preactjs/preact - GitHub Actions cost & CI smells

From the depmedic OSS benchmark dataset. Source: public workflow YAML in preactjs/preact/.github/workflows.

Workflows: 8
Per-run $ (modeled): $0.64
Monthly $ @ 30/day: $576
ci-doctor findings: 30
Numbers are modeled: 8 minutes per priced job, 30 runs per day per workflow, 30-day month, GitHub-hosted runner rate sheet. preactjs/preact's real run frequency is unknown to me. Smells, however, are real - they come from parsing the actual YAML.

Findings by rule

Rule                   Hits
pinned-action-sha      9
missing-permissions    8
missing-timeout        7
artifact-no-retention  5
missing-concurrency    1

Per-workflow breakdown

Workflow           Jobs  Per-run $  Findings
pr-reporter.yml    3     $0.19      8
benchmarks.yml     9     $0.06      3
build-test.yml     1     $0.06      4
ci.yml             4     $0.06      4
release.yml        2     $0.06      2
run-bench.yml      1     $0.06      4
single-bench.yml   4     $0.06      2
size.yml           1     $0.06      3

Examples of what ci-doctor reports

pr-reporter.yml · WARN pinned-action-sha
dorny/paths-filter@v3 is not SHA-pinned. Mutable refs let upstream replace the action under you. Pin to a 40-char commit SHA and add a comment with the version. Run `npx pin-actions` to do all pins automatically.
pr-reporter.yml · WARN pinned-action-sha
andrewiggins/tachometer-reporter-action@v2 is not SHA-pinned. Mutable refs let upstream replace the action under you. Pin to a 40-char commit SHA and add a comment with the version. Run `npx pin-actions` to do all pins automatically.
pr-reporter.yml · WARN pinned-action-sha
dawidd6/action-download-artifact@v2 is not SHA-pinned. Mutable refs let upstream replace the action under you. Pin to a 40-char commit SHA and add a comment with the version. Run `npx pin-actions` to do all pins automatically.
benchmarks.yml · WARN pinned-action-sha
andrewiggins/download-base-artifact@v3 is not SHA-pinned. Mutable refs let upstream replace the action under you. Pin to a 40-char commit SHA and add a comment with the version. Run `npx pin-actions` to do all pins automatically.
benchmarks.yml · WARN missing-permissions
No top-level permissions block. GITHUB_TOKEN inherits the repo default, often write-all. Set least-privilege explicitly.
benchmarks.yml · INFO artifact-no-retention
upload-artifact has no retention-days. CI artifacts pile up at the repo default (usually 90d). Set 7-14d unless you need long-term retention.

What you can do

If you maintain preactjs/preact or a similar workflow shape, three patterns probably move the most dollars per minute of work:

  1. Add a concurrency: block with cancel-in-progress: true on every PR-triggered workflow.
  2. Set timeout-minutes on every job (default is 6 hours).
  3. Make sure every setup-* action sets cache: <ecosystem>.
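
As an added example (not a workflow from the preact repository or from the ci-doctor project), here is a minimal PR-triggered workflow that applies the three patterns above together with the pinned-action-sha, missing-permissions and artifact-no-retention findings reported earlier. The job, its steps and the artifact path are assumed, and every SHA in a `uses:` line is a placeholder to be replaced with the real commit for the version you pin.

```yaml
# Added example: a PR-triggered workflow with the five ci-doctor rules addressed.
# Job, steps and paths are assumed; every SHA below is a placeholder.
name: ci

on:
  pull_request:

# missing-permissions: GITHUB_TOKEN gets least privilege instead of the repo default.
permissions:
  contents: read

# missing-concurrency: a new push to the same PR cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    # missing-timeout: fail fast instead of waiting on the 6-hour default.
    timeout-minutes: 15
    steps:
      # pinned-action-sha: a full 40-char commit SHA, with the tag kept in a comment.
      # PLACEHOLDER SHA: replace with the real commit for the version you pin.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          node-version: 20
          cache: npm   # every setup-* action sets cache: <ecosystem>
      - run: npm ci
      - run: npm test
      # artifact-no-retention: keep CI artifacts for 7 days, not the 90-day default.
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          name: test-results
          path: coverage/   # assumed output directory
          retention-days: 7
```

Running `npx ci-doctor` against a workflow shaped like this should report none of the five rules listed in the findings table above.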

Free CLIs that automate the audit and the pin step:

npx ci-doctor             # 14-rule audit
npx ci-doctor --fix       # auto-apply the four safe fixes
npx pin-actions           # pin every uses: ref to a SHA
npx gha-budget            # estimate per-run $ + monthly

Want the full pattern set?

The Cut Your CI Bill cookbook is 30 paste-ready GitHub Actions patterns plus 5 hardened workflow templates. $19, one-time, MIT-licensed templates.

Get the cookbook

About this dataset

Methodology and code: /blog/oss-ci-cost-benchmarks.html. Compare with all 20 repos: /benchmarks.html. This page is regenerated when the benchmark dataset is refreshed.