What 20 popular open-source projects pay for GitHub Actions

2026-04-27 - benchmarks

This is real data, not a survey. I pulled the live .github/workflows directory from 20 widely-used open-source repos via the GitHub API, ran every workflow through gha-budget to price each job at GitHub's published per-runner rates, and ran ci-doctor against the same files to count CI smells.

The headline: 229 workflows, 388 priced jobs, 944 CI smells. Modeled at 30 runs/day and ~8 minutes per job, the combined spend works out to about $51,000/month. The 944 smells are real and counted from the YAML; the dollar number is a model, and your number depends entirely on your real run frequency. 159 additional jobs ran on self-hosted or large runners and could not be priced from the YAML alone, so the modeled total is conservative for the projects that use only standard runners.

The full sortable table is on /benchmarks.html. The interesting parts are below.

Top 10 by monthly spend

Repo                     Per run   Monthly @ 30/day   CI smells
denoland/deno            $18.30    $16,473.60         84
facebook/react           $16.19    $14,572.80         87
vercel/next.js           $4.10     $3,686.40          164
axios/axios              $2.62     $2,361.60          40
storybookjs/storybook    $2.05     $1,843.20          66
microsoft/TypeScript     $1.92     $1,728.00          75
eslint/eslint            $1.54     $1,382.40          40
remix-run/react-router   $1.22     $1,094.40          52
webpack/webpack          $1.15     $1,036.80          25
vitejs/vite              $1.09     $979.20            25

Deno and React lead because their workflows lean heavily on macOS and larger Linux runners for cross-platform builds. macOS minutes are 10x Ubuntu minutes; one matrix expansion of 5x macOS jobs at 8 minutes each is $32 per push.

The CI smells, ranked

ci-doctor recorded 944 findings across all 229 workflows. The distribution is not even. One rule alone accounts for 40% of all findings:

Rule                    Hits   Per priced job
missing-timeout         364    94%
missing-cache           113    29%
pinned-action-sha       91     23%
missing-permissions     80     21%
artifact-no-retention   73     19%
missing-concurrency     52     13%
matrix-overcommit       52     13%
deprecated-action       39     10%
fetch-depth-zero        22     6%
stale-cache-key         19     5%
fail-fast-true          13     3%
expensive-runner        12     3%
always-run-on-pr        10     3%
wide-trigger            4      1%

Three observations that matter for your bill

1. Almost nobody sets a timeout-minutes. 94% of priced jobs have no timeout. GitHub's default is 6 hours. One stuck job at macos-latest burns $28.80 before it gives up. One in 1,000 PRs hits this; in a busy repo that is a real line on the invoice.

2. Setup actions are missing cache: 29% of the time. actions/setup-node, setup-python, setup-java all support cache: npm, cache: pip, cache: gradle as a one-line addition. Re-resolving and re-downloading dependencies per run typically adds 1-3 minutes per job. At 30 runs a day across a 9-job matrix, that is the better part of an hour of paid runner time, every day.

3. concurrency: blocks are rare and worth a lot. 13% of priced jobs hit missing-concurrency. The pattern is six lines:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

In an active PR with 8 pushes, this turns 8 full runs into 1. On a busy repo it is one of the largest single levers available.

The supply-chain side

91 of the workflows used at least one third-party action pinned by tag (actions/checkout@v4) instead of by full commit SHA. That is not a cost issue; it is the exact pattern that the tj-actions/changed-files compromise exploited in 2025. Pinning to SHA with a one-line CI policy fixes it. npx pin-actions rewrites every uses: line in place.
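
A minimal version of the pinned-by-tag check described above, as an added example (it is not the code of ci-doctor or pin-actions): it flags every `uses:` ref that is not a full 40-character commit SHA. The sample workflow, the `example-org` actions, and the SHA in it are constructed placeholders.

```javascript
// Added example: flag `uses:` refs that are not pinned to a full commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Returns [{ line, action, ref }] for every step or reusable-workflow call
// whose ref is a tag, a branch, a short SHA, or missing.
function findUnpinnedActions(workflowYaml) {
  const findings = [];
  workflowYaml.split(/\r?\n/).forEach((text, i) => {
    // Matches "uses: x@ref" and "- uses: x@ref"; commented-out lines do not match.
    const m = text.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const target = m[1];
    // Local actions and docker:// images carry no git ref; they are skipped here.
    if (target.startsWith('./') || target.startsWith('docker://')) return;
    const at = target.lastIndexOf('@');
    const action = at === -1 ? target : target.slice(0, at);
    const ref = at === -1 ? '' : target.slice(at + 1);
    if (!FULL_SHA.test(ref)) findings.push({ line: i + 1, action, ref });
  });
  return findings;
}

// CI gate: true only when every remote action is pinned to a full SHA.
function policyPasses(workflowYaml) {
  return findUnpinnedActions(workflowYaml).length === 0;
}

// Constructed sample workflow; example-org/* and the 40-hex SHA are placeholders.
const SAMPLE = `name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: "example-org/lint@main"
      - uses: ./.github/actions/local-build
      - uses: example-org/deploy@abc1234
  reuse:
    uses: example-org/shared/.github/workflows/build.yml@v2
`;

for (const hit of findUnpinnedActions(SAMPLE)) {
  console.log(`line ${hit.line}: ${hit.action}@${hit.ref || '(no ref)'} is not SHA-pinned`);
}
```

A short SHA such as `abc1234` is flagged along with tags and branches, because only the full 40-character form is accepted as a pin.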

Reproduce this locally

Everything above ran on a laptop in under a minute. The recipe:

# 1. Audit any repo's workflows for the same 11 rules:
npx ci-doctor

# 2. Price the same workflows in dollars:
npx gha-budget --runs-per-day 30 --minutes 8

# 3. Pin every uses: ref to a SHA in place:
npx pin-actions

# 4. Don't want to install? Paste a single workflow into:
#    https://depmedicdev-byte.github.io/audit.html
#    https://depmedicdev-byte.github.io/budget.html

All four CLIs are MIT-licensed, free, and listed on the homepage.

Want the patterns that fix all 11 of these rules?

The Cut Your CI Bill cookbook is the companion to ci-doctor. 30 paste-ready GitHub Actions patterns and 5 hardened workflow templates - including the concurrency, cache, timeout, and matrix patterns this benchmark surfaced as most violated. $19, one-time, MIT-licensed templates.
