depmedic / benchmarks / expressjs/express

expressjs/express - GitHub Actions cost & CI smells

From the depmedic OSS benchmark dataset. Source: public workflow YAML in expressjs/express/.github/workflows.

Workflows
4
Per-run $ (modeled)
$0.38
Monthly $ @ 30/day
$345.6
ci-doctor findings
18
Numbers are modeled: 8 minutes per priced job, 30 runs per day per workflow, 30-day month, GitHub-hosted runner rate sheet. expressjs/express's real run frequency is unknown to me. Smells, however, are real - they come from parsing the actual YAML.

Findings by rule

RuleHits
missing-timeout7
missing-cache3
deprecated-action2
matrix-overcommit2
missing-concurrency2
always-run-on-pr2

Per-workflow breakdown

Workflow Jobs Per-run $ Findings
ci.yml 3 $0.13 7
codeql.yml 1 $0.13 4
legacy.yml 2 $0.06 5
scorecard.yml 1 $0.06 2

Examples of what ci-doctor reports

ci.yml · WARN missing-cache
actions/setup-node has no cache option. Add 'with: cache: <ecosystem>' to skip dep re-downloads. Saves 30-90 seconds per run.
ci.yml · WARN missing-cache
actions/setup-node has no cache option. Add 'with: cache: <ecosystem>' to skip dep re-downloads. Saves 30-90 seconds per run.
ci.yml · WARN missing-timeout
Job 'lint' has no timeout-minutes. Default is 360 (6h). A hung job can drain your CI budget.
codeql.yml · WARN missing-concurrency
No top-level concurrency block. New pushes will not cancel in-flight runs of stale commits, doubling spend on rapid-push branches.
codeql.yml · WARN missing-timeout
Job 'analyze' has no timeout-minutes. Default is 360 (6h). A hung job can drain your CI budget.
codeql.yml · INFO always-run-on-pr
codeql analysis step in job 'analyze' runs on every PR with no paths filter or condition. Consider gating it on changed files or a label.

What you can do

If you maintain expressjs/express or a similar workflow shape, three patterns probably move the most dollars per minute of work:

  1. Add a concurrency: block with cancel-in-progress: true on every PR-triggered workflow.
  2. Set timeout-minutes on every job (default is 6 hours).
  3. Make sure every setup-* action sets cache: <ecosystem>.

Free CLIs that automate the audit and the pin step:

npx ci-doctor             # 14-rule audit
npx ci-doctor --fix       # auto-apply the four safe fixes
npx pin-actions           # pin every uses: ref to a SHA
npx gha-budget            # estimate per-run $ + monthly

Want the full pattern set?

The Cut Your CI Bill cookbook is 30 paste-ready GitHub Actions patterns plus 5 hardened workflow templates. $19, one-time, MIT-licensed templates.

Get the cookbook

About this dataset

Methodology and code: /blog/oss-ci-cost-benchmarks.html. Compare with all 20 repos: /benchmarks.html. This page is regenerated when the benchmark dataset is refreshed.