I let Gemini explain 10 famous OSS GitHub Actions workflows. Here's what it found.
No editorial picks. I built a tiny Cloudflare Worker that proxies Gemini Flash for the new ask depmedic tool, then ran the same "explain" prompt over the primary CI workflow of 10 well-known OSS repos: Next.js, Vite, React, Vue, Deno, Prettier, Nuxt, Svelte, MUI, and TanStack Query. Below is the raw output for each. Total spend: $0.0003 on the Gemini API, 3,290 input tokens, 264 output tokens.
Method
For each repo I called the GitHub API to list active workflows, picked the
file whose name contained ci, test, build,
main, or lint (longest match wins), and fed the raw
YAML to Gemini Flash through the same prompt the public ask
tool uses. Each reply is capped at ~180 words. The Worker is open-source at
depmedicdev-byte/depmedicdev-byte.github.io
(projects/depmedic-ai-worker/ in the parent monorepo). I ran each
repo once, no retries, no human filtering. Output below is verbatim.
vercel/next.js /.github/workflows/setup-nextjs-build.yml
1-line summary This reusable workflow checks out, builds, and caches Next.js and its SWC binaries for integration testing using a high-performance runner.
Two cost or reliability smells
- pinned-action-sha: Actions such as actions/setup-node@v4 and actions/checkout@v4 use mutable tags instead of immutable commit SHAs, posing a security risk.
- missing-timeout: The build_nextjs job lacks a timeout-minutes property, which can lead to excessive costs if the expensive 16-core runner hangs.
One concrete fix Add timeout-minutes: 60 to the build_nextjs job at line 21 to prevent runaway costs on the high-performance runner.
vitejs/vite /.github/workflows/ci.yml
1-line summary This workflow executes linting and cross-platform matrix testing for a Node.js project, using a custom job to skip tests based on file changes.
Two cost or reliability smells
- pinned-action-sha: The actions/checkout@v6 and actions/setup-node@v6 steps use mutable tags rather than immutable commit SHAs, which can lead to unexpected failures if tags are moved.
- missing-timeout: The changed job lacks a timeout-minutes definition, allowing it to consume runner minutes for up to 6 hours if the step hangs.
One concrete fix Pin the checkout action to a specific SHA in the changed job at line 46: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
facebook/react /.github/workflows/devtools_regression_tests.yml
1-line summary Daily and manual regression testing of React DevTools against multiple React versions using Jest and Playwright.
Two cost or reliability smells
- pinned-action-sha: Actions such as actions/checkout@v4 use mutable tags rather than immutable commit SHAs, which can lead to non-reproducible builds or supply chain vulnerabilities.
- missing-timeout: Jobs lack a timeout-minutes definition, allowing hung browser processes or network requests to consume runner minutes until the 6-hour default limit.
One concrete fix Add timeout-minutes: 60 to the run_devtools_e2e_tests_for_versions job to prevent runaway Playwright tests.
vuejs/core /.github/workflows/test.yml
1-line summary Runs unit, E2E, and linting tests across Ubuntu and Windows environments using pnpm and Node.js.
Two cost or reliability smells
- pinned-action-sha: Actions use mutable tags like @v6 instead of immutable commit SHAs, which risks reliability if tags are moved or deleted.
- missing-timeout: Jobs lack a timeout-minutes property, risking high costs if a test process hangs indefinitely.
One concrete fix Add timeout-minutes: 15 to the unit-test job.
denoland/deno /.github/workflows/node_compat_test.generated.yml
This workflow runs sharded Node.js compatibility tests across Linux, Windows, and macOS on a schedule, aggregating results into a monthly summary uploaded to S3.
Two cost or reliability smells
- missing-timeout: The jobs lack a timeout-minutes definition, which can lead to hung processes consuming runner minutes for up to six hours.
- fail-fast-true: The matrix strategy uses the default true setting, causing a single shard failure to cancel all other active shards and preventing a complete compatibility report.
One concrete fix Set fail-fast: false under the strategy key in the test job to ensure all shards finish even if one fails.
prettier/prettier /.github/workflows/dev-test.yml
1-line summary Runs cross-platform Node.js tests and code coverage across a matrix of operating systems and versions.
Two cost or reliability smells
- missing-paths-filter: The workflow triggers on every push or pull request regardless of whether changes affect the codebase, wasting runner minutes on documentation or metadata updates.
- expensive-runner: Executing the full test suite on macos-latest and windows-latest for multiple Node.js versions is significantly more expensive than using Linux runners for all but one smoke test.
One concrete fix Add a paths filter to the on.push and on.pull_request triggers (line 4) to ensure the workflow only runs when source code, tests, or dependency files are modified.
nuxt/nuxt /.github/workflows/ci.yml
1-line summary This workflow executes a multi-stage CI pipeline including builds, security scanning, type-checking, and cross-platform testing for a Node.js project.
Two cost or reliability smells
- missing-timeout: The test-size and test-benchmark jobs lack explicit timeouts, risking hung processes and uncontrolled runner minute consumption.
- expensive-runner: The changes job uses ubuntu-24.04-arm for a lightweight path-filtering task that should be executed on a standard ubuntu-latest runner.
One concrete fix Add timeout-minutes: 10 to the test-size job at line 218.
sveltejs/svelte /.github/workflows/ci.yml
This workflow executes cross-platform Node.js tests, linting, type checking, and benchmarks on push and pull request events.
- pinned-action-sha: The workflow uses mutable version tags for actions/checkout and actions/setup-node instead of immutable commit SHAs, which can lead to unexpected breaking changes.
- missing-concurrency: The absence of a concurrency group causes redundant, overlapping runs for the same branch, wasting runner minutes and increasing costs.
Add a top-level concurrency block at line 6 to cancel in-
mui/material-ui /.github/workflows/ci.yml
This workflow automates continuous releases and validates development scripts across macOS, Windows, and Ubuntu runners using Node.js and pnpm.
Two cost or reliability smells
- fetch-depth-zero: The checkout step uses fetch-depth: 0 to fetch the full git history, which increases runner execution time and bandwidth usage unnecessarily.
- missing-timeout: The test-dev job lacks a timeout-minutes property, allowing hung processes to consume runner credits for the default six-hour limit.
One concrete fix Add timeout-minutes: 30 to the test-dev job at line 23.
TanStack/query /.github/workflows/pr.yml
This workflow executes distributed tests via Nx Cloud, generates package previews, and manages changeset documentation for pull requests.
- pinned-action-sha: Actions such as actions/checkout@v6.0.2 and TanStack/config/.github/setup@main use mutable tags or branches instead of immutable commit SHAs.
- missing-timeout: All jobs lack a timeout-minutes property, which can lead to runners hanging for up to six hours and incurring significant costs.
Add timeout-minutes: 20 to the test job.
What jumped out
- Every single repo above failed at least one of missing-timeout, missing-concurrency, or pinned-action-sha. Those three rules alone are the meat of the 14 ci-doctor rules.
- Gemini was best at spotting reliability issues ("this matrix has no fail-fast cap, one flake will burn the whole grid") and worst at exact cost math (it consistently undershoots monthly cost vs gha-budget). Use /scan.html for the dollar number; use /ask.html for the "why" and the "how to fix".
- Average response was 350-700 tokens. At Gemini Flash pricing, the entire 10-repo run cost less than three cents.
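The three rules named above can also be checked deterministically, without an LLM. The following is an added example, not code from ci-doctor or the depmedic Worker: a stdlib-only line scan that assumes 2-space, block-style YAML (it is not a full YAML parser), with `audit`, `SAMPLE` and the all-zero SHA being constructed for illustration.

```python
import re

SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
JOB = re.compile(r"^  ([A-Za-z_][\w-]*):\s*(?:#.*)?$")

# Constructed workflow for illustration; the all-zero SHA is a placeholder.
SAMPLE = """\
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
      - uses: ./.github/actions/setup
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
        timeout-minutes: 5
"""

def audit(text):
    """Return (rule, detail) findings; assumes 2-space block-style YAML."""
    findings, timeouts, job, section, top_keys = [], {}, None, None, set()
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            section = body.split(":", 1)[0]
            top_keys.add(section)
        elif section == "jobs" and JOB.match(line):
            job = JOB.match(line).group(1)
            timeouts[job] = False
        elif section == "jobs" and indent == 4 and body.startswith("timeout-minutes:"):
            timeouts[job] = True  # job level only; step-level timeouts sit deeper
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            if not SHA.fullmatch(m.group(1).partition("@")[2]):
                findings.append(("pinned-action-sha", m.group(1)))  # movable ref
    findings += [("missing-timeout", j) for j, ok in timeouts.items() if not ok]
    if "concurrency" not in top_keys:
        findings.append(("missing-concurrency", "workflow"))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The step-level `timeout-minutes: 5` in the `test` job does not satisfy the rule, because a hang in any other step of that job still runs to the job default.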
Try it on your repo
ask depmedic is free for 5 calls per IP per UTC day. Paste your YAML, pick a mode (Explain / Fix / Estimate / Convert), get an answer. Pro is $9/mo on Polar - unlock unlimited.