[agentic-token-optimizer] Optimization: Install Workflows — enable paths filter and pin action SHA

[github-actions]

Target Workflow

Install Workflows — selected as the highest-eligible candidate after excluding all workflows optimized within the last 14 days (Agentic Maintenance, Release, Daily Agentic Workflow Token Usage Audit, Copilot Setup Steps, Copilot cloud agent) and excluding Token-named workflows.

Analysis Period

7 runs analyzed (2026-05-14 → 2026-05-20). All concluded success.

Run Profile

Metric	Value
Runs audited	7
All conclusions	✅ success
Avg validate job duration	~15 s
Avg install job duration	~10 s
Avg total wall time	~25 s
Estimated action minutes/run	~1 min (2 jobs × ~0.5 min each)
Token usage	0 (non-agentic workflow)

Note: This workflow contains no LLM agent calls. Optimization targets are GitHub Actions minutes and CI reliability rather than model tokens. All pre-downloaded token data sources (all-runs.json, top-workflows.json, daily snapshots) were empty for this run window; run-level data was derived directly from the GitHub Actions API.

Ranked Recommendations

1. Enable the commented-out paths trigger filter (High Impact)

Estimated savings: ~50–70% reduction in unnecessary runs → ~4–5 runs saved per 7-push cycle (~4–5 GitHub Actions minutes saved).

The paths filter is already scaffolded in the source but commented out:

on:
  push:
    branches:
      - main
    #paths:
    #  - workflows/**

Every push to main currently triggers this workflow, including automated commits from the Agentic Maintenance, Token Audit, and Token Optimizer workflows. None of those commits touch workflows/. Enabling the filter restricts triggers to pushes that actually change workflow source files.

Action: Uncomment the paths block in .github/workflows/install-workflows.yml:

    paths:
      - workflows/**

Evidence: 4 of the 7 audited runs occurred on a single day (2026-05-20) during periods of heavy automated activity, consistent with non-workflow commits triggering unnecessary installs.

References: §26162885593 · §26158137540 · §26156848869

---

2. Pin create-github-app-token to a full commit SHA (Medium Impact — Security)

Estimated savings: Supply-chain risk reduction; prevents unexpected behavior from @v1 tag drift.

The install job uses:

uses: actions/create-github-app-token@v1

All other actions in this workflow are pinned to exact commit SHAs (e.g., actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5). Pinning this action to a SHA closes the inconsistency and protects against tag mutation.

Action: Replace @v1 with a pinned SHA from the create-github-app-token release history.

---

3. Skip validate job on no-install dispatches (Low Impact)

Estimated savings: ~1 GitHub Actions minute per redundant manual dispatch.

When workflow_dispatch is triggered with install_workflows: false, the install job is correctly skipped by its if condition. However, the validate job always runs — spinning up a runner, installing the CLI, and validating sources even when the user had no intent to deploy.

Action: Add a matching if guard to the validate job:

  validate:
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'push' ||
      (github.event_name == 'workflow_dispatch' && github.event.inputs.install_workflows == 'true')

---

Caveats

• All 7 audited runs succeeded; no error or retry patterns were observed.
• The paths filter (Rec 1) will require a manual workflow_dispatch when installing without a source change — this is expected behavior.
• Inline sub-agent analysis is not applicable (no LLM steps present in this workflow).

Generated by Agentic Workflow Token Usage Optimizer · ● 7M · ◷

• expires on Jun 8, 2026, 4:27 PM UTC