[lockfile-stats] Lockfile Statistics Analysis — 2026-06-13 (246 workflows, 28.7 MB, +2.75% / 24h)

[github-actions[bot]]

Executive Summary

Analysis of 246 compiled .lock.yml workflows in .github/workflows as of 2026-06-13 (0 malformed/skipped). Aggregate size is 28.66 MB (avg 113.8 KB/file, median 115.8 KB, range 76.8–176.7 KB).

The lockfile count held steady at 246, but generated output grew +2.75% in a single day (+768 KB) and average steps-per-workflow rose +4.0 — a sign the compiler emitted more boilerplate per workflow rather than new workflows being added.

Metric	Value	Δ vs 2026-06-12
Lockfiles	246	0
Total size	28.66 MB	+768 KB (+2.75%)
Avg size	116.5 KB	+3.1 KB
Median size	115.8 KB	+3.2 KB
Total steps	27,956	+984
Total jobs	1,979	0
Avg steps/wf	113.6	+4.0

File Size Distribution

Bucket	Count	Δ
100–250 KB	229	+14
50–100 KB	17	−14

Every file is now ≥50 KB; 14 files crossed from the 50–100 KB band into 100 KB+ overnight — the day's growth was broad-based, not concentrated.

Largest & smallest files

Largest: smoke-copilot-aoai-entra (176.7 KB), smoke-copilot-aoai-apikey (176.4 KB), smoke-copilot (175.7 KB), smoke-claude (172.4 KB), smoke-copilot-arm (163.5 KB), smoke-codex (151.2 KB).

Smallest: test-workflow (76.8 KB), example-permissions-warning (77.5 KB), codex-github-remote-mcp-test (78.3 KB), firewall (78.7 KB), ace-editor (86.1 KB).

The smoke-* matrix dominates the top — multi-engine smoke tests carry the most generated scaffolding.

Trigger Analysis

Trigger	Workflows
workflow_dispatch	238
schedule	165
pull_request	33
issues	4
issue_comment	2
push	2

Top combinations: schedule + workflow_dispatch (161), workflow_dispatch only (47), pull_request + workflow_dispatch (26). 97% of workflows expose a manual workflow_dispatch dispatch.

Schedule cron frequencies (top)

Crons are well-distributed across off-peak minutes (good — avoids the :00 thundering herd). Most-shared slots appear only twice (e.g. 49 14 * * 1-5, 23 11 * * *, 38 3 * * *). A handful use */6h or */4h intervals; one hourly (23 * * * *).

Safe Outputs Analysis

⚠️ The v1 parser did not surface a safe_output_types breakdown or top-level permissions map from this lockfile schema (both returned empty). This is a known parser limitation, not evidence of zero safe-outputs — these fields are emitted in a structure the v1 regex pass doesn't capture. Flagged for a v2 schema bump (see Recommendations).

Structural Characteristics

Metric	Min	Avg	Max	Max holder
Jobs/workflow	5	8.0	12	firewall-escape
Steps/workflow	76	113.6	152	smoke-copilot

Totals: 1,979 jobs, 27,956 steps, 12,831 run-blocks. Job count is rigid (5–12, tight band) while step count grew, confirming the day's expansion was within existing jobs.

Permission Patterns

Top-level permissions parsed as empty ({}) for all 246 — same v2-parser caveat as Safe Outputs. Permission posture cannot be reliably reported from this schema pass.

Tool & MCP Patterns

MCP Server	References
github	6,552
playwright	168
sentry	64
ruflo	16
grafana	14
arxiv	6
deepwiki	6

GitHub MCP utterly dominates (≈97% of all references). A long tail of read tools (get_commit, get_file_contents, issue_read, list_commits, ...) each appears in 126 workflows — the standard read-only GitHub toolset is broadly shared.

Engine distribution: copilot 164, claude 63, codex 14, then single instances of antigravity/crush/gemini/opencode/pi.

Interesting Findings

1. Static count, growing footprint. 0 new workflows but +768 KB / +984 steps in 24h → a generator/template change inflated every file, not new authoring.
2. The whole fleet shifted up a size band — 14 files crossed 100 KB simultaneously, none crossed down. Growth is uniform, pointing at shared scaffolding.
3. smoke-* matrix is the heavyweight class — the six largest files are all multi-engine smoke tests; smoke-copilot also holds the step-count record (152).
4. GitHub MCP is near-universal — 126 workflows share an identical ~30-tool read-only GitHub surface, suggesting a common imported toolset worth auditing for least-privilege.
5. Healthy cron hygiene — schedules avoid round minutes and cluster at most 2-deep per slot, minimizing simultaneous Actions load.

Historical Trends (24h, 2026-06-12 → 2026-06-13)

Metric	06-12	06-13	Δ
Total bytes	27.89 MB	28.66 MB	+2.75%
Avg size	113.4 KB	116.5 KB	+2.75%
Total steps	26,972	27,956	+984
Max steps	148	152	+4
Jobs total	1,979	1,979	0
Triggers/engines/MCP	—	—	unchanged

A 23-day history (since 2026-05-20) is retained in cache for longer-range trending.

Recommendations

1. Bump analyzer to lockfile_stats_v2.py to correctly extract safe_output_types, discussion categories, and the top-level permissions map — these are the report's two current blind spots.
2. Investigate the +2.75%/day growth. If sustained, the fleet doubles in compiled size in ~25 days. Confirm whether a recent compiler change added per-workflow boilerplate and whether it's intentional.
3. Audit the shared 30-tool GitHub MCP surface (126 workflows) for least-privilege — most workflows likely need a small subset.
4. Track the smoke-* matrix as the size leader; trim duplicated scaffolding there for the largest aggregate savings.

Methodology Note

Single-script compact JSON analysis: one cached Python pass (lockfile_stats_v1.py) parsed all 246 lockfiles into a ~4.8 KB JSON summary; all reasoning derived from that summary plus the prior-day cached summary. 0 files skipped. Safe-output/permission fields are a known v1 schema gap (see Rec. 1).

References: §27478463071

Generated by 📊 Lockfile Statistics Analysis Agent · 73 AIC · ⌖ 12.8 AIC · ⊞ 5.2K · ◷

• expires on Jun 14, 2026, 12:44 PM UTC-08:00