[agentic-token-optimizer] Copilot Setup Steps — CI efficiency optimizations #94

@github-actions

Target Workflow

Copilot Setup Steps (.github/workflows/copilot-setup-steps.yml) — selected as the only workflow not optimized in the last 14 days and not excluded by naming rules. All other candidates (Release, Install Workflows, Agentic Maintenance, Daily Agentic Workflow Token Usage Audit, Copilot cloud agent) were optimized between May 28 – June 3, 2026.

⚠️ Data note: Pre-aggregated token data (top-workflows.json, all-runs.json, daily snapshots) returned empty results for this analysis period. Selection and evidence are derived directly from the GitHub Actions API.


Analysis Period & Runs Audited

  • Period: 2026-05-05 → 2026-06-04 (30 days)
  • Runs analyzed: 7 (all conclusions: success)
  • Average job duration: ~14 s/run (range: 3–21 s)
  • LLM tokens: N/A — this is a CI validation workflow, not an agentic workflow; savings are measured in Actions minutes

Token / Actions-Minutes Profile

| Metric | Value |
| --- | --- |
| Total runs | 7 |
| All conclusions | success (0 failures) |
| Avg job duration | ~14 s |
| Estimated total Actions minutes | ~1.6 min |
| Dominant step | "Smoke test published workflows via gh aw add" (avg 6 s, ≈ 43% of job) |
| Always-skipped step | "Run published workflows on this repo" (requires manual workflow_dispatch input) |

Per-run step breakdown

| Run ID | Date | Steps | Duration |
| --- | --- | --- | --- |
| §25880554203 | 2026-05-14 | 9 | 21 s |
| §25850549414 | 2026-05-14 | 9 | 13 s |
| §25812237071 | 2026-05-13 | 9 | 11 s |
| §25811942879 | 2026-05-13 | 9 | 11 s |
| §25549698080 | 2026-05-08 | 5 | 8 s |
| §25549477916 | 2026-05-08 | 5 | 8 s |
| §25358948032 | 2026-05-05 | 5 | 3 s |

Ranked Recommendations

1. Cache the gh-aw extension install (~2 s/run saved)

Evidence: The "Install gh-aw extension" step pins an exact version (v0.72.1) but downloads it unconditionally on every run. Across 7 runs this step took 1–2 s each; at higher run frequencies it compounds.

Action: Add a cache key to the github/gh-aw-actions/setup-cli step, or use actions/cache to cache the extension binary by version tag before the install step. This is low-risk because the version is pinned and the cached artifact is deterministic.

- name: Cache gh-aw extension
  uses: actions/cache@v4
  with:
    path: ~/.local/share/gh/extensions/gh-aw
    key: gh-aw-${{ runner.os }}-v0.72.1

Estimated savings: ~2 s × future runs (≈ 15 % of job time on cache hit).


2. Condition the artifact upload on file existence (~1 s/run saved)

Evidence: The "Upload trial results" step runs if: always() but trials/ is empty on every observed push-triggered run — the upload action always initializes but finds nothing. The if-no-files-found: ignore flag handles this gracefully, yet the step still consumes 0–1 s of setup overhead per run.

Action: Add a file-existence guard so the upload step is skipped entirely when trials/ is absent:

- name: Upload trial results
  if: ${{ always() && hashFiles('trials/**') != '' }}
  uses: actions/upload-artifact@v4
  with:
    name: gh-aw-trial-results
    path: trials/
    if-no-files-found: ignore

Estimated savings: ~1 s per automated push-triggered run; prevents spurious artifact entries in the Actions UI.


3. Tighten job permissions for push-triggered runs (~security hardening, no time cost)

Evidence: The job declares contents: write and actions: write, but push-triggered runs never execute the "Run published workflows on this repo" step (always skipped). The write permissions are only required for the workflow_dispatch path.

Action: Split permissions into the minimal needed for the non-dispatch path, or scope write permissions only to the conditional step using step-level env / a separate job:

permissions:
  actions: read   # sufficient for push path
  contents: read  # sufficient for push path

For the dispatch path, consider using a separate job with elevated permissions gated by if: github.event_name == 'workflow_dispatch'. This limits the blast radius if a supply-chain compromise occurs during a routine push-triggered run.

Estimated savings: No time savings, but reduces attack surface.
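
The split that recommendation 3 describes, as an added example rather than the repository's actual workflow: GITHUB_TOKEN permissions can be set only at workflow or job level, so the write scopes move into a dispatch-only job and every push-triggered run gets a read-only token. The job name run-published-workflows, the gh extension install command standing in for the setup-cli step, and the placeholder step body are assumptions.

```yaml
# Added example. Job layout and step bodies are assumptions,
# not the contents of .github/workflows/copilot-setup-steps.yml.
name: Copilot Setup Steps

on:
  push:
  workflow_dispatch:

# Deny by default at workflow level; each job opts in to what it needs.
permissions: {}

jobs:
  copilot-setup-steps:
    # Runs on every trigger with a read-only token.
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Install gh-aw extension
        # Stand-in for the github/gh-aw-actions/setup-cli step (assumption).
        run: gh extension install github/gh-aw --pin v0.72.1
        env:
          GH_TOKEN: ${{ github.token }}
      - name: Validate published workflows
        # Validation target omitted; the page does not list it.
        run: gh aw compile --validate --no-emit
        env:
          GH_TOKEN: ${{ github.token }}

  run-published-workflows:   # hypothetical job name
    # Only a manual dispatch ever receives the write-scoped token.
    if: github.event_name == 'workflow_dispatch'
    needs: copilot-setup-steps
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Run published workflows on this repo
        run: echo "dispatch-only commands go here"   # placeholder body
```

With this layout a compromised dependency executing during a push-triggered run holds a token that cannot write to the repository or trigger other workflows.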


Structural Optimization Checks

Setup prefix: The two validation steps ("Smoke test" and "Validate published workflows") each invoke gh aw compile --validate --no-emit on different targets. These are sequential and cannot be combined without changing behavior — no shared-prefix extraction is warranted.

Inline sub-agents: This is a CI workflow with no LLM prompt body. Sub-agent refactoring does not apply.


Caveats

  • LLM token data is unavailable for this workflow (it runs no agentic steps). Savings are measured in CI seconds / GitHub Actions minutes.
  • With only 7 runs, timing variance (cold vs. warm runner) may reduce observed caching benefit.
  • The actions/cache approach requires the gh-aw-actions/setup-cli action to support it, or manual cache steps. Verify compatibility before merging.

Generated by Agentic Workflow Token Usage Optimizer · ● 7.5M ·

  • expires on Jun 11, 2026, 3:42 PM UTC
