You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Schedule frequency — cron expressions appear well-jittered across minutes (no 0 * or 0 9 clustering observed in top samples), consistent with anti-thundering-herd guidance. Examples: 49 14 * * 1-5, 38 3 * * *, 27 */6 * * *, 40 17 * * 1.
Safe Outputs Analysis
Methodology caveat: the current cached analyzer (lockfile_stats_v1.py) returned an empty safe_output_types bucket for this run, though the 2026-05-20 snapshot recorded type counts. The schema marker is unchanged, but detection appears regressed — flagging for script maintenance. Comparable totals from 2026-05-20: 233 workflows declared create_discussion/create_issue/missing_tool; 227 declared noop; add_comment 71; push_to_pull_request_branch 57; create_pull_request 56; add_labels 23; upload_assets 22.
Structural Characteristics
Metric
Value
Total jobs across all lockfiles
1,870
Total steps
24,078
Total github-script blocks
11,576
Jobs per workflow (min / avg / max)
5 / 7.99 / 12
Steps per workflow (min / avg / max)
67 / 102.9 / 140
Workflow with most jobs
firewall-escape.lock.yml (12)
Workflow with most steps
smoke-copilot.lock.yml (140)
Per-job timeout distribution (across 683 jobs with explicit timeouts)
Bucket (min)
Job count
≤ 5
14
6 – 15
320
16 – 30
317
31 – 60
29
> 60
3
Permission Patterns
All 234 lockfiles declare top-level permissions: {} (empty/none). Permissions are therefore scoped at the job level, not workflow-wide — consistent with least-privilege per-job grants. The analyzer's per-key read/write tallies were not populated this run (top-level only).
Tool & MCP Patterns
Engine distribution:
Engine
Workflows
Share
copilot
154
65.8%
claude
62
26.5%
codex
13
5.6%
pi
2
0.9%
crush
1
0.4%
gemini
1
0.4%
opencode
1
0.4%
MCP server usage (occurrences across all workflows):
Server
Occurrences
github
6,448
playwright
168
sentry
96
grafana
14
arxiv
6
deepwiki
6
Top GitHub MCP tools by reference count
The GitHub MCP server's read tools dominate — each of the following appears in 124 workflows (≈53% of corpus): download_workflow_run_artifact, get_code_scanning_alert, get_commit, get_dependabot_alert, get_discussion, get_discussion_comments, get_file_contents, get_job_logs, get_label, get_latest_release, get_me, get_notification_details, get_pull_request, get_pull_request_comments, get_pull_request_diff, get_pull_request_files, get_pull_request_review_comments, get_pull_request_reviews, get_pull_request_status, get_release_by_tag, get_secret_scanning_alert, get_tag, get_workflow_run, get_workflow_run_logs, get_workflow_run_usage, issue_read, list_branches, list_code_scanning_alerts, list_commits, list_dependabot_alerts.
The uniform 124-count signature suggests these are pulled via a shared bundle (likely the default GitHub MCP read toolset), not selected per workflow.
Interesting Findings
workflow_dispatch is effectively universal — 226 of 234 workflows (96.6%) accept manual dispatch. Only 8 workflows omit it.
smoke-claude.lock.yml is the heaviest at 173.7 KB — about 2.85× the smallest (test-workflow.lock.yml, 60.9 KB).
Schedule jitter is healthy — sampled cron expressions use non-zero, non-:30 minutes (e.g., :23, :38, :49), reducing API-burst risk against the Anthropic and GitHub APIs.
GitHub MCP read tools form a near-uniform 124-workflow plateau — strongly suggests a shared toolset bundle rather than per-workflow selection. Worth verifying that workflows pulling the full bundle actually need every tool, since each adds to compiled lockfile size.
firewall-escape.lock.yml carries 12 jobs — the maximum, well above the 7.99 average. Worth a look to confirm the job sprawl is intentional.
Historical Trends
Comparing the last three daily snapshots:
Date
Lockfiles
Total MB
Avg KB
Jobs
Steps
Scripts
workflow_dispatch
schedule
2026-05-20
233
21.35
93.8
1,423*
24,002
11,518
225
159
2026-05-21
233
21.50
94.5
1,858
23,931
11,518
225
159
2026-05-22
234
21.54
94.3
1,870
24,078
11,576
226
160
*The 2026-05-20 job total used a different counting method; the 2026-05-21→2026-05-22 delta is the directly comparable figure.
Day-over-day deltas (vs. 2026-05-21):
+1 lockfile, +41,852 bytes (+0.19%)
+12 jobs (+0.65%), +147 steps (+0.61%), +58 scripts (+0.50%)
+1 workflow_dispatch, +1 schedule (one new workflow joined both)
copilot engine: 153 → 154 (+1)
All other engine counts unchanged
No workflows were removed; growth is purely additive and modest.
Recommendations
Audit the GitHub MCP "124-tool plateau" — if a shared bundle is being pulled into half the corpus, verify each workflow actually invokes those tools. Trimming unused tools should reduce average lockfile size meaningfully.
Repair lockfile_stats_v1.py safe-output detection — current snapshot returned empty safe_output_types and discussion_categories despite known usage. Worth bumping the script to v2 once detection is fixed so historical comparisons remain accurate.
Investigate firewall-escape.lock.yml (12 jobs) — confirm the outlier job count is intentional; consider consolidation if not.
Spot-check the 39 workflow_dispatch-only workflows — these never run automatically; some may be stale.
No action needed on cron jitter — schedule distribution looks healthy and well-spread.
Methodology Note
Single-script compact JSON analysis. The cached analyzer (/tmp/gh-aw/cache-memory/scripts/lockfile_stats_v1.py) is executed once, emits /tmp/gh-aw/agent/lockfile-stats-summary.json (~4.7 KB), and all report reasoning is derived from that summary plus two prior daily snapshots in /tmp/gh-aw/cache-memory/history/. No per-lockfile re-reading. Total bash turns used: 2.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
Analyzed 234
.github/workflows/*.lock.ymlfiles totaling 22.59 MB (avg 94.3 KB per lockfile). All files parsed cleanly — 0 malformed.File Size Distribution
Top 10 largest lockfiles
5 smallest lockfiles
Trigger Analysis
Top trigger combinations
Schedule frequency — cron expressions appear well-jittered across minutes (no
0 *or0 9clustering observed in top samples), consistent with anti-thundering-herd guidance. Examples:49 14 * * 1-5,38 3 * * *,27 */6 * * *,40 17 * * 1.Safe Outputs Analysis
Structural Characteristics
firewall-escape.lock.yml(12)smoke-copilot.lock.yml(140)Per-job timeout distribution (across 683 jobs with explicit timeouts)
Permission Patterns
All 234 lockfiles declare top-level
permissions: {}(empty/none). Permissions are therefore scoped at the job level, not workflow-wide — consistent with least-privilege per-job grants. The analyzer's per-key read/write tallies were not populated this run (top-level only).Tool & MCP Patterns
Engine distribution:
MCP server usage (occurrences across all workflows):
Top GitHub MCP tools by reference count
The GitHub MCP server's read tools dominate — each of the following appears in 124 workflows (≈53% of corpus):
download_workflow_run_artifact,get_code_scanning_alert,get_commit,get_dependabot_alert,get_discussion,get_discussion_comments,get_file_contents,get_job_logs,get_label,get_latest_release,get_me,get_notification_details,get_pull_request,get_pull_request_comments,get_pull_request_diff,get_pull_request_files,get_pull_request_review_comments,get_pull_request_reviews,get_pull_request_status,get_release_by_tag,get_secret_scanning_alert,get_tag,get_workflow_run,get_workflow_run_logs,get_workflow_run_usage,issue_read,list_branches,list_code_scanning_alerts,list_commits,list_dependabot_alerts.The uniform 124-count signature suggests these are pulled via a shared bundle (likely the default GitHub MCP read toolset), not selected per workflow.
Interesting Findings
workflow_dispatchis effectively universal — 226 of 234 workflows (96.6%) accept manual dispatch. Only 8 workflows omit it.smoke-claude.lock.ymlis the heaviest at 173.7 KB — about 2.85× the smallest (test-workflow.lock.yml, 60.9 KB).:23,:38,:49), reducing API-burst risk against the Anthropic and GitHub APIs.firewall-escape.lock.ymlcarries 12 jobs — the maximum, well above the 7.99 average. Worth a look to confirm the job sprawl is intentional.Historical Trends
Comparing the last three daily snapshots:
*The 2026-05-20 job total used a different counting method; the 2026-05-21→2026-05-22 delta is the directly comparable figure.
Day-over-day deltas (vs. 2026-05-21):
No workflows were removed; growth is purely additive and modest.
Recommendations
lockfile_stats_v1.pysafe-output detection — current snapshot returned emptysafe_output_typesanddiscussion_categoriesdespite known usage. Worth bumping the script tov2once detection is fixed so historical comparisons remain accurate.firewall-escape.lock.yml(12 jobs) — confirm the outlier job count is intentional; consider consolidation if not.workflow_dispatch-only workflows — these never run automatically; some may be stale.Methodology Note
Single-script compact JSON analysis. The cached analyzer (
/tmp/gh-aw/cache-memory/scripts/lockfile_stats_v1.py) is executed once, emits/tmp/gh-aw/agent/lockfile-stats-summary.json(~4.7 KB), and all report reasoning is derived from that summary plus two prior daily snapshots in/tmp/gh-aw/cache-memory/history/. No per-lockfile re-reading. Total bash turns used: 2.References: §26311059602
Beta Was this translation helpful? Give feedback.
All reactions