Agentic Workflow Lock File Statistics — 2026-03-02

[github-actions[bot]]

Statistical analysis of all 165 .lock.yml workflow files in .github/workflows/, comparing with yesterday's baseline of 162 files.

Executive Summary

Metric	Value
Total Lock Files	165 (+3 since 2026-03-01)
Total Size	10.28 MB (+0.23 MB)
Average File Size	63.8 KB
All Workflows Have Concurrency	✅ 165/165
Unique Safe Output Types	29
Analysis Date	2026-03-02

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10–50 KB	9	5.5%
50–100 KB	152	92.1%
> 100 KB	4	2.4%

Size Extremes:

• Smallest: codex-github-remote-mcp-test.lock.yml (23.2 KB)
• Largest: smoke-claude.lock.yml (143.5 KB)

The 50–100 KB band dominates at 92%, reflecting strong structural consistency across all workflows. The four outliers over 100 KB are smoke tests and feature-rich workflows with many steps.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows	Δ vs Yesterday
workflow_dispatch	150	90.9%	+3
schedule	123	74.5%	+3
pull_request	21	12.7%	+2
issue_comment	14	8.5%	0
issues	12	7.3%	0
pull_request_review_comment	6	3.6%	0
discussion_comment	5	3.0%	0
discussion	4	2.4%	0
workflow_run	2	1.2%	0
workflow_call	1	0.6%	0
push	1	0.6%	0

Common Trigger Combinations

Combination	Count
schedule + workflow_dispatch	111 (67%)
workflow_dispatch only	17 (10%)
pull_request + schedule + workflow_dispatch	9 (5.5%)
pull_request + workflow_dispatch	6 (3.6%)
Full event suite (issues + PR + discussions + comments)	3 (1.8%)

Schedule Cron Patterns

Cron Expression	Count	Description
0 14 * * 1-5	4	Weekdays at 14:00 UTC
0 13 * * 1-5	4	Weekdays at 13:00 UTC
0 11 * * 1-5	4	Weekdays at 11:00 UTC
0 9 * * 1-5	3	Weekdays at 09:00 UTC
0 */6 * * *	2	Every 6 hours
0 15 * * 1-5	2	Weekdays at 15:00 UTC
0 10 * * 1-5	2	Weekdays at 10:00 UTC
0 16 * * 1-5	2	Weekdays at 16:00 UTC
12 9 * * *	2	Daily at 09:12 UTC

Most schedules target business hours on weekdays, suggesting these are operational workflows rather than pure CI.

---

Engine Distribution

Engine	Count	% of Workflows	Δ vs Yesterday
Copilot	113	68.5%	+4
Claude	40	24.2%	0
Codex	11	6.7%	-1
Gemini	1	0.6%	0

Copilot maintains a strong majority. Claude remains the second-largest engine at roughly 1-in-4 workflows. Codex dropped by 1 workflow.

---

Safe Outputs Analysis

All 165 workflows configure missing_data and missing_tool handlers — 100% compliance with the safe-output obligation pattern.

Safe Output Types (primary, excluding missing_data/missing_tool)

Type	Workflows	%
create_discussion	60	36.4%
create_issue	52	31.5%
add_comment	39	23.6%
create_pull_request	34	20.6%
add_labels	15	9.1%
push_to_pull_request_branch	7	4.2%
create_pull_request_review_comment	7	4.2%
update_issue	6	3.6%
close_discussion	6	3.6%
submit_pull_request_review	6	3.6%
remove_labels	4	2.4%
create_project_status_update	3	1.8%
dispatch_workflow	3	1.8%
close_pull_request	3	1.8%
link_sub_issue	3	1.8%
update_project	3	1.8%
hide_comment	2	1.2%
create_agent_session	2	1.2%
create_code_scanning_alert	2	1.2%
update_pull_request	2	1.2%
close_issue	2	1.2%
assign_to_user	1	0.6%
set_issue_type	1	0.6%
add_reviewer	1	0.6%
update_release	1	0.6%
resolve_pull_request_review_thread	1	0.6%
unassign_from_user	1	0.6%

Total unique safe output types in use: 29 (including missing_data, missing_tool)

Discussion Output Settings

Setting	Count
fallback_to_issue: true	60 (all discussion workflows)
close_older_discussions: true	53
expires: 24h	43
expires: 72h	9
expires: 168h (7d)	5
expires: 2h	2

Discussion Categories

Category	Count
audits	43
announcements	3
reports	3
artifacts	2
dev	2
research	2
agent-research	1
daily-news	1
security	1

73% of discussion-posting workflows target the audits category.

Top Safe Output Combinations

Combination	Count
create_discussion only	42
create_issue only	23
create_pull_request only	19
add_comment only	8
add_comment + create_pull_request	6
close_discussion + create_discussion	5
add_comment + add_labels + create_issue	3
create_discussion + create_issue	3
None (only missing_data/tool)	2
create_issue + create_pull_request	2

The most notable outlier is poem-bot.lock.yml — the most capable workflow with 11 distinct safe output types: add_comment, add_labels, close_pull_request, create_agent_session, create_discussion, create_issue, create_pull_request, create_pull_request_review_comment, link_sub_issue, push_to_pull_request_branch, and update_issue.

---

Structural Characteristics

Workflow Complexity

Metric	Value
Average Jobs per Workflow	5.07
Average Total Steps per Workflow	73.2
Median Steps per Workflow	72
Max Steps (single workflow)	105 (daily-copilot-token-report.lock.yml)
Min Steps	35
Average Max Steps in Single Job	40.8
Max Steps in Single Job	60 (daily-copilot-token-report.lock.yml)

Step Distribution

Steps per Workflow	Count
< 40	5 (3%)
40–60	6 (4%)
60–80	111 (67%)
80–100	41 (25%)
> 100	2 (1%)

67% of workflows fall into the 60–80 total-steps band, again reflecting a highly consistent structural template.

Job Distribution

Jobs per Workflow	Count
2	5
3	1
4	41
5	66
6	36
7	15
8	1

5 jobs per workflow is the mode (40%), followed by 4 (25%) and 6 (22%).

Standard Job Names

Every workflow includes both an activation and agent job (165/165). Standard jobs observed:

Job Name	Count	Purpose
activation	165	Pre-run setup/authorization
agent	165	Core AI agent execution
conclusion	158	Post-run state update
safe_outputs	158	GitHub action publishing
update_cache_memory	72	Persistent memory update
pre_activation	57	Pre-checks before activation
upload_assets	23	Artifact publishing
push_repo_memory	22	Repo-based memory commit

Top 10 Largest & Most Complex Workflows

By File Size:

Workflow	Size	Engine	Total Steps
smoke-claude.lock.yml	143.5 KB	claude	93
smoke-copilot.lock.yml	114.2 KB	copilot	94
smoke-copilot-arm.lock.yml	113.2 KB	copilot	94
poem-bot.lock.yml	102.4 KB	copilot	79
smoke-project.lock.yml	90.1 KB	copilot	67
daily-performance-summary.lock.yml	87.4 KB	copilot	90
cloclo.lock.yml	86.0 KB	claude	82
smoke-codex.lock.yml	85.3 KB	codex	87
bot-detection.lock.yml	85.2 KB	copilot	62
mcp-inspector.lock.yml	85.1 KB	copilot	88

By Total Steps:

Workflow	Steps	Engine
daily-copilot-token-report.lock.yml	105	copilot
daily-news.lock.yml	103	copilot
audit-workflows.lock.yml	98	claude
copilot-pr-nlp-analysis.lock.yml	97	copilot
deep-report.lock.yml	97	copilot

---

Permission Patterns

Permission Distribution

Permission	Count
contents:read	661
issues:write	348
discussions:write	242
pull-requests:write	192
contents:write	164
issues:read	149
pull-requests:read	147
actions:read	73
copilot-requests:write	41
discussions:read	34
security-events:read	10
actions:write	6
security-events:write	4

contents:read is the most commonly granted permission (661 grants across all jobs). Write permissions are widely used — issues:write appears in 348 job-permission blocks.

Write Permission Scope

Write Permission	Job Count
issues	348
discussions	242
pull-requests	192
contents	164
copilot-requests	41
actions	6
security-events	4

---

Timeout & Concurrency

Timeout Distribution

Timeout	Workflows
5 min	2
10 min	23
15 min	158 (95.8%)

An overwhelming 95.8% of workflows use a 15-minute timeout. This is clearly the standard configuration enforced by the workflow template.

Concurrency

• 100% of workflows (165/165) define a concurrency group
• 16 workflows use cancel-in-progress: true
• 3 workflows use cancel-in-progress: false (explicit opt-out)
• Primary group pattern: gh-aw-(workflow-id) (78% of workflows)
• Variant: gh-aw-(workflow-id)-(run-id) (19%)

---

Interesting Findings

1. 100% Concurrency Coverage — Every single workflow defines a concurrency group, ensuring no duplicate runs. This is a strong infrastructure discipline signal.

2. 29 Distinct Safe Output Types — The safe-outputs system has grown to support 29 different action types. poem-bot.lock.yml holds the record with 11 types configured simultaneously, suggesting it functions as a comprehensive workflow orchestrator.

3. 72 Workflows Use Cache Memory — Nearly half (43.6%) of all workflows include an update_cache_memory job, enabling persistent state across runs. An additional 22 use push_repo_memory for repository-level persistence.

4. Exotic Output Types Emerging — Novel safe output types like create_agent_session (2), dispatch_workflow (3), create_code_scanning_alert (2), and set_issue_type (1) suggest active expansion of the agentic action surface.

5. Strong Template Discipline — The 60–80 step band for 67% of workflows, 15-minute timeout for 96%, and the universal activation/agent/conclusion/safe_outputs job structure indicate a well-enforced shared template generates most lockfiles.

6. Scheduling Clusters Around Business Hours — The majority of scheduled workflows fire between 09:00–16:00 UTC on weekdays, aligning with typical work hours for human oversight and review of agent outputs.

7. Claude Smoke Test Size Anomaly — smoke-claude.lock.yml at 143.5 KB is 27% larger than the next largest file, suggesting Claude-engine workflows require significantly more configuration or produce richer lock data.

---

Historical Trends

Comparison with 2026-03-01 baseline:

Metric	2026-03-01	2026-03-02	Change
Total files	162	165	+3
Total size	10.05 MB	10.28 MB	+0.23 MB
Avg size	63 KB	64 KB	+1 KB
Avg steps/workflow	72.6	73.2	+0.6
Max steps	101	105	+4
Copilot workflows	109	113	+4
Claude workflows	40	40	0
Codex workflows	12	11	-1

Growth is steady at ~3 new workflows/day. All 3 new workflows are Copilot-engine (+4 copilot, accounting for -1 codex net to +3 total files). The average workflow complexity is slightly increasing (+0.6 steps).

---

Recommendations

1. Standardize the expires field — Only 59 of 60 discussion workflows set an expiry. The single missing expiry could lead to stale discussions accumulating. A template-level default of 24h would close this gap.

2. Investigate the 2 workflows with no primary safe output — Two workflows configure only missing_data/missing_tool with no primary action type. These may be utility/orchestration workflows, but should be audited to ensure they have appropriate output paths.

3. Review the 5 min-timeout workflows — The 2 workflows with 5-minute timeouts (`vs. the 15-min standard) may be at risk of premature cancellation as workloads grow.

4. Monitor smoke test file sizes — The smoke-claude.lock.yml file at 143.5 KB is a significant outlier. If it continues growing, it may indicate scope creep in the smoke test definition.

5. Consider cache memory adoption — 57 workflows use pre_activation but only 72 use update_cache_memory. Workflows with pre_activation that don't persist cache state may be doing redundant setup work on each run.

---

Methodology

• Lock Files Analyzed: 165 (all .lock.yml in .github/workflows/)
• Parsing: PyYAML for YAML structure, regex for config strings
• Engine Detection: GH_AW_INFO_ENGINE_ID environment variable
• Safe Output Detection: GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG JSON extraction
• Historical Data: Cache at /tmp/gh-aw/cache-memory/history/
• Script Cache: /tmp/gh-aw/cache-memory/scripts/analyze_lockfiles.sh

References:

• §22585850530

AI generated by Lockfile Statistics Analysis Agent

• expires on Mar 3, 2026, 4:50 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-03T16:50:45.133Z.

Closed by Workflow