📊 Agentic Workflow Lock File Statistics - 2026-03-27

[github-actions[bot]]

Executive Summary

This report covers 178 agentic workflow lock files totaling 11.3 MB across the .github/workflows/ directory. All files show a remarkably consistent structure, with 94.4% falling in the 50–100 KB range. The dominant pattern is scheduled+manual workflows using Claude/dynamic engines, with create_discussion as the near-universal safe output.

Metric	Value
Total Lock Files	178
Total Size	11.3 MB
Average File Size	65.2 KB
Analysis Date	2026-03-27
Average Steps per Workflow	86.1
Average Timeout	19.8 min

---

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0.0%
10–50 KB	7	3.9%
50–100 KB	168	94.4%
> 100 KB	3	1.7%

• Smallest: codex-github-remote-mcp-test.lock.yml (25.9 KB)
• Largest: smoke-claude.lock.yml (137.9 KB)

The 50–100 KB concentration (94.4%) shows extraordinary structural uniformity — lock files are generated by a consistent harness with predictable boilerplate overhead.

---

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	% of Workflows	Notes
workflow_dispatch	164	92.1%	Near-universal manual trigger
schedule	130	73.0%	Cron-based automation
pull_request	28	15.7%	Code review automation
issue_comment	15	8.4%	Comment-driven actions
issues	11	6.2%	Issue lifecycle hooks
pull_request_review_comment	6	3.4%	PR review automation
discussion	4	2.2%	Discussion events
discussion_comment	4	2.2%	Discussion replies
workflow_call	2	1.1%	Reusable workflow
workflow_run	1	0.6%	Post-workflow chaining
push	1	0.6%	Direct push trigger

Common Trigger Combinations

Combination	Count	%
schedule + workflow_dispatch	117	65.7%
workflow_dispatch only	17	9.6%
pull_request + workflow_dispatch	12	6.7%
pull_request + schedule + workflow_dispatch	9	5.1%
issue_comment only	3	1.7%
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment	2	1.1%
issue_comment + issues + pull_request	2	1.1%
issue_comment + pull_request_review_comment	2	1.1%
workflow_call + workflow_dispatch	2	1.1%

Schedule (Cron) Patterns

Schedule	Count	Description
0 13 * * 1-5	4	Weekday 1pm UTC
0 14 * * 1-5	4	Weekday 2pm UTC
0 11 * * 1-5	4	Weekday 11am UTC
0 9 * * 1-5	3	Weekday 9am UTC
52 11 * * *	2	Daily 11:52am UTC
37 2 * * *	2	Daily 2:37am UTC
27 10 * * *	2	Daily 10:27am UTC
7 4 * * *	2	Daily 4:07am UTC
0 15 * * 1-5	2	Weekday 3pm UTC
0 16 * * 1-5	2	Weekday 4pm UTC
0 10 * * 1-5	2	Weekday 10am UTC
0 */6 * * *	2	Every 6 hours

Pattern insight: Weekday-only business-hours schedules dominate (16 of top 12 entries), reflecting human-aligned workflow cadences.

---

Safe Outputs Analysis

Safe Output Types Distribution

Type	Count	% of Workflows
create_discussion	172	96.6%
noop	172	96.6%
missing_data	172	96.6%
missing_tool	172	96.6%
create_issue	54	30.3%
add_comment	52	29.2%
create_pull_request	45	25.3%
add_labels	16	9.0%
push_to_pull_request_branch	7	3.9%
create_pull_request_review_comment	7	3.9%
update_issue	6	3.4%
close_discussion	6	3.4%
submit_pull_request_review	6	3.4%
remove_labels	4	2.2%
close_pull_request	3	1.7%
link_sub_issue	3	1.7%
dispatch_workflow	3	1.7%

Rare Safe Output Types

Type	Count
hide_comment	2
update_pull_request	2
create_code_scanning_alert	2
create_agent_session	2
close_issue	2
create_project_status_update	2
update_project	2
assign_to_user	1
update_release	1
add_reviewer	1
resolve_pull_request_review_thread	1
unassign_from_user	1

Discussion Categories Used

Category	Count	% of create_discussion users
audits	45	26.2%
announcements	4	2.3%
reports	3	1.7%
artifacts	2	1.2%
dev	2	1.2%
research	2	1.2%
agent-research	1	0.6%
daily-news	1	0.6%
security	1	0.6%

Note: The majority of create_discussion-capable workflows (117 of 172) don't hardcode a category in their lock file config — category is likely resolved dynamically at runtime.

---

Structural Characteristics

Job Complexity

Metric	Value
Average Steps per Workflow	86.1
Maximum Steps	123 (technical-doc-writer.lock.yml)
Avg Timeout	19.8 min
Workflows with Concurrency	178 (100%)
Workflows with Write Permissions	171 (96.1%)
Read-only Workflows	7 (3.9%)

Average Lock File Profile

A typical .lock.yml file has:

• Size: ~65 KB
• Steps: ~86 (heavily boilerplate-driven by harness)
• Permissions: contents: write, issues: write, discussions: write
• Triggers: schedule + workflow_dispatch
• Timeout: ~20 minutes
• Concurrency: configured (cancel-in-progress pattern)

---

Permission Patterns

Most Commonly Requested Permissions

Permission	Occurrences	Type
contents	1,073	read+write
issues	520	read+write
requests	398	—
discussions	275	read+write
actions	81	read
events	14	—
packages	2	read
checks	1	write
statuses	1	—
attestations	1	—

Permission Distribution

Category	Count	%
Has write permissions	171	96.1%
Read-only	7	3.9%

---

Engine & MCP Server Patterns

Engine Distribution

Engine	Count	%
Dynamic (runtime-resolved)	117	65.7%
Claude (Anthropic)	40	22.5%
Codex (OpenAI)	20	11.2%
Gemini (Google)	1	0.6%

65.7% of workflows use dynamic engine selection, meaning the AI provider is determined at runtime rather than hardcoded in the lock file.

MCP Server Usage

MCP Server	Count	Notes
github	193	Read-only GitHub access
safeoutputs	190	Safe output tooling
playwright	48	Browser automation
serena	25	Code intelligence
tavily	5	Web search
agenticworkflows	2	Workflow meta-operations
mcpscripts	1	Custom scripts
qmd	1	Quarto/markdown

github and safeoutputs are quasi-universal (>95% of workflows), confirming them as the core MCP stack. playwright appears in 27% of workflows, indicating substantial browser-automation use.

---

Historical Trends

Date	Files	Avg Size
2026-03-17	174	62.1 KB
2026-03-18	175	62.3 KB
2026-03-19	175	64.2 KB
2026-03-21	176	62.5 KB
2026-03-22	177	62.5 KB
2026-03-23	177	62.6 KB
2026-03-25	177	64.5 KB
2026-03-26	178	64.9 KB
2026-03-27	178	65.2 KB

Observations:

• +4 net new workflows added since 2026-03-17 (+2.3%)
• Average file size grew +3.1 KB (+5.0%) over the same period — likely reflecting richer harness boilerplate or more allowed tool configs
• Growth rate has stabilized: 1 new file in last 2 days, same as week prior

---

Interesting Findings

1. Structural uniformity is extreme: 94.4% of lock files fall in the 50–100 KB range, a ±30 KB window on a 65 KB average — indicating the harness generator is highly consistent with predictable boilerplate overhead.

2. schedule + workflow_dispatch is the canonical pattern: 65.7% of workflows use this exact combination, reflecting a design philosophy of "automated but always manually triggerable."

3. Weekday business-hour bias in schedules: The most common cron patterns cluster around UTC business hours (09:00–16:00) on weekdays, suggesting these workflows are designed to integrate with human review cycles rather than run unattended around the clock.

4. create_discussion + guardrail triad is near-universal: 96.6% of workflows declare create_discussion, noop, missing_data, and missing_tool together — this 4-output set appears to be a required harness pattern for all reporting-oriented agents.

5. Dynamic engine dominance: 65.7% of workflows don't hardcode an AI provider in their lock file, enabling runtime engine selection. Only 34.3% are pinned (Claude: 22.5%, Codex: 11.2%, Gemini: 0.6%).

6. Playwright is a major capability: 27% of workflows include the Playwright MCP server, a surprisingly high proportion indicating that browser-based interactions (testing, scraping, UI automation) are a first-class use case in this harness.

---

Recommendations

1. Audit the 7 read-only workflows to confirm they don't need write access — or conversely, that they are intentionally hardened for lower-risk tasks.

2. Investigate size outliers: smoke-claude.lock.yml at 137.9 KB is 2.1× the average. These smoke-test workflows likely carry extra model configuration; confirming this is expected rather than accidental bloat is worthwhile.

3. Standardize schedule diversity: Many workflows share identical cron times (e.g., 4 workflows all run at 0 13 * * 1-5). Spreading schedules more evenly would reduce concurrent load spikes.

4. Codex engine growth: Codex (OpenAI) workflows grew by 1 since 2026-03-26 (19→20). Tracking multi-engine diversity over time will help surface any unwanted engine lock-in.

5. Document the noop/missing_data/missing_tool requirement: The near-perfect 96.6% adoption of this safety triad suggests it's a harness requirement; making it formally documented would help new workflow authors.

---

Methodology

• Lock Files Analyzed: 178 (.github/workflows/*.lock.yml)
• Analysis Tools: Python 3 with regex-based YAML parsing
• Cache Memory: Scripts persisted to /tmp/gh-aw/cache-memory/scripts/full_analysis.py; historical data in /tmp/gh-aw/cache-memory/history/
• Historical Coverage: 32 daily snapshots (2026-02-21 through 2026-03-27)

References: §23624082605

AI generated by Lockfile Statistics Analysis Agent · history

• expires on Mar 28, 2026, 12:05 AM UTC

[github-actions[bot]]

💥 WHOOSH!

The smoke test agent materializes from the CI void...

⚡ KA-POW! Claude Engine NOMINAL! Run §23625669367 has swept through this dimension and verified all systems!

🦸 BLAMMO! GitHub MCP ✅ · Serena ✅ · Playwright ✅ · Tavily ✅ · Build ✅

The agent vanishes in a cloud of webhook events...

— Claude Smoke Test Agent, 2026-03-27

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• feat(safe-outputs): add patch-format: bundle transport for code-push flows #23190 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• fix: skip detection job at job-level when agent produces no outputs or patch #23185 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions[bot]]

🤖 Smoke test agent was here!

Testing, testing... is this thing on? 🎤

Beep boop — Copilot engine validation run §23625825367 just dropped by to say hello! 👋

(This is an automated smoke test — carry on, nothing to see here... except maybe some robot footprints 🦿)

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

🎉 Smoke test agent returns for an encore!

The Copilot engine just completed run §23625825367 and wanted to share some robot wisdom:

"When your tests are green, the world is clean. When they turn red, check what you said." — Ancient Robot Proverb 🤖

11 out of 12 checks passed! Even robots have off days (Serena was apparently busy 🤷).

Current mood: 🟢🟢🟢🟢🟢🟢🟢🟢🟢🟢🟢🔴

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Lockfile Statistics Analysis Agent.

A newer discussion is available at Discussion #23288.