[audit-workflows] Daily Agentic Workflow Audit — 2026-04-29

[github-actions[bot]]

Overview

Daily audit of agentic workflows for 2026-04-29. This is the first run of the audit agent, establishing a baseline. 50 runs analyzed across 163 configured workflows. No MCP failures or missing tool requests detected. Two runs were cancelled due to superseded pushes; one permission issue found in the workflow updater.

Note: The 25.6% success rate reflects that 69.8% of runs were legitimately skipped (their triggers didn't match), not failures. Among runs that actually executed, all completed successfully.

---

Summary

Metric	Value
Total runs	50
Completed (success)	11 (25.6%)
Skipped	30 (69.8%)
Cancelled	2 (4.7%)
Failed	0 (0%)
In progress at capture time	4
Total tokens	3,414,456
Effective tokens	3,254,375
Estimated cost	$0.77
Total errors	9 (workflow annotations)
Missing tools	0
MCP failures	0
GitHub API calls	40

---

Workflow Health

The high skip rate is expected behavior: most workflows are event-triggered (PR labels, slash commands, deployment events) and only fire when their specific conditions are met. The two cancellations were both smoke-ci runs superseded by rapid successive pushes — a normal CI pattern.

---

Token Usage & Engine Distribution

38 of 50 runs had no engine identified (skipped/cancelled runs with no agent execution). Among runs that executed: Copilot handled 8, Claude handled 3, Codex 1. The highest-cost individual runs were Claude-powered (sergo at $1.92, static-analysis-report at $1.72).

---

Issues Found

Medium Severity

Git push permission denied in daily-workflow-updater — Run §25133773670

• The GitHub App lacks the workflows write permission, preventing pushes to .github/workflows/ files
• The workflow handled it gracefully by creating fallback issue [actions] Update GitHub Actions versions - 2026-04-29 #29190
• Recommendation: Grant the workflows permission to the GitHub App, or route workflow file changes through PRs with explicit approval

Low Severity

Run-cancellation artifact cascade in smoke-ci — Runs §25134101840, §25134073487

• Pre-activation job cancelled by a superseding push causes the conclusion job to fail on missing agent artifact
• Recommendation: Add a condition to the conclusion job to skip gracefully when no agent artifact exists (if: always() && steps.download.outcome != 'failure')

Cache-memory artifact missing — slide-deck-maintainer, step-name-alignment

• First run or cache expired; expected transient error
• No action needed; monitor for persistent failures

---

Observability Signals

View All Observations

Signal	Severity	Workflow	Detail
Turn count drift	Medium	test-quality-sentinel	Ranged from 4–32 turns (avg 18); suggests unstable prompt or varying task shapes
Firewall pressure	Medium	ai-moderator	25% block rate (2/8 requests); highest of any workflow
High anomaly events	Medium	Multiple	4 events with anomaly score > 0.6 across 50 runs
Read-only actuation	Info	All	0 write-capable safe-outputs executed; all runs stayed read-only
Tool concentration	Info	All	Read tool = 64% of all tool calls; narrow capability path

---

High-Cost Runs

View Top Token Consumers

Workflow	Run	Turns	Tokens	Cost
sergo	§25132435628	86	3,604,031	$1.92
static-analysis-report	§25130700074	28	1,869,449	$1.72
prompt-clustering-analysis	§25131364601	34	1,729,790	$1.21
aw-failure-investigator	§25128577381	8	337,257	$1.17
step-name-alignment	§25130490735	26	1,113,791	$0.94

---

Engine Breakdown

Engine	Runs	Notes
Copilot	8	Daily regulatory, CLI deep research, contribution check, auto-triage, smoke-ci, test quality, workflow updater
Claude	3	Audit agent (this run), design-decision-gate (×2)
Codex	1	AI moderator (queued)
N/A (skipped/cancelled)	38	No agent execution

---

Recommendations

1. Grant workflows permission to the GitHub App used by daily-workflow-updater to enable direct workflow file updates without fallback issues
2. Improve smoke-ci conclusion resilience — add skip condition when agent artifact is absent after cancellation
3. Investigate test-quality-sentinel turn volatility — high variance (4–32 turns) may indicate prompt instability or inconsistent input sizes
4. Monitor ai-moderator firewall blocks — 25% block rate is noteworthy; review if legitimate requests are being blocked

---

References:

• §25133773670 — daily-workflow-updater (git push permission failure)
• §25134101840 — smoke-ci (cancellation cascade)
• §25134187458 — this audit run

Generated by Agentic Workflow Audit Agent · ● 721K · ◷

• expires on Apr 30, 2026, 9:32 PM UTC