[lockfile-stats] Agentic Workflow Lock File Statistics - 2026-04-16

[github-actions[bot]]

Overview

This report analyzes 191 .lock.yml files across .github/workflows/, covering triggers, safe outputs, agent distribution, MCP usage, permissions, and structural metrics. A notable new finding today: upload_asset safe-output capability appeared for the first time (21 workflows), reflecting rapid ecosystem evolution. Lock file sizes continue to grow (+15.9% avg since March 30), reflecting expanding workflow complexity.

• Total Lock Files: 191
• Total Size: 14.3 MB (15,005,796 bytes)
• Average File Size: 76.7 KB
• Analysis Date: 2026-04-16
• Run: §24484767664

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	6	3.1%
50–100 KB	178	93.2%
> 100 KB	7	3.7%

Statistics:

• Smallest: codex-github-remote-mcp-test.lock.yml (31.0 KB)
• Largest: smoke-claude.lock.yml (159.4 KB)
• All files exceed 10 KB — lock files are uniformly substantial documents

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows	Notes
workflow_dispatch	176	92.1%	Manual trigger dominates
schedule	130	68.1%	Most pair with dispatch
pull_request	31	16.2%	Code review automation
issue_comment	15	7.9%	Reactive comment bots
issues	12	6.3%	Issue lifecycle triggers
pull_request_review_comment	6	3.1%	Review thread agents
discussion	4	2.1%	Discussion monitors
discussion_comment	4	2.1%	Discussion reply agents
workflow_call	2	1.0%	Composable sub-workflows
workflow_run	1	0.5%	Post-run analysis
push	1	0.5%	Direct push trigger

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	125	65.4%
pull_request + workflow_dispatch	21	11.0%
workflow_dispatch only	19	9.9%
issue_comment only	3	1.6%
issue_comment + issues + pull_request	2	1.0%
Full event set (discussion, comment, issue, PR, review)	2	1.0%
issues only	2	1.0%
issue_comment + pull_request_review_comment	2	1.0%
workflow_call + workflow_dispatch	2	1.0%

Schedule Pattern Details (30 unique cron schedules)

Schedule	Count	Pattern Type
37 2 * * *	2	Daily ~2am
48 12 * * *	2	Daily ~12pm
23 3 * * *	2	Daily ~3am
7 4 * * *	2	Daily ~4am
6 11 * * 1-5	2	Weekdays ~11am
27 10 * * *	2	Daily ~10am
6 10 * * *	2	Daily ~10am
52 11 * * *	2	Daily ~11am
19 10 * * *	2	Daily ~10am
37 3 * * *	2	Daily ~3am
27 */6 * * *	1	Every 6 hours
25 */6 * * *	1	Every 6 hours
49 */4 * * *	1	Every 4 hours
7 8 * * 1	1	Weekly Monday
33 5 * * 0	1	Weekly Sunday
26 11 * * 3	1	Weekly Wednesday
5 14 * * 1-5	1	Weekdays ~2pm
49 14 * * 1-5	1	Weekdays ~2pm
7 13 * * 1-5	1	Weekdays ~1pm
5 13 * * 1-5	1	Weekdays ~1pm
5 15 * * 1-5	1	Weekdays ~3pm
6 10 * * 1-5	1	Weekdays ~10am
(10 more daily/off-peak)	1 each	Daily at staggered times

Schedule frequency distribution: 118 daily, 8 weekday-only, 2 every-6h, 1 every-4h, 3 weekly

---

Safe Outputs Analysis

Safe Output Types Distribution

Baseline tools (missing_tool, missing_data, noop) are present in 185/191 workflows (96.9%).

Safe Output (consolidated)	Total Workflows	Notes
create_discussion (all variants)	64	33.5% of all workflows
create_issue (all variants)	~60	Issue creation w/ rate limits
create_pull_request (all variants)	41	Code automation
add_comment (all variants)	~46	Highest variant diversity
upload_asset (all variants)	21	NEW today — not in Apr 15
add_labels (all variants)	~16	Label management
push_to_pull_request_branch	8	Branch pushes
submit_pull_request_review	7	Formal PR reviews
create_pull_request_review_comment (all)	7	Inline review comments
create_code_scanning_alert	3	Security tooling
dispatch_workflow	3	Workflow chaining
remove_labels	4	Label cleanup
update_issue (all variants)	5	Issue state management
External integrations (send_slack_message, notion_add_comment, etc.)	~6	Third-party integrations

Safe Output Combos (Top 15)

Combination	Count
create_discussion only	30
create_issue only	26
create_pull_request only	24
create_discussion + upload_asset(max:5)	14 (new!)
add_comment(max:2) only	6
add_comment only	5
create_discussion + upload_asset(max:3)	4 (new!)
add_comment + create_pull_request	3
create_issue + create_pull_request	2
create_code_scanning_alert only	2
create_issue(max:10) only	2
create_discussion + create_pull_request	2
add_comment + add_labels	2
add_comment(max:10) + create_discussion(max:2) + create_issue(max:5)	1
create_discussion + create_issue	1

Discussion Categories

Category	Count	% of Discussion Workflows
audits	46	62.2%
announcements	5	6.8%
(dynamic category object)	5	6.8%
reports	3	4.1%
artifacts	2	2.7%
dev	2	2.7%
research	2	2.7%
agent-research	1	1.4%
daily-news	1	1.4%

---

Structural Characteristics

Job Complexity

Metric	Value
Average jobs per workflow	7.4
Average steps per job	92.7
Maximum steps in single job	127 (copilot-token-audit.lock.yml)
Minimum steps	39 (codex-github-remote-mcp-test.lock.yml)
Total steps across all workflows	17,707
Average timeout	19.1 minutes

Timeout Distribution

Timeout (min)	Count	Usage
20	212	Most common (standard timeout)
15	212	Tied — short jobs
10	54	Quick tasks
30	46	Extended jobs
45	17	Complex workflows
5	13	Smoke tests
60	4	Long-running analysis
25	2	Moderate
180	1	Exceptional (3h)
90	1	Very long (1.5h)

Typical Lock File Profile

A typical .lock.yml in this repository has:

• Size: ~76.7 KB
• Jobs: ~7.4 jobs
• Steps per job: ~92.7 steps
• Triggers: schedule + workflow_dispatch
• Timeout: 15–20 minutes
• Engine: copilot (66%) or claude (28%)
• Safe output: create_discussion (single output most common)

---

Agent Engine Distribution

Engine	Count	%	Trend (since Mar 30)
copilot	126	66.0%	+8 (+6.8%)
claude	53	27.7%	+13 (+32.5%) ↑
codex	11	5.8%	-8 (-42.1%) ↓
gemini	1	0.5%	stable

---

Permission Patterns

Most Common Permissions

Permission	Read	Write
contents	996	142
issues	166	387
discussions	38	250
pull-requests	172	207
actions	271	6
copilot-requests	—	101
security-events	11	9

Observations:

• issues:write (387) exceeds issues:read (166) — agents write more issues than they just read
• discussions:write (250) is high relative to discussions:read (38) — primarily write-only discussion publishing
• actions:read (271) is common for introspection without modification
• copilot-requests:write (101) used exclusively by copilot-engine workflows

---

MCP Server Usage

MCP Server	Workflows	%
github-mcp-server	185	96.9%
gh-aw	30	15.7%
serena-mcp-server	25	13.1%
mcp (generic)	11	5.8%
markitdown	3	1.6%
brave-search	2	1.0%
ast-grep	2	1.0%
arxiv-mcp-server	2	1.0%
notion	2	1.0%
semgrep	1	0.5%
context7	1	0.5%
python	1	0.5%
memory	1	0.5%
node	1	0.5%

github-mcp-server is near-universal. gh-aw (repo-specific tooling) and serena-mcp-server are the leading specialty servers.

---

Historical Trends

Full trend data (2026-03-30 to 2026-04-16)

Date	Files	Avg KB	Copilot	Claude	Codex	Gemini	Scheduled
2026-03-30	178	66.2	118	40	19	1	130
2026-04-02	179	66.5	119	41	18	1	131
2026-04-04	184	65.7	124	41	18	1	134
2026-04-06	181	68.1	120	43	17	1	133
2026-04-07	182	70.0	120	50	11	1	134
2026-04-09	187	70.5	123	52	11	1	136
2026-04-12	187	74.0	123	52	11	1	136
2026-04-13	187	75.6	123	52	11	1	136
2026-04-15	191	75.4	126	53	11	1	130
2026-04-16	191	76.7	126	53	11	1	130

Key trends (Mar 30 → Apr 16):

• +7.3% file growth (178 → 191, +13 workflows in 17 days)
• +15.9% avg size growth (66.2 KB → 76.7 KB) — lock files are getting larger as workflows become more complex
• Claude +32.5% (40 → 53) — fastest-growing engine
• Codex -42.1% (19 → 11) — significant migration away from codex
• Schedule triggers stable at ~130 despite file count growth — new workflows prefer dispatch-only

---

Interesting Findings

1. upload_asset is brand new: 21 workflows gained upload_asset safe-output capability today (not present in April 15 data). The dominant combo is create_discussion + upload_asset(max:5) (14 workflows), suggesting a new pattern for attaching artifacts to discussion posts.

2. Copilot dominates but Claude is growing fastest: Copilot holds 66% share but grew only +6.8% since March 30. Claude grew +32.5% in the same period, while Codex lost -42.1% of its workflows — suggesting active migration from codex to Claude.

3. The "schedule + dispatch" pair is the dominant architecture: 65.4% of all workflows use exactly this combination. Pure dispatch-only (9.9%) is the second pattern, reflecting workflows that only run on demand.

4. Average file complexity is accelerating: avg steps jumped from 89.7 (Apr 15) to 92.7 (Apr 16), and avg size from 75.4 KB to 76.7 KB in a single day — likely due to upload_asset configuration being added to existing large workflows.

5. audits is the dominant discussion category: 62.2% of all create_discussion workflows target audits, making it the primary output channel for agentic reporting. The next categories (announcements, reports) are far behind at ~6% each.

6. Issues:write (387) vastly exceeds issues:read (166): Most workflows grant issue-write permissions but don't explicitly request read permissions, relying on implicit access. This reflects the pattern where agents create/update issues as their primary output without needing to search issue history.

7. github-mcp-server is near-universal (96.9%): Only 6 of 191 workflows don't use it. serena-mcp-server (25 workflows, 13.1%) is emerging as a popular supplement for semantic code analysis.

---

Recommendations

1. Adopt upload_asset broadly: The new upload_asset capability in 21 workflows suggests it's production-ready. Workflows that currently output large JSON/CSV data as embedded discussion content would benefit from switching to attachments for better readability.

2. Audit the 6 workflows without baseline safe-outputs: These 6 workflows lack missing_tool, missing_data, and noop — they risk failing silently. A compliance check should be run to identify and fix them.

3. Consider migrating remaining Codex workflows: With Codex down to 11 workflows (-42% since March 30) and Claude growing, the remaining Codex workflows may benefit from migration review, especially since codex-github-remote-mcp-test.lock.yml is already the smallest file (31 KB) suggesting minimal configuration.

4. Monitor size growth trajectory: At the current rate (+15.9% in 17 days), average file size could reach ~85–90 KB by end of April. Lock file parsers and cache systems should be validated for files approaching 200+ KB.

5. Formalize the audits category: 62.2% of reporting goes to audits, but 5 workflows use dynamic category objects rather than string literals. Standardizing to string literals would improve consistency and tooling compatibility.

---

Methodology

• Analysis Tool: Python 3 with regex-based YAML parsing (analyze_lockfiles.py)
• Lock Files Analyzed: 191
• Cache Memory: Scripts and history persisted at /tmp/gh-aw/cache-memory/
• Historical Data: 17 days of daily snapshots (2026-03-30 to 2026-04-16)
• Data Sources: .github/workflows/*.lock.yml

References:

• §24484767664

Generated by Lockfile Statistics Analysis Agent · ● 122.7K · ◷

• expires on Apr 17, 2026, 12:10 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-17T00:10:16.013Z.

Closed by Workflow