CI Cost Analysis — GitHub Actions Billing Situation

Status: research-only. This document does NOT constitute legal or tax advice. Before acting on infrastructure spend decisions, verify all vendor pricing directly — rates change frequently and this doc reflects publicly-available data as of 2026-04-25.

TL;DR

The immediate blocker is a $0 spending limit on the GitHub account — setting it to any positive number (even $1) unblocks jobs tonight. The longer question is whether GitHub Pro at $4/month and 3,000 minutes is enough runway, or whether a drop-in third-party runner (WarpBuild or Ubicloud) is cheaper at Raxx's actual burn rate. At current agent-driven PR cadence, GitHub Pro is borderline; a third-party runner likely pays for itself within one month of sustained agent dispatch.

1. Immediate Fix — Unblock Tonight

The error "job was not started because recent account payments have failed or your spending limit needs to be increased" is a spending-limit block, not a payment failure per se. GitHub defaults the overage spending limit to $0 for new/upgraded accounts.

Fix: Settings → Billing & plans → Budgets and alerts → set Actions spending limit from $0 to any positive value (e.g., $10). Jobs resume within minutes. Source: GitHub community discussion #165506, #183940.

If payments actually failed (card declined), update the payment method first, then set the limit.

2. Current Burn Estimate

Workflow inventory (from reading `.github/workflows/*.yml`)

Workflow	Trigger	Jobs	Notes
`ci.yml`	Every PR + push to main	5 parallel jobs: backend-tests, frontend-tests, security-deps, security-sast, security-secrets	npm ci + jest + pip install + pytest
`ci-pr.yml`	Every PR	3 jobs: smoke_suite, commitlint, pr_report	Runs `scripts/ci/run_health_gate.sh`; commitlint is advisory
`pr-preview.yml`	Every PR (path-gated)	detect + up to 2 deploy jobs (antlers, mockups, comment)	Antlers: npm ci + npm run build + Cloudflare deploy. Only fires when frontend or mockups paths change.
`nightly-security-scan.yml`	Nightly 08:07 UTC	1 job with ~6 tool installs + pip + apt installs	Trivy install via apt; full history checkout
`deploy-heroku.yml` / `deploy.yml`	Merge to main	not analyzed in detail	Merge-gated, not PR-gated
`slack-notify.yml`	Event-driven	lightweight	minimal cost
`release.yml`	Tag push	not analyzed in detail	infrequent

Per-PR cost estimate

ci.yml: 5 jobs in parallel, all ubuntu-latest. Estimated per-job: backend-tests (pip install + pytest) ~3-6 min; frontend-tests (npm ci + jest) ~3-6 min; security-deps (pip-audit + npm audit) ~3-5 min; security-sast (bandit) ~2-4 min; security-secrets (gitleaks) ~2-3 min. Wall-clock is parallel so ~6 min elapsed, but billed minutes are summed: ~13-24 min per PR run.
ci-pr.yml: smoke_suite (pip install + node setup + health gate) ~4-8 min; commitlint ~2-3 min; pr_report ~1 min. Billed: ~7-12 min per PR run.
pr-preview.yml: If Antlers path touched — npm ci + build + Cloudflare wrangler deploy ~3-6 min. If not, only detect job (~1 min).
Total per PR (non-frontend): ~20-36 billed minutes. With frontend touches: ~23-42 minutes.

Cadence projection

Recent history: ~15 PRs in 48 hours = ~225 PRs/month at that pace.
Conservative ongoing: ~60-100 PRs/month (agent-dispatch sustained, ~20-40 dispatches/day with some not creating PRs).
Each PR gets 2-3 runs (open + push + re-run on fix).

Cadence assumption	PRs/mo	Runs/PR	Min/run	Total min/mo
Conservative	60	2	20	2,400
Moderate	100	2.5	25	6,250
Current surge	225	2	28	12,600

Plus: nightly scan = ~15-25 min/night = ~450-750 min/month.

Bottom line: Conservative burn is ~2,400-3,000 min/month. Moderate/surge is 6,000-13,000 min/month. The free tier (2,000 min) was already not enough; GitHub Pro (3,000 min) covers only the conservative case.

3. Comparison Table

All costs in USD/month unless noted. "Drop-in" = change runs-on: label only, no workflow rewrite.

Option	Monthly cost	Minutes / quota	Overage rate	Setup time	Ongoing care	Drop-in?	Security posture	Lock-in
GitHub Free (current)	$0	2,000	$0.006/min Linux	0	None	—	GitHub-managed	High
GitHub Pro	$4	3,000	$0.006/min Linux	0	None	—	GitHub-managed	High
GitHub Team (req. Org)	$4/user ($4 solo)	3,000	$0.006/min Linux	Org migration ~1 hr	None	—	GitHub-managed	High
GitHub Enterprise (req. Org)	$21/user	50,000	$0.006/min Linux	Org migration + vetting	None	—	GitHub-managed	High
WarpBuild (cloud runner)	~$0 base + usage	Pay-per-min	$0.004/min (2vCPU)	30 min	None	Yes	WarpBuild-managed	Low
Ubicloud (cloud runner)	~$0 base + usage	Pay-per-min	$0.0008/min (2vCPU)	30 min	None	Yes	Ubicloud-managed	Low
Blacksmith (cloud runner)	~$0 base + 3,000 free min	Pay-per-min	~$0.004/min (2vCPU)	30 min	None	Yes	Blacksmith-managed	Low
Depot	$20/mo base	2,000 GHA min included	pay-per-min above	1-2 hr	None	Yes	Depot-managed	Medium
RunsOn (self-hosted on AWS)	€300/yr (~$28/mo) + AWS EC2	Unlimited (AWS-billed)	~$0.0003-0.0025/min EC2 spot	2-4 hr (CloudFormation)	Low-medium	Yes	Your AWS account	Low
Self-hosted on Hetzner	$5-15/mo VPS	Unlimited	$0 runner cost	3-5 hr	Medium-high	Yes (manual config)	Solo-managed	None
Self-hosted on AWS Lightsail	$10-20/mo	Unlimited	$0 runner cost	3-5 hr	Medium-high	Yes (manual config)	Solo-managed	None
CircleCI	$0 (6k min free) or $15/mo	6,000 min free	~$0.006/min	4-8 hr (workflow rewrite)	Low	No — rewrite	CircleCI-managed	High
Buildkite	$0 runners + you supply compute	Unlimited (your VMs)	Compute cost only	4-8 hr	Medium-high	No — rewrite	Medium	Medium

Notes: - GitHub's proposed $0.002/min self-hosted platform fee (announced Dec 2025 for March 2026) was postponed indefinitely following community backlash. As of 2026-04-25, self-hosted runners on private repos are still free to run. Source: GitHub Changelog Dec 2025, GitHub Changelog Jan 2026. - BuildJet shut down January 2026 — not listed. - Namespace.so/actuated: no current pricing found in public sources — unsourced, confirm directly before relying on them. - WarpBuild BYOC ("bring your own cloud") option is $0.002/min but requires a cloud account.

4. Cost comparison at actual burn

Scenario	GitHub Pro	GitHub Pro + overages	Ubicloud drop-in	WarpBuild drop-in
Conservative 2,400 min	$4 (within quota)	$4	~$2	~$10
Moderate 6,250 min	$4 + $19.50 overage = $23.50	$23.50	~$5	~$25
Surge 12,600 min	$4 + $57.60 = $61.60	$61.60	~$10	~$50

At conservative cadence, GitHub Pro at $4/month is the cheapest option — barely. At moderate or surge cadence, Ubicloud is significantly cheaper and drops in with a one-line runs-on: change.

5. Self-hosted runner security note

GitHub's own documentation warns against self-hosted runners on public repositories because arbitrary PR code could exfiltrate runner credentials. For a private repo with a solo founder, this risk is substantially reduced — no external contributors can push code to trigger a runner. The main residual risk is a supply-chain compromise in a third-party GitHub Action (e.g., a compromised actions/checkout or community action) that reads environment variables. Mitigations: pin all actions to SHA, never put production keys in the runner environment, use OIDC for cloud auth instead of static secrets. Source: GitHub Docs — security hardening.

6. Recommendation

Immediate (tonight): Set the spending limit to $10-25 in GitHub Billing settings. This unblocks all 10 open PRs and costs nothing unless minutes are consumed beyond the existing quota.

Short-term (this week): Upgrade to GitHub Pro ($4/month, 3,000 min). At conservative cadence, this holds. At moderate cadence, set the spending limit to ~$30 to allow overages rather than hitting a block again.

If/when burn exceeds 5,000 min/month consistently: Drop in Ubicloud. It requires only changing runs-on: ubuntu-latest to runs-on: ubicloud-standard-2 (or equivalent) in the workflow files. At $0.0008/min it is roughly 7x cheaper than GitHub's $0.006/min overage rate. At 6,000 min/month that is ~$5 vs $19.50 in overages on top of the $4 Pro plan.

Do not set up RunsOn or a raw self-hosted runner right now. The RunsOn CloudFormation setup and an AWS account layer adds real operational surface for a solo pre-launch founder. Save it for post-launch when burn is predictably high and worth the $28/month flat rate.

Do not migrate to CircleCI or Buildkite. Every workflow is GHA-shaped; the rewrite cost is not justified at this scale.

7. Open questions for Kristerpher

Is the card on file the issue, or purely the $0 spending limit? Go to Settings → Billing → Payment history. If there is a failed charge, the card needs to be updated before the spending limit fix takes effect. If payment history is clean, the spending limit change alone unblocks CI.
What is the actual PR cadence going forward? The surge (15 PRs in 48 hrs) was an agent-driven wave. If agent dispatch settles to 5-10 PRs/day rather than 15+, GitHub Pro likely holds without overages. If it stays at surge, the break-even point on Ubicloud is within the first month.
Are there nightly scan artifacts accumulating storage cost? The nightly scan uploads reports with a 30-day retention window (see nightly-security-scan.yml line 116). Storage is $0.07/GB-month. Confirm the artifact sizes are not adding a material line item — likely negligible but worth checking in Billing → Actions usage.

Sources

GitHub Actions billing documentation
GitHub Actions runner pricing table
GitHub pricing plans page
GitHub Changelog: 2025-12 pricing changes announcement
GitHub Changelog: Jan 2026 reduced hosted-runner prices
RunsOn pricing page
RunsOn blog: GitHub self-hosted runner $0.002/min fee
WarpBuild pricing page
WarpBuild blog: GitHub Actions price change
Northflank blog: GitHub pricing change + alternatives
GitHub community: spending limit / payment-failed fix
GitHub Docs: security hardening for GitHub Actions
Depot pricing (unsourced per-minute detail — confirm directly)
Ubicloud pricing (per-minute from secondary sources — confirm directly)