[audit-workflows] Daily audit — 2026-05-10

[github-actions[bot]]

Overview

Across the last 24 hours, 215 workflow runs were observed for github/gh-aw, with 2 activation failures (0.93% failure rate) and $27.23 in estimated agent cost. All failures occurred before 14:00 UTC; the most recent 17:00–21:00 UTC window was 100% green. Two recurring concerns deserve attention: an outdated lock file for schema-consistency-checker.md, and 17% firewall block rate on the Daily Project Performance Summary Generator workflow.

Summary

Metric	Value
Runs	215 (214 completed, 1 in-progress)
Failures	2 (0.93%)
Warnings / missing tools	0 / 0
Total tokens (raw / effective)	42.4M / 218.2M
Estimated cost	$27.23
Action-minutes	227
Engine mix (labeled)	Copilot 18 · Claude 10 · Codex 1
GitHub API calls	141
Firewall: allowed / blocked	1,237 / 18

Critical Issues

1. Schema Consistency Checker — outdated lock file ⚠️

Run §25621677191 failed at activation with:

ERR_CONFIG: Lock file '.github/workflows/schema-consistency-checker.lock.yml' is outdated!
The workflow file '.github/workflows/schema-consistency-checker.md' frontmatter has changed.
Run 'gh aw compile' to regenerate the lock file.

Action: run gh aw compile and commit the regenerated schema-consistency-checker.lock.yml. Until that lands, every scheduled run of this workflow will skip the agent stage.

2. Auto-Triage Issues — transient DNS failure 🌐

Run §25630347638 failed at activation:

fatal: unable to access 'https://github.com/github/gh-aw/': Could not resolve host: github.com

Isolated occurrence — other Auto-Triage Issues runs in the window completed successfully. No code change recommended; if recurrence increases, consider adding a retry to the activation git fetch.

High-Severity Observability Signals

Network friction hotspot — Daily Project Performance Summary Generator

This workflow had 16 blocked requests out of 93 (17%) — the highest pressure of any workflow in the window. Blocked domains:

• accounts.google.com:443 (4)
• redirector.gvt1.com:443 (4)
• clients2.google.com (3)
• www.google.com:443 (3)
• release-assets.githubusercontent.com:443 (1)
• nodejs.org:443 (1)

The nodejs.org and release-assets.githubusercontent.com blocks suggest a toolchain bootstrap step. The Google-domain blocks look like an unintended Chrome/Puppeteer egress. Review whether these are required (and if so, allowlist them) or trim the script that triggers them.

Daily Cache Strategy Analyzer — direct GitHub egress blocked

2 blocks on api.github.com:443 / github.com:443. Workflows should route GitHub reads through the GitHub MCP server instead of direct API calls.

Execution drift — Test Quality Sentinel

Varied from 4 to 28 turns across runs (avg 16). Suggests unstable prompt shape or fluctuating task scope; worth a prompt review to tighten the agent loop.

Trend Charts

Workflow health

All failures are clustered in the early UTC hours (06:00 and 13:00). Once scheduled daily workflows started firing at 17:00 UTC, success rate held at 100% through the rest of the window. The early-hour failures explain the dip in success rate, not a systemic regression.

Token usage and cost

Cost rises sharply through the 17:00–21:00 UTC daily-job window. The 19:00 UTC peak ($8.18) is driven entirely by [aw] Failure Investigator (6h), and the 21:00 UTC bar (~$7.62) by Daily Safe Output Tool Optimizer. Just two workflows account for 58% of the day's spend.

Top cost drivers (24h)

Workflow	Tokens	Cost (USD)
[aw] Failure Investigator (6h)	11,968,768	$8.18
Daily Safe Output Tool Optimizer	11,321,562	$7.62
Daily Code Metrics and Trend Tracking Agent	2,794,348	$3.04
Lockfile Statistics Analysis Agent	2,309,693	$2.57
Daily Caveman Optimizer	1,556,742	$1.75
Copilot Agent PR Analysis	1,277,064	$1.75
Daily Team Evolution Insights	737,888	$1.24

Note: Copilot-engine workflows report $0.00 because cost is not surfaced for them in the run summary; raw token usage is the better health signal for those.

Per-run overview (all 30 runs in the audit's most-recent batch)

Workflow	Engine	Status	Duration
Agentic Workflow Audit Agent	Claude Code	in_progress	23.0s
Contribution Check	Copilot CLI	completed	6.3m
Daily Safe Output Tool Optimizer	Claude Code	completed	15.5m
Auto-Triage Issues	Copilot CLI	completed	6.6m
Daily Caveman Optimizer	Claude Code	completed	7.2m
Copilot PR Prompt Pattern Analysis	Copilot CLI	completed	5.5m
Daily Project Performance Summary Generator	Copilot CLI	completed	16.6m
Daily Team Evolution Insights	Claude Code	completed	11.1m
Lockfile Statistics Analysis Agent	Claude Code	completed	7.5m
Q	Copilot CLI	completed	8.6m
Daily Safe Output Integrator	Copilot CLI	completed	4.0m
Auto-Triage Issues	Copilot CLI	completed	4.9m
[aw] Failure Investigator (6h)	Claude Code	completed	18.1m
PR Triage Agent	Copilot CLI	completed	3.7m
Daily Code Metrics and Trend Tracking Agent	Claude Code	completed	18.1m
Copilot Agent PR Analysis	Claude Code	completed	6.2m
Daily Secrets Analysis Agent	Copilot CLI	completed	4.9m
Smoke CI (×3)	Copilot CLI	completed	~2.3m each
Daily Testify Uber Super Expert	Copilot CLI	completed	6.6m
Daily Cache Strategy Analyzer	Codex	completed	10.5m
Contribution Check	Copilot CLI	completed	5.2m
Design Decision Gate 🏗️ (×2)	Claude Code	completed	3.7–3.9m
Matt Pocock Skills Reviewer (×2)	Copilot CLI	completed	5.1–5.3m
Test Quality Sentinel (×2)	Copilot CLI	completed	3.6m / 13.6m

DIFC integrity-filtered issue reads (5 events)

The agent attempted to read issues from non-approved authors, which were correctly blocked by integrity filtering. Behaves as designed — no action required.

• #19099 by abillingsley
• #31241 by trask
• #30832 by jbaruch
• #30840 by rhardouin
• #28888 by clementbolin

Reason in every case: Resource has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

Recommendations

1. Recompile schema-consistency-checker.lock.yml with gh aw compile. Highest-priority concrete fix — until landed, every scheduled run will continue to fail at activation.
2. Review Daily Project Performance Summary Generator egress. Decide whether the Google-domain and Node.js fetches are intentional (allowlist them) or accidental (remove the upstream call). 17% block rate is the worst in the fleet.
3. Switch Daily Cache Strategy Analyzer to the GitHub MCP server for any direct API/web access — direct calls to api.github.com / github.com are being blocked and the MCP path is the supported one.
4. Tighten Test Quality Sentinel prompt — turn count fluctuating from 4 to 28 is a stability signal worth investigating.
5. Consider whether [aw] Failure Investigator (6h) and Daily Safe Output Tool Optimizer justify their cost — together they consume 58% of the day's Claude spend. Either trim their context window or move them to lower-cost models if appropriate.

Notes on data coverage

Historical pre-2026-05-10 logs were not retrievable from the MCP logs tool (pagination returned empty beyond the day's window), so the trend chart is intra-day hourly rather than 30-day. Repo memory has now been seeded with today's metrics; future audits should be able to plot real day-over-day trends.

References:

• Failed Schema Consistency Checker run §25621677191
• Failed Auto-Triage Issues run §25630347638
• This audit run §25640187706

Generated by Agentic Workflow Audit Agent · ● 21.7M · ◷

• expires on May 11, 2026, 9:44 PM UTC

[github-actions[bot]]

💥 WHOOSH! 🦸♀️

The smoke test agent ZOOMS through the audit discussion! ⚡

POW! All Claude smoke checks passed! 💥
ZAP! Tavily, Serena, Playwright, and Make: all green! ✨
BAM! Slack ping delivered, code-scanning alert minted, PR review bundled! 🎯

Run §25641551150 — engine nominal, signing off! 🚀💨

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · ● 4.8M · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Agentic Workflow Audit Agent.

A newer discussion is available at Discussion #31591.