📊 Agentic Workflow Lock File Statistics - 2025-10-26

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - 2025-10-26

This comprehensive analysis examines all 58 .lock.yml files in the .github/workflows/ directory to identify usage patterns, popular triggers, safe outputs, structural characteristics, and MCP server adoption across the gh-aw repository.

Executive Summary

The gh-aw repository contains 58 agentic workflow lock files totaling 10.93 MB of YAML configuration. These workflows demonstrate sophisticated automation patterns with strong security controls, extensive GitHub integration, and diverse trigger mechanisms. Analysis reveals high adoption of manual workflow dispatch (96.6%), broad use of scheduled automation (53.4%), and overwhelming reliance on GitHub MCP tools (92% of all MCP references).

Key Highlights:

• Total Lock Files: 58
• Total Size: 10.93 MB (11,461,814 bytes)
• Average File Size: 193 KB
• Total Jobs: 308 across all workflows
• Average Jobs per Workflow: 5.3
• Manual Trigger Support: 96.6% (56 of 58 workflows)
• Scheduled Workflows: 53.4% (31 of 58 workflows)
• GitHub MCP Dominance: 92% of MCP tool references

Full Report Details

File Size Distribution

Size Range	Count	Percentage	Examples
< 100 KB	7	12.1%	shared/opencode.lock.yml (23 KB), test-post-steps.lock.yml (81 KB)
100-200 KB	18	31.0%	smoke-opencode.lock.yml (140 KB), issue-classifier.lock.yml (161 KB)
200-250 KB	25	43.1%	daily-news.lock.yml (213 KB), scout.lock.yml (248 KB)
250-300 KB	6	10.3%	daily-test-improver.lock.yml (256 KB), q.lock.yml (295 KB)
> 300 KB	2	3.4%	poem-bot.lock.yml (356 KB)

Statistics:

• Smallest: shared/opencode.lock.yml (23 KB) - Minimal shared configuration
• Largest: poem-bot.lock.yml (356 KB) - Most comprehensive workflow with 14 jobs
• Median: 204 KB
• Average: 193 KB

The size distribution shows most workflows (74.1%) fall in the 100-250 KB range, indicating consistent complexity and feature sets across the repository.

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	Percentage	Primary Use Case
workflow_dispatch	56	96.6%	Manual execution with optional parameters
schedule	31	53.4%	Automated periodic runs
issue_comment	6	10.3%	Response to issue/PR comments
issues	5	8.6%	Issue creation/update events
pull_request	4	6.9%	PR events (opened, synchronized, etc.)
workflow_run	3	5.2%	Triggered after other workflows complete
push	3	5.2%	Code push events
discussion	2	3.4%	Discussion events
discussion_comment	2	3.4%	Discussion comment events
pull_request_review_comment	2	3.4%	PR review comment events

Key Insights:

• Flexibility First: 96.6% support manual triggering, enabling ad-hoc workflow execution
• Automation Balance: Over half (53.4%) run on schedules, showing strong automated monitoring
• Interactive Workflows: Comment-based triggers (issue_comment, discussion_comment) enable conversational AI patterns
• Multi-trigger Design: Many workflows combine multiple triggers (e.g., schedule + workflow_dispatch)

Common Trigger Combinations

1. schedule + workflow_dispatch (25 workflows) - Scheduled with manual override capability
2. issues + workflow_dispatch (3 workflows) - Issue-driven with manual testing
3. issue_comment + workflow_dispatch (4 workflows) - Comment-responsive with manual mode
4. pull_request + workflow_dispatch (3 workflows) - PR automation with manual control

Schedule Patterns

Schedule (Cron)	Count	Description	Workflows
0 0,6,12,18 * * *	5	Every 6 hours (midnight, 6am, noon, 6pm)	smoke-claude, smoke-copilot (2x), smoke-opencode, smoke-codex
0/10 * * * *	3	Every 10 minutes	shared/mcp/arxiv, shared/mcp/context7, shared/opencode
0 6 * * 0	2	Sundays at 6am	artifacts-summary, dictation-prompt
0 2 * * 1-5	2	Weekdays at 2am	daily-test-improver, daily-perf-improver, schema-consistency-checker
0 9 * * 1-5	1	Weekdays at 9am	daily-news
0 16 * * 1-5	1	Weekdays at 4pm	daily-repo-chronicle
0 15 * * 1	1	Mondays at 3pm	weekly-issue-summary
Other patterns	15	Various daily/weekly schedules	Multiple workflows

Pattern Analysis:

• Smoke Testing: Runs every 6 hours for continuous validation
• High-Frequency Monitoring: MCP servers check every 10 minutes
• Business Hours Focus: Many daily tasks run at 2am, 6am, 9am (off-peak hours)
• Weekday Automation: Several "daily-*" workflows run Monday-Friday only
• Weekly Summaries: Sunday and Monday workflows for weekly reporting

Safe Outputs Analysis

Safe outputs provide controlled, security-conscious ways for AI agents to interact with GitHub without direct repository write access.

Safe Output Types Distribution

Type	Count	Percentage	Purpose
missing_tool	49	84.5%	Report missing functionality
create_issue	18	31.0%	Create new issues
create_discussion	15	25.9%	Create discussions
create_pull_request	13	22.4%	Create PRs with code changes
add_comment	12	20.7%	Comment on issues/PRs
push_to_pull_request_branch	4	6.9%	Push commits to PR branches
upload_asset	3	5.2%	Upload workflow artifacts
add_labels	2	3.4%	Add labels to issues/PRs
notion-add-comment	2	3.4%	Custom Notion integration
post-to-slack-channel	1	1.7%	Custom Slack integration
create_pull_request_review_comment	1	1.7%	Add PR review comments
update_issue	1	1.7%	Update existing issues

Key Findings:

• Universal Error Reporting: 84.5% include missing_tool for reporting gaps in functionality
• Content Creation Focus: Issues (31%), discussions (25.9%), and PRs (22.4%) are primary outputs
• Interactive Engagement: 20.7% can comment on existing threads
• Code Modification: 22.4% can create PRs, with 6.9% able to push to existing PR branches
• Custom Integrations: Notion and Slack integrations show extensibility

Safe Output Combinations

poem-bot.lock.yml (9 types) - Most comprehensive safe outputs:

• add_comment, add_labels, create_issue, create_pull_request, create_pull_request_review_comment, update_issue, upload_asset, push_to_pull_request_branch, missing_tool

Multi-output Patterns:

• Research & Report: create_discussion + missing_tool (15 workflows)
• Fix & Track: create_issue + missing_tool (18 workflows)
• Code Change: create_pull_request + missing_tool (13 workflows)
• Interactive Response: add_comment + missing_tool (12 workflows)

Structural Characteristics

Job Complexity

Metric	Value	Workflow Example
Average Jobs per Workflow	5.3	Most workflows have 5-6 jobs
Minimum Jobs	2	dev.firewall, firewall, test-* workflows
Maximum Jobs	14	poem-bot.lock.yml
Total Jobs Across All Workflows	308	Repository-wide

Job Count Distribution:

• 2 jobs: 4 workflows (6.9%) - Simple test/firewall workflows
• 3 jobs: 3 workflows (5.2%) - Shared MCP configurations
• 5 jobs: 28 workflows (48.3%) - Standard workflow pattern
• 6-7 jobs: 14 workflows (24.1%) - Extended functionality
• 8+ jobs: 9 workflows (15.5%) - Complex multi-stage workflows

Standard Job Pattern (5 jobs):

1. activation - Validate workflow should run
2. agent - Main AI agent execution
3. detection - Detect safe output type
4. {safe_output} - Execute safe output action
5. missing_tool - Handle missing functionality

Average Lock File Structure

Based on statistical analysis, a typical .lock.yml file has:

• Size: ~193 KB
• Jobs: 5-6 jobs
• Triggers: workflow_dispatch + one other trigger (schedule/issue_comment/issues)
• Permissions: actions: read + contents: read
• Safe Outputs: 2-3 types (typically includes missing_tool)
• MCP Tools: GitHub MCP with 10-50 specific tools
• Timeout: Default GitHub Actions timeout (360 minutes)

Permission Patterns

Most Common Permissions

Permission	Count	Access Level	Primary Use
contents	44	read	Repository file access
actions	40	read	Workflow metadata access
pull-requests	9	read	PR information access
issues	4	read	Issue information access
discussions	3	read (2), write (1)	Discussion access
models	3	read	AI model access
security-events	3	read	Security alert access
attestations	2	read	Build attestation access
checks	2	read	Check run access
deployments	2	read	Deployment status access
id-token	2	write	OIDC token generation
packages	2	read	Package registry access
pages	2	read	GitHub Pages access
repository-projects	2	read	Project board access
statuses	2	read	Commit status access

Permission Distribution

• Read-only workflows: 55 of 58 (94.8%) - Strong security posture
• Minimal write permissions: Only 3 workflows have write permissions (discussions, id-token)
• No repository write access: Zero workflows have contents: write in the agent job
• Least Privilege Principle: Most workflows use only actions: read + contents: read

Security Highlights:

• Workflows use safe outputs instead of direct write permissions
• Write access is delegated to dedicated jobs with GitHub tokens
• AI agents operate in read-only mode, preventing accidental modifications
• OIDC token write permission limited to specific CI/CD workflows

MCP Server & Tool Analysis

MCP Server Usage

MCP Server	Tool Count	Percentage	Workflows Using
github	633	92.0%	53 workflows
playwright	42	6.1%	2 workflows (blog-auditor, unbloat-docs)
arxiv	3	0.4%	1 workflow (scout)
deepwiki	3	0.4%	1 workflow (scout)
context7	2	0.3%	1 workflow (scout)
ast-grep	1	0.1%	1 workflow (go-pattern-detector)
markitdown	1	0.1%	1 workflow (scout)
microsoftdocs	1	0.1%	1 workflow (scout)
tavily	1	0.1%	1 workflow (scout)
serena	1	0.1%	1 workflow (semantic-function-refactor)

Key Insights:

• GitHub MCP Dominance: 92% of all MCP tool references are GitHub-related
• Browser Automation: Playwright used for web scraping and testing (blog-auditor, unbloat-docs)
• Research Workflows: Scout workflow integrates 6 different MCP servers for comprehensive research
• Code Analysis: ast-grep and serena provide specialized code analysis capabilities

Top 20 Most Used MCP Tools

Tool	Count	Purpose
mcp__github__ (generic)	53	General GitHub integration
mcp__github__get_file_contents	18	Read repository files
mcp__github__list_commits	15	List commit history
mcp__github__search_code	14	Search code across repos
mcp__github__get_commit	13	Get specific commit details
mcp__github__get_pull_request	13	Get PR information
mcp__github__list_pull_requests	13	List PRs
mcp__github__pull_request_read	13	Read PR details
mcp__github__search_pull_requests	13	Search PRs
mcp__github__download_workflow_run_artifact	10	Download workflow artifacts
mcp__github__get_issue	11	Get issue details
mcp__github__get_workflow_run	11	Get workflow run info
mcp__github__list_workflow_runs	11	List workflow runs
mcp__github__get_code_scanning_alert	11	Get security alerts
mcp__github__list_code_scanning_alerts	11	List security alerts

Tool Usage Patterns:

• File Operations: Reading repository files is the most common operation (18 workflows)
• PR Management: PR-related tools heavily used for code review workflows
• Code Search: Search capabilities enable discovery across the codebase
• Security Integration: Code scanning tools integrated for security monitoring
• Workflow Introspection: Workflows can examine their own runs and artifacts

Workflows with Most MCP Tools

1. blog-auditor.lock.yml - 76 tools (52 GitHub + 21 Playwright)
2. scout.lock.yml - 61 tools (52 GitHub + 9 from other servers)
3. go-pattern-detector.lock.yml - 53 tools (52 GitHub + 1 ast-grep)
4. smoke-detector.lock.yml - 53 tools (52 GitHub)
5. github-mcp-tools-report.lock.yml - 53 tools (52 GitHub)

Interesting Findings

1. Consistent Workflow Architecture

The repository demonstrates remarkable consistency in workflow structure. 48.3% of workflows follow the exact same 5-job pattern (activation → agent → detection → safe_output → missing_tool), showing strong standardization.

2. Security-First Design

Zero workflows grant contents: write permission to AI agents. All repository modifications flow through safe outputs, ensuring human review via GitHub's native UI (issues, PRs, discussions).

3. High Reusability

Three shared workflows (shared/mcp/*.lock.yml, shared/opencode.lock.yml) run every 10 minutes to keep MCP servers available. These are imported by other workflows, showing modular design.

4. Smoke Test Battery

Four dedicated smoke test workflows (smoke-claude, smoke-copilot, smoke-codex, smoke-opencode) run every 6 hours (4x daily) to validate different AI engine integrations.

5. Business Intelligence Automation

Multiple "daily-*" workflows (daily-news, daily-test-improver, daily-perf-improver, daily-doc-updater, daily-firewall-report, daily-repo-chronicle) provide continuous monitoring and improvement suggestions on weekdays.

6. Interactive AI Agents

Comment-based triggers enable conversational workflows where users can invoke AI assistance by commenting on issues/PRs (e.g., /poem-bot, /mergefest, /scout).

7. Comprehensive Self-Documentation

The lockfile-stats workflow (this analysis!) demonstrates meta-analysis capability - workflows analyzing workflows.

8. Browser Automation Integration

Two workflows integrate Playwright for web interactions, showing capability to automate beyond GitHub API (blog-auditor checks external blogs, unbloat-docs processes documentation sites).

9. Multi-Engine Support

Workflows support multiple AI engines (Claude, Copilot, Codex, OpenCode) with dedicated smoke tests for each, showing platform flexibility.

10. Custom Integrations

Custom safe outputs (notion-add-comment, post-to-slack-channel) demonstrate extensibility beyond GitHub's native actions.

File Size vs Complexity Correlation

Size Category	Avg Jobs	Avg MCP Tools	Characteristics
< 100 KB	2.6	1.4	Test/shared workflows
100-200 KB	4.8	12.3	Standard workflows
200-250 KB	5.6	28.7	Full-featured workflows
250-300 KB	7.7	18.5	Complex multi-stage
> 300 KB	11.0	26.5	Comprehensive workflows

Correlation Insights:

• File size strongly correlates with job count (R² ≈ 0.82)
• Larger workflows tend to have more safe output types
• MCP tool count varies more by purpose than by size
• Workflows > 250 KB typically have 7+ jobs with complex orchestration

Recommendations

1. Standardization Success

The 5-job pattern is highly effective. Continue using this as the template for new workflows. Consider creating a workflow generator to enforce this pattern.

2. MCP Tool Optimization

Many workflows include all 52 GitHub MCP tools but use only 5-10. Consider:

• Creating tool subsets (e.g., "github-read-only", "github-issues-only")
• Lazy-loadin
  [Content truncated due to length]

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 month ago.