depmedic / benchmarks

What 20 popular open-source projects pay for GitHub Actions

Pulled the live .github/workflows directory from 20 widely-used OSS repos (React, Next.js, Vite, TypeScript, Deno, etc.), priced every job using GitHub's published per-runner rates, and ran ci-doctor across all of them. Below is what the data says. Reproduce locally with npx ci-doctor + npx gha-budget; data and scripts are in the workspace.

Repos scanned

Workflows analyzed

229

CI smells found

944

Combined monthly @ 30 runs/day

$50,976.00

Per-repo cost (sorted by monthly spend)

Assumes 8 minutes per job, 30 runs per day, GitHub-hosted runner pricing. Self-hosted and large runners are unpriced (shown as priced/total). Per-repo deep dives with workflow-level breakdown and the actual ci-doctor findings live at /examples/.

Repo	Workflows	Priced jobs	Per run	Monthly @ 30/day	CI smells
denoland/deno · deep dive	11	37/51	$18.30	$16,473.60	99
facebook/react · deep dive	24	57/67	$16.19	$14,572.80	91
vercel/next.js · deep dive	37	57/116	$4.10	$3,686.40	166
axios/axios · deep dive	8	21/21	$2.62	$2,361.60	40
storybookjs/storybook · deep dive	15	32/33	$2.05	$1,843.20	67
microsoft/TypeScript · deep dive	18	31/32	$1.92	$1,728.00	79
eslint/eslint · deep dive	8	15/18	$1.54	$1,382.40	46
remix-run/react-router · deep dive	19	18/30	$1.22	$1,094.40	52
webpack/webpack · deep dive	9	14/17	$1.15	$1,036.80	25
vitejs/vite · deep dive	12	17/18	$1.09	$979.20	26
prettier/prettier · deep dive	17	16/23	$1.02	$921.60	32
jestjs/jest · deep dive	9	11/28	$0.90	$806.40	20
parcel-bundler/parcel · deep dive	6	9/15	$0.90	$806.40	52
vuejs/core · deep dive	9	12/14	$0.83	$748.80	39
sveltejs/svelte · deep dive	5	11/12	$0.70	$633.60	14
rollup/rollup · deep dive	4	8/10	$0.64	$576.00	25
preactjs/preact · deep dive	8	10/25	$0.64	$576.00	30
tannerlinsley/react-query · deep dive	5	7/9	$0.45	$403.20	20
expressjs/express · deep dive	4	5/7	$0.38	$345.60	18
sindresorhus/got · deep dive	1	0/1	$0.00	$0.00	3

The most common CI smells

Across all 229 workflows. Percentage is share of priced jobs that hit at least one of that rule.

Rule	Hits	Per priced job
`missing-timeout`	364	94%
`missing-cache`	113	29%
`pinned-action-sha`	91	23%
`missing-permissions`	80	21%
`artifact-no-retention`	73	19%
`missing-concurrency`	52	13%
`matrix-overcommit`	52	13%
`deprecated-action`	39	10%
`fetch-depth-zero`	22	6%
`stale-cache-key`	19	5%
`fail-fast-true`	13	3%
`expensive-runner`	12	3%
`always-run-on-pr`	10	3%
`wide-trigger`	4	1%

What the data shows

Missing job timeout is the #1 finding by a wide margin (364 hits). A stuck job runs to GitHub's default 6-hour cap. One stuck job at macos-latest = $28.80 from a single bad PR.
Missing cache hits 113 times. Setup-node/setup-python/setup-java without cache: reinstalls every run; for a busy repo this is dollars/day.
Unpinned action SHAs hit 91 times. Not a cost issue; a supply-chain issue. Run npx pin-actions to fix everything in place.
159 jobs (29% of total) ran on self-hosted, large, or non-standard runners. These are excluded from cost totals - the real spend is higher than the table.

Try the same analysis on your repo

The fastest way: audit a workflow in your browser or price a workflow in your browser. Both run client-side, same engines, no upload. To run across the whole repo:

npx ci-doctor              # find the smells
npx ci-doctor --fix        # auto-apply the safe fixes
npx gha-budget             # price the workflows
npx pin-actions            # pin every uses: ref to a SHA

Want the patterns that fix all 11 of these?

The Cut Your CI Bill cookbook ships 30 paste-ready GitHub Actions patterns and 5 hardened workflow templates that target exactly the rules above. $19, one-time, MIT-licensed templates.

Get the cookbook

Generated 2026-04-27T23:57:09.903Z from real public workflow YAML. Pricing model: ubuntu $0.008/min, windows $0.016/min, macos $0.08/min. This is a snapshot; workflows change. Numbers are conservative. Methodology: blog post.