📊 Lock File Statistics Analysis - November 2025

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - 2025-11-13

This report provides comprehensive statistical analysis of all agentic workflow lock files in the gh-aw repository.

Executive Summary

82 lock files analyzed representing 17.2 MB of workflow definitions. The average workflow contains 6.7 jobs with 59 steps total, structured to provide safe, controlled agent execution with read-only permissions as the default pattern.

Overview

Full Report Details

File Size Distribution

Size Range	Count	Percentage
< 100 KB	12	14.6%
100-200 KB	6	7.3%
200-300 KB	60	73.2%
> 300 KB	4	4.9%

Statistics:

• Total Files: 82
• Total Size: 17.2 MB
• Average Size: 215.3 KB
• Smallest: opencode.lock.yml (22.8 KB)
• Largest: poem-bot.lock.yml (393.1 KB)

Trigger Analysis

Most Popular Triggers

Trigger Type	Count	Percentage
schedule	3	3.7%
issues	3	3.7%
issue_comment	3	3.7%
pull_request	3	3.7%
push	3	3.7%
workflow_dispatch	3	3.7%

Trigger Patterns

The vast majority of lock files (79 files, 96.3%) don't explicitly define triggers in the analyzed sections, suggesting they use:

• Workflow dispatch (manual triggering)
• Called/reusable workflows
• Internal workflow orchestration

The 3 files that do define triggers are shared workflow components in .github/workflows/shared/, which support multiple trigger types for flexibility.

Safe Outputs Analysis

Safe outputs are the controlled mechanisms for agent workflows to interact with GitHub resources.

Safe Output Types Distribution

Type	Count	Percentage
create-discussion	30	36.6%
create-pull-request	21	25.6%
create-issue	20	24.4%
add-comment	19	23.2%
create-pull-request-review-comment	4	4.9%
update-issue	2	2.4%

Safe Output Insights

• Most Popular: create-discussion (30 workflows, 36.6%) - used for reporting and insights
• Second Most Popular: create-pull-request (21 workflows, 25.6%) - used for code changes
• Third Most Popular: create-issue (20 workflows, 24.4%) - used for bug reports and tasks
• Files Without Safe Outputs: 14 (17.1%) - typically test or utility workflows

Multiple Safe Output Usage

15 workflows (18.3%) use multiple safe output types:

• lockfile-stats.lock.yml - 6 types: create-discussion, create-issue, add-comment, create-pull-request, create-pull-request-review-comment, update-issue
• poem-bot.lock.yml - 5 types: create-issue, add-comment, create-pull-request, create-pull-request-review-comment, update-issue
• pr-nitpick-reviewer.lock.yml - 4 types: create-discussion, add-comment, create-pull-request, create-pull-request-review-comment

Structural Characteristics

Job Complexity

• Average Jobs per Workflow: 6.8
• Average Steps per Workflow: 56.7
• Average Steps per Job: 9.1
• Maximum Steps: 101 (in poem-bot.lock.yml)
• Minimum Steps: 26
• Maximum Jobs: 16
• Minimum Jobs: 2

Average Lock File Profile

Based on statistical analysis, a typical .lock.yml file has:

• Size: ~215 KB
• Jobs: ~7 jobs
• Steps: ~57 steps
• Steps per Job: ~9 steps
• Permissions: Read-only (contents, issues, pull-requests)
• Safe Outputs: 1-2 types
• MCP Servers: 1 (typically github)

Permission Patterns

Most Common Permissions

Permission	Count	Percentage
contents:read	78	95.1%
pull-requests:read	71	86.6%
issues:read	68	82.9%
actions:read	32	39.0%
discussions:read	7	8.5%
security-events:read	5	6.1%
repository-projects:read	3	3.7%
issues:write	2	2.4%
attestations:read	2	2.4%
checks:read	2	2.4%

Permission Distribution

• Read-only permissions: 278 instances (99.3%)
• Write permissions: 2 instances (0.7%)

Security Insight: The overwhelming majority (99.3%) of permissions are read-only, demonstrating a security-first approach where agents primarily observe and report rather than directly modify resources.

Most Common Permission Sets

The standard permission triple appears in most workflows:

• contents:read + issues:read + pull-requests:read = Base pattern for most workflows
• Extended with actions:read for workflows that need to analyze GitHub Actions data
• Rarely includes write permissions, only for specific safe outputs

Tool & MCP Patterns

MCP Server Usage

MCP Server	Count	Percentage
mcp__github	78	95.1%
mcp__playwright	3	3.7%
mcp__context7	1	1.2%
mcp__deepwiki	1	1.2%
mcp__arxiv	1	1.2%

MCP Server Insights:

• mcp__github: Universal - present in 78 workflows (95.1%)
• Workflows with MCP servers: 78 (95.1%)
• Specialized servers: playwright (3), context7 (1), deepwiki (1), arxiv (1) for specific research/testing needs

Interesting Findings

1. Consistency in Structure

The lock files show remarkable consistency:

• 95% use GitHub MCP server
• 95% have read-only permissions
• 84% have safe outputs configured
• Average file size varies by only ±50% from mean

2. Size Extremes

Smallest workflow (shared/opencode.lock.yml at 23 KB):

• Minimal shared workflow component
• 9 jobs, 26 steps
• No safe outputs (utility workflow)

Largest workflow (poem-bot.lock.yml at 393 KB):

• Complex multi-function bot
• 16 jobs, 101 steps
• 5 different safe output types

3. Workflow Purposes

By analyzing safe outputs, workflows break down into categories:

• Reporting/Analysis (30 workflows): create-discussion
• Code Changes (21 workflows): create-pull-request
• Issue Management (20 workflows): create-issue
• Commentary (19 workflows): add-comment
• Testing/Utilities (14 workflows): No safe outputs

4. Security Patterns

• Write permissions (issues:write) appear in only 2 workflows
• All write operations are channeled through safe outputs
• MCP servers provide controlled API access
• Firewall workflows (4) enforce security boundaries

5. Shared Components

3 files in .github/workflows/shared/ serve as reusable components:

• Smaller size (23-82 KB vs. 220 KB average)
• Explicit trigger definitions
• Designed for composition

Complexity Distribution

Complexity Tier	Job Count	Workflow Count	Percentage
Simple	1-3 jobs	9	11.0%
Medium	4-7 jobs	48	58.5%
Complex	8+ jobs	25	30.5%

Complexity Insight: Most workflows (48, 58.5%) fall into the medium complexity range, suggesting a sweet spot of 4-7 jobs provides sufficient capability without excessive complexity.

Recommendations

1. Size Optimization

• Average file size of 215 KB is reasonable
• Consider investigating workflows >300 KB for potential modularization
• 4 workflows exceed this threshold

2. Safe Output Patterns

• The create-discussion → create-pr → create-issue pattern works well
• Consider standardizing on discussion posts for reporting (most popular at 37%)
• Multiple safe outputs (15 workflows) provide flexibility

3. Permission Model

• Current read-only default is excellent security practice
• 99% read permissions validates security-first design
• Maintain this pattern for new workflows

4. MCP Integration

• GitHub MCP server near-universal adoption (95%) is good for consistency
• Specialized servers (playwright, context7, etc.) add valuable capabilities
• Consider documenting MCP server selection patterns

5. Complexity Management

• Target 4-7 jobs for most workflows (the 68% majority pattern)
• Reserve 8+ jobs for genuinely complex scenarios
• Simple 1-3 job workflows for utilities and tests

Methodology

• Analysis Tool: Python 3 with regex parsing
• Lock Files Analyzed: 82
• Cache Memory: /tmp/gh-aw/cache-memory/ for script persistence
• Data Sources: .github/workflows/**/*.lock.yml
• Analysis Date: 2025-11-13

---

Generated by Lockfile Statistics Analysis Agent on 2025-11-13T03:30:23.598962

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.