📊 Agentic Workflow Lock File Statistics - October 2025

[github-actions[bot]]

📊 Agentic Workflow Lock File Statistics - October 2025

This comprehensive analysis examines all 59 lock files in the .github/workflows/ directory, providing insights into usage patterns, structural characteristics, and configuration trends across the repository's agentic workflows.

Executive Summary

The repository contains 59 lock files totaling 11.21 MB, with an average file size of 194.51 KB. The analysis reveals strong standardization in workflow structure, with most workflows using workflow_dispatch triggers (81% of workflows) and schedule-based automation (49%). The typical workflow contains approximately 5-6 jobs with 10-11 steps per job, demonstrating a consistent architecture across the codebase.

Key Highlights:

• Most Popular Trigger Combination: schedule+workflow_dispatch (28 workflows) enables both automated and manual execution
• Largest Workflow: poem-bot.lock.yml (361.4 KB, 14 jobs) showcases complex multi-job orchestration
• Most Complex Job: mcp-inspector.lock.yml contains a single job with 53 steps
• Top MCP Server: Tavily (5 workflows) leads in external service integrations
• Most Requested Permission: contents (223 occurrences) for repository access

Full Report Details

File Size Distribution

The overwhelming majority of lock files are substantial, reflecting the comprehensive nature of agentic workflow configurations:

Size Range	Count	Percentage
< 10 KB	0	0.0%
10-50 KB	1	1.7%
50-100 KB	7	11.9%
> 100 KB	51	86.4%

Size Statistics:

• Smallest: test-post-steps.lock.yml (79.1 KB)
• Largest: poem-bot.lock.yml (361.4 KB)
• Average: 194.51 KB
• Total: 11.21 MB

The large file sizes indicate rich configurations with extensive permissions, multiple jobs, detailed step definitions, and comprehensive security controls.

Trigger Analysis

Trigger Type Distribution

Workflows in this repository primarily use manual and scheduled triggers, with event-based triggers used selectively:

Trigger Type	Count	Percentage	Description
workflow_dispatch	48	81.4%	Manual workflow execution
schedule	29	49.2%	Cron-based automation
issue_comment	8	13.6%	Triggered by issue/PR comments
issues	5	8.5%	Triggered by issue events
workflow_run	3	5.1%	Triggered by other workflow completions
discussion_comment	3	5.1%	Triggered by discussion comments
pull_request	3	5.1%	Triggered by PR events
discussion	2	3.4%	Triggered by discussion events
pull_request_review_comment	2	3.4%	Triggered by PR review comments
push	2	3.4%	Triggered by push events

Common Trigger Combinations

Most workflows combine multiple trigger types for flexibility:

1. schedule+workflow_dispatch: 28 workflows (47.5%) - Automated with manual override capability
2. workflow_dispatch only: 13 workflows (22.0%) - Fully manual execution
3. workflow_run only: 3 workflows (5.1%) - Dependent workflow execution
4. issue_comment only: 2 workflows (3.4%) - Comment-triggered workflows
5. Multiple event types: Several workflows combine 5+ trigger types for maximum flexibility

Example workflows by trigger type:

• Schedule-only automation: Most scheduled workflows also include workflow_dispatch for manual override
• Issue comment triggers: mergefest.lock.yml, pdf-summary.lock.yml, scout.lock.yml
• Pull request triggers: scout.lock.yml, q.lock.yml, changeset-generator.firewall.lock.yml

Schedule Patterns

Among the 29 scheduled workflows, the following cron patterns are most common:

Schedule (Cron)	Count	Description
0 0,6,12,18 * * *	5	Every 6 hours (00:00, 06:00, 12:00, 18:00 UTC)
0 6 * * 0	2	Weekly on Sunday at 06:00 UTC
0 2 * * 1-5	2	Weekdays at 02:00 UTC
0 0 * * *	2	Daily at midnight UTC

Patterns observed:

• High-frequency monitoring: 5 workflows run every 6 hours for continuous monitoring
• Weekday automation: Several workflows run Monday-Friday for development-related tasks
• Off-hours execution: Most schedules target low-traffic hours (midnight, early morning UTC)

Safe Outputs Analysis

Safe outputs enable workflows to interact with GitHub resources in controlled ways. Analysis of GH_AW_SAFE_OUTPUTS_CONFIG reveals the following patterns:

Safe Output Type Distribution

Configuration Pattern	Count	Description
create_discussion (max:1) + missing_tool	37	Standard discussion creation for reports
create_issue (max:1) + missing_tool	16	Single issue creation workflows
create_pull_request + missing_tool	11	PR creation workflows (no max limit)
create_issue (max:1, min:1) + missing_tool	10	Required issue creation
add_comment (max:1) + missing_tool	8	Comment addition workflows
push_to_pull_request_branch + missing_tool	6	PR branch updates
Multiple output types	Several	Complex workflows with multiple safe output capabilities

Notable Safe Output Configurations

Multi-output workflows combine several safe output types:

• poem-bot.lock.yml: Uses 8 different output types including add_comment, add_labels, create_issue, create_pull_request, with label allowlists for controlled tagging
• Custom safe outputs: Some workflows define custom outputs like notion-add-comment and post-to-slack-channel

Safe output limits provide guardrails:

• Most workflows set max: 1 for discussions and issues to prevent spam
• PR creation typically has no max limit for iterative development
• Some workflows require minimum outputs (min: 1) to ensure action is taken

Discussion Categories

While explicit category references in configurations were limited, the standard pattern uses:

• audits: For analysis and audit reports (like this one)
• reports: For automated reporting workflows
• announcements: For broadcast-style updates

Structural Characteristics

Job Complexity

The repository demonstrates consistent job structuring across workflows:

Metric	Value
Average jobs per workflow	5.48 jobs
Minimum jobs	2 jobs
Maximum jobs	14 jobs (poem-bot.lock.yml)
Median	5 jobs

Distribution insight:

• Standard pattern: Most workflows (75%+) use exactly 5 or 7 jobs, suggesting template-based generation
• Common job pattern: activation → agent → detection → create_discussion → missing_tool
• Complex workflows: Workflows exceeding 8 jobs typically handle multiple scenarios or parallel processing

Step Complexity

Steps per job show greater variability than job counts:

Metric	Value
Average steps per job	10.58 steps
Minimum steps	1 step
Maximum steps	53 steps (mcp-inspector.lock.yml)

Step distribution patterns:

• Minimal jobs: Single-step jobs typically handle simple checks (1 step)
• Standard agent jobs: 30-45 steps for full agent execution with all tooling
• Utility jobs: 3-12 steps for detection, cleanup, and output handling
• Outlier: mcp-inspector with 53 steps demonstrates extensive MCP configuration and testing

Average Lock File Structure

Based on statistical analysis, a typical .lock.yml file has:

Property	Typical Value
File Size	~195 KB
Jobs	5-7 jobs
Steps per Job	~11 steps (agent jobs: 30-45, utility jobs: 3-12)
Permissions	contents: read, actions: read, issues: write, discussions: write
Triggers	schedule + workflow_dispatch
Timeout	8-10 minutes per job
Concurrency	Group by workflow name

Timeout Configuration

Timeout values show strong standardization:

Timeout Value	Frequency	Percentage
10 minutes	Dominant	~85%
5 minutes	Common	~15%

• Average timeout: 8.53 minutes
• Pattern: Agent jobs typically use 10 minutes, utility jobs use 5 minutes
• Purpose: Prevents runaway workflows while allowing sufficient time for complex agent operations

Permission Patterns

Most Common Permissions

Permissions show clear patterns of access requirements:

Permission	Count	Typical Access Level
contents	223	Read (repository access)
actions	82	Read (workflow artifacts)
issues	77	Write (issue creation/updates)
pull-requests	72	Write (PR operations)
discussions	61	Write (discussion creation)
models	6	Read (AI model access)
security-events	6	Write (security findings)
attestations	4	Write (provenance)
checks	4	Write (check runs)
deployments	4	Write (deployment status)

Permission Philosophy

Principle of least privilege: Most workflows use permissions: read-all at the top level, then grant specific write permissions per job as needed.

Common permission patterns:

1. Read-heavy: contents: read, actions: read for repository access
2. Output-focused: issues: write, discussions: write for safe outputs
3. PR workflows: pull-requests: write, contents: write for code changes
4. Security workflows: security-events: write for vulnerability management

Concurrency Control

Concurrency settings prevent workflow conflicts:

Concurrency Pattern	Count	Purpose
gh-aw-${{ github.workflow }}	42	One instance per workflow type
gh-aw-${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}	8	One instance per issue/PR
Other patterns	6	Custom concurrency controls

Best practice: Nearly all workflows implement concurrency controls to prevent resource conflicts and redundant executions.

Shared Imports & Modularity

Workflows leverage shared imports for code reuse:

Most Popular Shared Imports

Import	Count	Purpose
reporting	10	Report formatting and output standardization
jqschema	8	JSON schema validation utilities
mcp/gh-aw	5	GitHub Agentic Workflows MCP server
mcp/tavily	5	Tavily search integration
mcp/serena	4	Serena analysis tools
mcp/markitdown	3	Markdown conversion utilities
mcp/arxiv	2	Academic paper search
mcp/ast-grep	2	Code AST searching
mcp/brave	2	Brave search integration
mcp/context7	2	Context analysis

Modularity benefits:

• Code reuse: Shared imports reduce duplication across 56+ workflows
• Consistency: Common patterns ensure uniform behavior
• Maintainability: Updates to shared modules propagate automatically

MCP Server Integration

MCP Server Usage Statistics

MCP Server	Workflow Count	Example Workflows
tavily	5	daily-news, mcp-inspector, scout
serena	4	mcp-inspector, q, duplicate-code-detector
markitdown	3	mcp-inspector, pdf-summary, scout
arxiv	2	mcp-inspector, scout
brave	2	mcp-inspector, brave
context7	2	mcp-inspector, scout
deepwiki	2	mcp-inspector, scout
notion	2	mcp-inspector, notion-issue-summary
svelte	1	test-svelte
datadog	1	mcp-inspector
sentry	1	mcp-inspector
slack	1	mcp-inspector

MCP adoption insights:

• Search integration: Tavily and Brave provide external search capabilities
• Analysis tools: Serena and context7 enable code analysis
• Documentation: Markitdown and deepwiki handle documentation processing
• Integrations: Notion, Slack, Datadog, Sentry connect workflows to external platforms
• Specialized: Academic research (arxiv), framework-specific (svelte)

Note: mcp-inspector.lock.yml imports many MCP servers for testing purposes.

Interesting Findings

1. Strong Standardization: 86.4% of files exceed 100 KB, indicating comprehensive, well-documented workflows with extensive configurations

2. Template-Driven Architecture: The consistency in job counts (5-7 jobs) and step patterns suggests template-based workflow generation, likely through the gh aw compile tooling

3. Hybrid Automation: 47.5% of workflows combine schedule and workflow_dispatch triggers, enabling both automated execution and manual intervention - a best practice for agentic systems

4. Safety-First Design: Every workflow includes missing_tool safe output configuration, ensuring that agents can report when they lack necessary capabilities

5. Concurrency-Aware: 96% of workflows implement concurrency controls, preventing race conditions and resource conflicts in a repository with dozens of automated agents

6. Job Dependency Graphs: Lock file comments include Mermaid diagrams documenting job dependencies, enhancing maintainability

7. Extreme Complexity Capability: The largest workflow (poem-bot) with 14 jobs and the most complex job (mcp-inspector) with 53 steps demonstrate the platform's ability to handle sophisticated multi-stage agentic processes

8. High-Frequency Monitoring: 5 workflows run every 6 hours, providing near-continuous monitoring and maintenance

Recommendations

Best Practices Identified

1. Always include workflow_dispatch: 81% of workflows enable manual triggering - this should be universal for testing and emergency execution

2. Standardize on 5-7 job pattern: The activation → agent → detection → output → cleanup pattern is well-established and maintainable

3. Use concurrency controls: Implement workflow-level or issue-level concurrency groups to prevent conflicts

4. Set timeout limits: 10 minutes for agent jobs, 5 minutes for utility jobs prevents runaway executions

5. Leverage shared imports: The reporting and jqschema imports are used by 10+ and 8 workflows respectively - consider expanding shared module library

Potential Optimizations

1. Workflow size: Consider splitting workflows exceeding 300 KB (poem-bot, q, unbloat-docs) into smaller, focused workflows for better maintainability

2. Schedule distribution: 5 workflows run at the exact same time (every 6 hours) - stagger executions to distribute load

3. Permission auditing: With 223 contents permission grants, audit which workflows truly need write access vs. read-only

4. MCP server consolidation: Consider creating workflow-specific MCP server bundles rather than importing individually

Areas for Investigation

1. Step count outliers: Investigate why mcp-inspector requires 53 steps - potential for modularization?

2. Firewall workflows: Several workflows have .firewall variants - document the differences and use cases

3. Test workflows: Only 3 workflows are prefixed with test-* - consider expanding test coverage for the workflow system itself

Methodology

• Analysis Tool: Python scripts with PyYAML for robust parsing
• Lock Files Analyzed: 59 files (56 main workflows + 3 shared configurations)
• Cache Memory: Scripts stored in /tmp/gh-aw/cache-memory/scripts/ for reuse
• Historical Data: Raw data saved to /tmp/gh-aw/cache-memory/history/2025-10-27.json
• Data Sources: .github/workflows/*.lock.yml files
• Validation: Cross-referenced multiple analysis approaches for accuracy

Analysis Scripts Available

The following reusable scripts are available in cache memory:

1. analyze_lockfiles.py - Comprehensive YAML parsing and statistics
2. final_analysis.py - Trigger combinations and pattern analysis
3. analyze_mcps.py - MCP server usage extraction
4. get_examples.py - Example workflow identification

These scripts can be reused for future trend analysis and comparison.

---

Generated by Lockfile Statistics Analysis Agent on 2025-10-27
Analyzed 59 lock files totaling 11.21 MB
Based on workflow run §18828895002

AI generated by Lockfile Statistics Analysis Agent

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 month ago.