[lockfile-stats] π Lockfile Statistics Analysis β 2026-07-11 (256 workflows, 29.2 MB) #45009
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Lockfile Statistics Analysis Agent. A newer discussion is available at Discussion #45136. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
π Lockfile Statistics Analysis β 2026-07-11
Aggregate analysis of all compiled agentic workflow lockfiles (
.github/workflows/*.lock.yml).Overview: 256 lockfiles Β· 29.2 MB total Β· 0 malformed/skipped Β· YAML-parsed. Corpus essentially unchanged day-over-day (+3.8 KB), but up +23 workflows / +7.4 MB (~+37%) since 2026-05-20.
example-permissions-warning) / 181.3 KB (smoke-copilot-aoai-entra)π¦ File size distribution
Lockfiles are large and tightly clustered β every file exceeds 79 KB, reflecting the substantial boilerplate (safe-output plumbing, MCP setup, prompt embedding) the compiler emits per workflow. Largest are the multi-engine
smoke-*test workflows (161β181 KB).β° Trigger analysis
Top combinations:
schedule + workflow_dispatch(171),workflow_dispatchonly (44),pull_request + workflow_dispatch(27). Nearly all workflows (248/256, 97%) expose a manualworkflow_dispatchhandle, and 68% are scheduled. Cron times are well-jittered across the clock (mostly off :00/:30 minutes), indicating good fleet-scheduling hygiene to avoid API stampedes.π€ Safe outputs analysis
Five runtime/infrastructure outputs are present in essentially every safe-output-enabled workflow (251):
noop,missing-data,missing-tool,report-incomplete,create-report-incomplete-issue. The user-configured output mix:Long tail (β€5): close-issue, assign-to-agent, dispatch-workflow, slack/notion integrations, code-scanning-alert, project updates, etc.
Discussion categories:
auditsdominates (76), thenannouncements(5),artifacts(2),dev(2),daily-news(1),research(1).ποΈ Structural characteristics
release)smoke-copilot)Total run-scripts across the fleet: 13,561 (avg ~53/workflow). Job/step floors of 4/79 confirm a heavy fixed compiler scaffold on every workflow.
π Permission patterns
Read is granted broadly and uniformly β
actionsandcontentsread on all 256;pull-requests(225) andissues(219) read on most.issues: writeis nearly universal (249/256) β driven by the safe-output incident-reporting path (create-report-incomplete-issue) baked into most workflows. Sensitive scopes stay rare:id-token(2),security-events(3),packages/statuses/attestations(1 each). Timeouts: all 256 jobs sit in the 31β60 min band, with 28 also having short 6β15 min jobs and 2 with β€5 min.π§° Tool & MCP patterns
Engines:
other(115),copilot(64),claude(60),codex(14), plus one eachantigravity,gemini,opencode. (otherreflects engine markers the text-scan couldn't attribute to a named engine.)MCP servers:
githubleads by far (100), thenserena(24),tavily(5),sentry(5),grafana(3),markitdown(3), and a diverse tail (brave-search, ast-grep, arxiv, deepwiki, notion, datadog, microsoftdocs, semgrep, agentdb, context7, memory).π Interesting findings
issues:writeis the default footprint. 97% carry it β almost entirely for automated failure-reporting, not core function. A worthwhile audit target for least-privilege.githubMCP appears in ~39% of workflows; all other MCP servers combined appear in fewer. External integrations remain experimental/one-off.π Historical trends
Engines, MCP servers, discussion categories, and trigger mix are all identical to 2026-07-10 β a fully stable day.
β Recommendations
issues:writenecessity β 249 workflows hold it; scope down any where incident-reporting to issues isn't actually used.otherengine bucket β 115 workflows lack a clearly named engine in the text scan; refine detection or standardize the engine marker for cleaner telemetry.Methodology: single-script compact JSON analysis. One cached Python analyzer (
lockfile_stats_v1.py) parsed all 256 lockfiles withyaml.safe_load(with regex fallback for permissions/categories/safe-outputs) into a β€50 KB summary; the report is derived solely from that JSON plus 51 days of cached historical snapshots. 0 files skipped.Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions