcp-inspector.lock.yml, notion-issue-summary.lock.yml
• pdf-summary.lock.yml, plan.lock.yml, poem-bot.lock.yml
• q.lock.yml, repo-tree-map.lock.yml, research.lock.yml
• schema-consistency-checker.lock.yml, scout.lock.yml, security-fix-pr.lock.yml
• semantic-function-refactor.lock.yml, smoke-claude.lock.yml, smoke-codex.lock.yml
• smoke-copilot.lock.yml, smoke-detector.lock.yml, smoke-genaiscript.lock.yml
• smoke-opencode.lock.yml, technical-doc-writer.lock.yml, test-jqschema.lock.yml
• test-post-steps.lock.yml, test-svelte.lock.yml, tidy.lock.yml
• unbloat-docs.lock.yml, video-analyzer.lock.yml, weekly-issue-summary.lock.yml

---

Generated by Lockfile Statistics Analysis Agent on 2025-10-24 03:26:44 UTC

Next scheduled run: Daily at 3:00 UTC (automated via lockfile-stats workflow)

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 month ago.