📊 Agentic Workflow Lock File Statistics - January 2026

[github-actions[bot]]

This comprehensive analysis examines all 140 .lock.yml files in the repository to identify usage patterns, popular triggers, safe outputs, structural characteristics, and other key metrics.

Executive Summary

• Total Lock Files: 140
• Total Size: 10.3 MB (10,761,783 bytes)
• Average File Size: 75.1 KB (76,869 bytes)
• Analysis Date: 2026-01-25
• Smallest File: dev.lock.yml (22 KB)
• Largest File: copilot-session-insights.lock.yml (118 KB)

File Size Distribution

Size Range	Count	Percentage
< 10 KB	0	0%
10-50 KB	8	6%
50-100 KB	121	86%
> 100 KB	11	8%

Key Insight: The vast majority (86%) of lock files fall into the 50-100 KB range, indicating consistent workflow complexity across the repository.

View Size Extremes

Smallest Files (10-50 KB range):

• dev.lock.yml (22 KB)
• Plus 7 other compact workflows

Largest Files (> 100 KB):

• copilot-session-insights.lock.yml (118 KB)
• Plus 10 other complex workflows

These larger files typically contain more extensive agent configurations, multiple MCP servers, or complex multi-step analysis pipelines.

Trigger Analysis

Most Popular Triggers

Trigger Type	Workflows	Percentage	Description
issues	139	99%	Nearly all workflows respond to issue events
workflow_dispatch	125	89%	Manual trigger capability widely adopted
schedule	106	76%	Automated scheduled execution
issue_comment	14	10%	Comment-triggered workflows
pull_request	12	9%	PR-triggered workflows
pull_request_review_comment	6	4%	Review comment triggers
discussion	4	3%	Discussion-triggered workflows
workflow_run	2	1%	Workflow chaining
push	1	<1%	Push event trigger

Key Insight: The repository strongly favors issue-driven workflows (99%), with most workflows also supporting manual execution (89%) and scheduled automation (76%).

View Common Trigger Combinations

Combination	Count	Use Case
schedule + workflow_dispatch	97	Daily/periodic tasks with manual override
workflow_dispatch only	14	Pure manual workflows
pull_request + schedule + workflow_dispatch	5	Multi-trigger PR analysis
issues only	4	Pure issue-driven automation
discussion + discussion_comment + issue_comment + issues + pull_request + pull_request_review_comment	3	Comprehensive event coverage

Example Scheduled Workflows:

• agent-performance-analyzer
• agent-persona-explorer
• archie
• artifacts-summary
• audit-workflows

Example Issue-Triggered Workflows:

• agent-performance-analyzer
• agent-persona-explorer
• agentic-campaign-generator
• ai-moderator
• archie

Schedule Patterns

Most common cron schedules (daily, scattered to avoid conflicts):

Schedule (Cron)	Count	Time (UTC)
0 14 * * 1-5	4	2:00 PM weekdays
0 13 * * 1-5	4	1:00 PM weekdays
0 11 * * 1-5	4	11:00 AM weekdays
0 9 * * 1-5	2	9:00 AM weekdays
0 7 * * 1-5	2	7:00 AM weekdays

Key Insight: Scheduled workflows are deliberately scattered throughout the day to distribute load, with concentration during business hours on weekdays.

Safe Outputs Analysis

Safe outputs are the primary mechanism for workflows to create artifacts and communicate results.

Safe Output Types Distribution

Type	Usage Count	Workflows	Primary Use Case
missing_tool	1,206	N/A	Tool availability reporting
noop	1,203	N/A	Transparency/completion logging
add-comment	112	30	Add comments to issues/PRs
create-pull-request	30	16	Automated PR creation
create-issue	14	8	Issue creation from analysis
create-discussion	13	9	Discussion posts for reports
update-issue	3	N/A	Issue updates

Total Safe Output Tool Calls: 2,581

View Example Workflows by Safe Output Type

create-discussion (9 workflows):

• copilot-agent-analysis
• copilot-pr-merged-report
• copilot-pr-prompt-analysis

create-issue (8 workflows):

• cli-consistency-checker
• cli-version-checker
• craft

add-comment (30 workflows):

• agentic-campaign-generator
• archie
• brave

create-pull-request (16 workflows):

• cloclo
• daily-doc-updater
• daily-workflow-updater

Key Insight: The high frequency of missing_tool and noop calls (over 1,200 each) suggests strong adoption of transparency patterns and proper error handling across workflows.

Structural Characteristics

Job Complexity Metrics

• Average Jobs per Workflow: 8.05
• Average Steps per Workflow: 71.6
• Maximum Steps in Single Workflow: 92 steps (in audit-workflows.lock.yml)
• Workflows with MCP Servers: 136 (97%)

View Typical Lock File Structure

Based on statistical analysis, a typical .lock.yml file has:

• Size: ~75 KB
• Jobs: ~8 jobs
• Steps: ~72 steps total
• Triggers: issues + workflow_dispatch + schedule
• Safe Outputs: Multiple (averaging ~18 safe output calls per workflow)
• Permissions: Read-heavy with selective write access
• Timeout: Variable (some workflows have specific timeouts up to 600 minutes)
• MCP Integration: Yes (97% of workflows)

Standard Job Structure:

1. activation - Workflow timestamp validation
2. agent - Main AI agent execution with MCP servers
3. safe-outputs - Process and publish results
4. git-sync - Optional Git operations
5. assets - Optional asset handling
6. Additional specialized jobs based on workflow purpose

Key Insight: Workflows are consistently structured with an average of 8 jobs and 72 steps, indicating mature patterns and standardized architecture.

Permission Patterns

Most Common Permissions

Permission	Usage Count	Access Level	Primary Use
contents: read	630	Read-only	Repository access
discussions: write	265	Write	Discussion creation
issues: write	262	Write	Issue management
pull-requests: write	235	Write	PR operations
pull-requests: read	124	Read-only	PR analysis
issues: read	123	Read-only	Issue analysis
contents: write	77	Write	Code changes
actions: read	63	Read-only	Workflow introspection
discussions: read	35	Read-only	Discussion access
security-events: read	14	Read-only	Security analysis

View Permission Distribution Analysis

Permission Philosophy:

• Read-dominant: contents: read appears 630 times vs contents: write at 77 times (8:1 ratio)
• Selective Write Access: Write permissions are granted specifically for outputs (discussions, issues, PRs)
• Security-Conscious: Only 14 workflows access security events, indicating proper scoping

Workflows with Minimal Permissions: 140 workflows start with permissions: {} at the workflow level, then grant specific permissions per job. This follows the principle of least privilege.

Key Insight: The repository follows security best practices with read-heavy permissions (8:1 read-to-write ratio for contents) and job-level permission scoping.

MCP Server & Tool Patterns

MCP Server Adoption

• Workflows with MCP Servers: 136 (97%)
• Total MCP Server Configurations: ~420+ (many workflows use multiple servers)

Common MCP Server Patterns:

• GitHub MCP Server (v0.29.0): 134+ instances - GitHub API access
• MCP Gateway (ghcr.io/githubnext/gh-aw-mcpg:v0.0.78): 113+ instances - Tool routing
• Playwright MCP: 9+ instances - Browser automation
• Specialized MCPs: Notion, MarkItDown, ast-grep, Semgrep

View MCP Configuration Patterns

Standard MCP Stack:

1. GitHub MCP Server (v0.29.0) - Core GitHub operations
2. MCP Gateway - Routing and orchestration  
3. Base images: node:lts-alpine (most common), python:alpine
4. Specialized tools: Added per workflow needs

Interesting MCP Combinations:

• Security Analysis: GitHub MCP + Semgrep MCP + Gateway
• Documentation: GitHub MCP + MarkItDown + Gateway
• Code Analysis: GitHub MCP + ast-grep + Gateway
• Project Management: GitHub MCP + Notion MCP + Gateway

Key Insight: MCP integration is nearly universal (97%), with consistent patterns around GitHub access and tool gateways.

Engine Distribution

Based on concurrency group patterns:

Engine	Workflows	Concurrency Pattern
Copilot	138	gh-aw-copilot-${{ github.workflow }}
Generic	111	gh-aw-${{ github.workflow }}
Claude	64	gh-aw-claude-${{ github.workflow }}
Codex	15	gh-aw-codex-${{ github.workflow }}

Key Insight: GitHub Copilot is the dominant engine (138 workflows), followed by Claude (64) and Codex (15), with some workflows using generic configurations.

Concurrency & Timeout Patterns

Concurrency Groups

Top concurrency patterns (prevent parallel runs):

1. gh-aw-copilot-${{ github.workflow }} - 138 workflows
2. gh-aw-${{ github.workflow }} - 111 workflows
3. gh-aw-claude-${{ github.workflow }} - 64 workflows
4. gh-aw-codex-${{ github.workflow }} - 15 workflows
5. Issue/PR-specific groups - 26 workflows

Pattern: Concurrency is scoped by engine and workflow, preventing resource conflicts.

Timeout Configuration

• Minimum Timeout: Default (no explicit timeout)
• Maximum Timeout: 600 minutes (10 hours)
• Average Timeout: ~17 minutes (when specified)

Key Insight: Most workflows run quickly (<17 min avg), but some complex analysis workflows are allowed up to 10 hours for thorough processing.

Interesting Findings

1. Issue-Centric Architecture: 99% of workflows respond to issue events, making issues the primary interaction interface for agentic workflows in this repository.

2. Transparency-First Design: The high usage of noop (1,203 instances) and missing_tool (1,206 instances) safe outputs demonstrates a commitment to visibility and proper error reporting, even when no action is taken.

3. Consistent Workflow Complexity: The tight clustering around 75 KB file size and 72 steps per workflow suggests mature, reusable patterns rather than ad-hoc implementations.

4. Security-Conscious Permissions: The 8:1 ratio of read-to-write permissions for repository contents shows careful permission scoping, with write access granted only when necessary.

5. MCP-Driven Integration: 97% adoption of MCP servers indicates this is the standard integration pattern, with GitHub MCP Server being the foundation for most workflows.

6. Multi-Engine Support: The repository supports multiple AI engines (Copilot, Claude, Codex) with proper isolation via concurrency groups, enabling comparative analysis and engine-specific optimizations.

7. Scheduled Automation at Scale: 106 scheduled workflows run daily tasks scattered throughout business hours to distribute load, representing significant automation investment.

8. Safe Output Diversity: Workflows use 7 different safe output types, with comment-based communication (112 instances) being the most common interactive pattern, followed by PR creation (30) for code changes.

Recommendations

1. Continue Issue-First Pattern: The 99% issue-trigger rate is working well. Consider documenting this pattern as a best practice for team collaboration.

2. Monitor Large Workflows: The 11 workflows exceeding 100 KB should be periodically reviewed for potential simplification or modularization opportunities.

3. Standardize MCP Stacks: Document the common MCP server patterns to help new workflow authors choose the right tools.

4. Schedule Optimization: Consider analyzing actual execution times to further optimize the scattered scheduling pattern and reduce job queue wait times.

5. Permission Audit: The current 8:1 read-write ratio is excellent. Establish this as a benchmark and monitor for drift over time.

6. Safe Output Patterns: The high use of transparency tools (noop, missing_tool) should be documented as a pattern for other teams adopting agentic workflows.

Methodology

• Analysis Tool: Bash scripts with text processing (awk, grep, sed)
• Lock Files Analyzed: 140 files in .github/workflows/*.lock.yml
• Cache Memory: Scripts persisted in /tmp/gh-aw/cache-memory/ for reuse
• Data Sources: Direct parsing of YAML structure and metadata
• Historical Tracking: Results saved to cache for trend analysis

Scripts Available:

• analyze_lockfiles.sh - File sizes, triggers, safe outputs, structure
• extract_details.sh - MCP servers, categories, timeouts
• analyze_permissions.sh - Permission and concurrency patterns
• final_stats.sh - Workflow examples and statistics

---

Analysis Timestamp: 2026-01-25 14:51:28 UTC
Workflow Run: §21334466228

AI generated by Lockfile Statistics Analysis Agent

• expires on Feb 1, 2026, 2:56 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-01T14:56:51.386Z.