Target Workflow
File: .github/workflows/copilot-setup-steps.yml
Engine: GitHub Actions (CI — no AI/LLM token costs)
Analysis period: 7 days (2026-05-05 to 2026-05-18)
Runs analyzed: 7 (all concluded success)
Note: This workflow has no AI token usage. Savings are measured in GitHub Actions minutes and pipeline efficiency. It was selected as the only non-Token, non-recently-optimized workflow eligible for review.
Token / Cost Profile
| Metric | Value |
| --- | --- |
| AI tokens | None (pure CI workflow) |
| Runs (7d) | 7 (all success) |
| Avg run duration | ~15s (recent runs with validate steps); ~8s (older runs) |
| Failure rate | 0% |
Why This Workflow
The copilot-setup-steps workflow was recently expanded (around 2026-05-13) with two new validation steps — a smoke test that fetches published workflows from the registry and a separate validate step that compiles all local workflow files. These two steps overlap: both end up compiling agentic-token-audit and agentic-token-optimizer, creating redundant gh aw compile invocations on every push. In addition, the artifact upload step always runs (via always()) even when no trial output exists, and two community actions are pinned only to major-version tags rather than SHAs.
Ranked Recommendations
1. Eliminate Redundant gh aw compile Invocations
Estimated savings: ~3–6 seconds per run (~20–30% of CI runtime)
The current pipeline runs two sequential compile/validate passes:
- Smoke test step: gh aw add .../agentic-token-audit .../agentic-token-optimizer → gh aw compile --validate --no-emit (compiles 2 workflows from registry)
- Validate published workflows step: gh aw compile --dir workflows --validate --no-emit (compiles all 3 workflows from the local workflows/ directory)
agentic-token-audit and agentic-token-optimizer are compiled twice in every run. The smoke test's purpose (verifying installable registry artifacts) can be preserved while eliminating the redundant compile by restructuring:
Proposed change: Keep the gh aw add call in the smoke test to install from registry, but remove the gh aw compile --validate --no-emit line from the smoke test and rely solely on the existing validate step to cover compilation of all workflows (which already includes both published workflows via the workflows/ directory).
```yaml
# Smoke test: only verify that `gh aw add` succeeds (no compile needed here)
- name: Smoke test published workflows via gh aw add
  run: |
    set -euo pipefail
    temp_dir="$(mktemp -d)"
    trap 'rm -rf "$temp_dir"' EXIT
    cd "$temp_dir"
    git init -q
    gh aw add "${{ github.repository }}/agentic-token-audit" "${{ github.repository }}/agentic-token-optimizer"
    # compile validation is covered by the next step

# Validate step already covers everything in workflows/ dir — no change needed
```
Evidence: Steps 4 and 5 both appear in every post-May-13 run (§25880554203, §25812237071, §25811942879).
2. Remove always() from Artifact Upload
Estimated savings: ~1–2 seconds per run + avoids pointless upload API calls
The artifact upload step uses if: ${{ always() }} which forces it to run even on failure and even when no trials/ directory exists. The if-no-files-found: ignore flag already handles the missing-files case, but the step still consumes setup time on every run.
Proposed change: Remove the always() condition and let the step default to running only on success. If post-failure artifact collection is needed, use if: ${{ failure() }} instead — which is more targeted.
```yaml
- name: Upload trial results
  # Remove: if: ${{ always() }}
  uses: actions/upload-artifact@v4
  with:
    name: gh-aw-trial-results
    path: trials/
    if-no-files-found: ignore
```
3. Pin Community Actions to SHAs
Estimated savings: No runtime savings, but removes the supply-chain risk of a moved tag
actions/checkout@v6 and actions/upload-artifact@v4 are pinned to major-version floating tags. If a major-version tag is moved (intentionally or via a compromised release), the workflow silently runs different code. The gh-aw-actions/setup-cli action is already SHA-pinned — apply the same pattern consistently.
Proposed change: Replace floating tag pins with SHA pins:
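```yaml
- uses: actions/checkout@<sha-for-v6>
- uses: actions/upload-artifact@<sha-for-v4>
```
Obtain SHAs via: gh api repos/actions/checkout/git/refs/tags/v6 --jq '.object.sha'
If the returned object's type is tag (an annotated tag), that value is the SHA of the tag object rather than the commit, so dereference it to the commit SHA before pinning.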
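A check that keeps the pinning recommendation enforced after the one-time fix, as an added example that is not part of the original report or the repository's code. It flags every `uses:` reference that is not a full 40-character commit SHA; the sample workflow text and the SHA in it are constructed placeholders.

```python
import re

# Constructed sample in the shape of the workflow discussed above.
# The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v6
  - uses: gh-aw-actions/setup-cli@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
  - uses: ./.github/actions/local-step
  - name: Upload trial results
    uses: actions/upload-artifact@v4
"""

# Matches "uses:" as a step key, with or without the leading list dash.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref: str) -> str:
    """Return 'local', 'docker', 'pinned' or 'floating' for one uses: value."""
    if ref.startswith("./"):
        return "local"    # lives in this repository, versioned with the workflow
    if ref.startswith("docker://"):
        return "docker"   # image references need digest pinning, not covered here
    _, _, version = ref.partition("@")
    # Only a full commit SHA is immutable; tags, branches and short SHAs are not.
    return "pinned" if FULL_SHA_RE.fullmatch(version) else "floating"


def audit(workflow_text: str) -> list[tuple[int, str]]:
    """List (line_number, ref) for every action reference that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "floating":
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run over every file in .github/workflows/ as a CI gate, it fails the build when a new floating reference is introduced.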
Caveats
- All 7 runs analyzed are success; failure scenarios are not represented in the sample.
- Run durations vary (11–21s in recent runs) likely due to runner warm-up variation; savings estimates use the low end to stay conservative.
- This is a CI workflow with no AI/LLM token costs; all savings metrics are in GitHub Actions compute time, not AI token spend.
Generated by Agentic Workflow Token Usage Optimizer · ● 7.5M · ◷