Status: research-only. This document does NOT constitute legal or tax advice. Before acting on infrastructure spend decisions, verify all vendor pricing directly — rates change frequently and this doc reflects publicly-available data as of 2026-04-25.
The immediate blocker is a $0 spending limit on the GitHub account — setting it to any positive number (even $1) unblocks jobs tonight. The longer question is whether GitHub Pro at $4/month and 3,000 minutes is enough runway, or whether a drop-in third-party runner (WarpBuild or Ubicloud) is cheaper at Raxx's actual burn rate. At current agent-driven PR cadence, GitHub Pro is borderline; a third-party runner likely pays for itself within one month of sustained agent dispatch.
The error "job was not started because recent account payments have failed or your spending limit needs to be increased" is a spending-limit block, not a payment failure per se. GitHub defaults the overage spending limit to $0 for new/upgraded accounts.
Fix: Settings → Billing & plans → Budgets and alerts → set Actions spending limit from $0 to any positive value (e.g., $10). Jobs resume within minutes. Source: GitHub community discussion #165506, #183940.
If payments actually failed (card declined), update the payment method first, then set the limit.
Workflows (.github/workflows/*.yml)

| Workflow | Trigger | Jobs | Notes |
|---|---|---|---|
| ci.yml | Every PR + push to main | 5 parallel jobs: backend-tests, frontend-tests, security-deps, security-sast, security-secrets | npm ci + jest + pip install + pytest |
| ci-pr.yml | Every PR | 3 jobs: smoke_suite, commitlint, pr_report | Runs scripts/ci/run_health_gate.sh; commitlint is advisory |
| pr-preview.yml | Every PR (path-gated) | detect + up to 2 deploy jobs (antlers, mockups, comment) | Antlers: npm ci + npm run build + Cloudflare deploy. Only fires when frontend or mockups paths change. |
| nightly-security-scan.yml | Nightly 08:07 UTC | 1 job with ~6 tool installs + pip + apt installs | Trivy install via apt; full history checkout |
| deploy-heroku.yml / deploy.yml | Merge to main | not analyzed in detail | Merge-gated, not PR-gated |
| slack-notify.yml | Event-driven | lightweight | minimal cost |
| release.yml | Tag push | not analyzed in detail | infrequent |
- ci.yml: 5 jobs in parallel, all ubuntu-latest. Estimated per-job: backend-tests (pip install + pytest) ~3-6 min; frontend-tests (npm ci + jest) ~3-6 min; security-deps (pip-audit + npm audit) ~3-5 min; security-sast (bandit) ~2-4 min; security-secrets (gitleaks) ~2-3 min. Wall-clock is parallel so ~6 min elapsed, but billed minutes are summed: ~13-24 min per PR run.
- ci-pr.yml: smoke_suite (pip install + node setup + health gate) ~4-8 min; commitlint ~2-3 min; pr_report ~1 min. Billed: ~7-12 min per PR run.
- pr-preview.yml: If Antlers path touched — npm ci + build + Cloudflare wrangler deploy ~3-6 min. If not, only detect job (~1 min).

| Cadence assumption | PRs/mo | Runs/PR | Min/run | Total min/mo |
|---|---|---|---|---|
| Conservative | 60 | 2 | 20 | 2,400 |
| Moderate | 100 | 2.5 | 25 | 6,250 |
| Current surge | 225 | 2 | 28 | 12,600 |
Plus: nightly scan = ~15-25 min/night = ~450-750 min/month.
Bottom line: Conservative burn is ~2,400-3,000 min/month. Moderate/surge is 6,000-13,000 min/month. The free tier (2,000 min) was already not enough; GitHub Pro (3,000 min) covers only the conservative case.
All costs in USD/month unless noted. "Drop-in" = change runs-on: label only, no workflow rewrite.
| Option | Monthly cost | Minutes / quota | Overage rate | Setup time | Ongoing care | Drop-in? | Security posture | Lock-in |
|---|---|---|---|---|---|---|---|---|
| GitHub Free (current) | $0 | 2,000 | $0.006/min Linux | 0 | None | — | GitHub-managed | High |
| GitHub Pro | $4 | 3,000 | $0.006/min Linux | 0 | None | — | GitHub-managed | High |
| GitHub Team (req. Org) | $4/user ($4 solo) | 3,000 | $0.006/min Linux | Org migration ~1 hr | None | — | GitHub-managed | High |
| GitHub Enterprise (req. Org) | $21/user | 50,000 | $0.006/min Linux | Org migration + vetting | None | — | GitHub-managed | High |
| WarpBuild (cloud runner) | ~$0 base + usage | Pay-per-min | $0.004/min (2vCPU) | 30 min | None | Yes | WarpBuild-managed | Low |
| Ubicloud (cloud runner) | ~$0 base + usage | Pay-per-min | $0.0008/min (2vCPU) | 30 min | None | Yes | Ubicloud-managed | Low |
| Blacksmith (cloud runner) | ~$0 base + 3,000 free min | Pay-per-min | ~$0.004/min (2vCPU) | 30 min | None | Yes | Blacksmith-managed | Low |
| Depot | $20/mo base | 2,000 GHA min included | pay-per-min above | 1-2 hr | None | Yes | Depot-managed | Medium |
| RunsOn (self-hosted on AWS) | €300/yr (~$28/mo) + AWS EC2 | Unlimited (AWS-billed) | ~$0.0003-0.0025/min EC2 spot | 2-4 hr (CloudFormation) | Low-medium | Yes | Your AWS account | Low |
| Self-hosted on Hetzner | $5-15/mo VPS | Unlimited | $0 runner cost | 3-5 hr | Medium-high | Yes (manual config) | Solo-managed | None |
| Self-hosted on AWS Lightsail | $10-20/mo | Unlimited | $0 runner cost | 3-5 hr | Medium-high | Yes (manual config) | Solo-managed | None |
| CircleCI | $0 (6k min free) or $15/mo | 6,000 min free | ~$0.006/min | 4-8 hr (workflow rewrite) | Low | No — rewrite | CircleCI-managed | High |
| Buildkite | $0 runners + you supply compute | Unlimited (your VMs) | Compute cost only | 4-8 hr | Medium-high | No — rewrite | Medium | Medium |
Notes:
- GitHub's proposed $0.002/min self-hosted platform fee (announced Dec 2025 for March 2026) was postponed indefinitely following community backlash. As of 2026-04-25, self-hosted runners on private repos are still free to run. Source: GitHub Changelog Dec 2025, GitHub Changelog Jan 2026.
- BuildJet shut down January 2026 — not listed.
- Namespace.so/actuated: no current pricing found in public sources — unsourced, confirm directly before relying on them.
- WarpBuild BYOC ("bring your own cloud") option is $0.002/min but requires a cloud account.
| Scenario | GitHub Pro | GitHub Pro + overages | Ubicloud drop-in | WarpBuild drop-in |
|---|---|---|---|---|
| Conservative 2,400 min | $4 (within quota) | $4 | ~$2 | ~$10 |
| Moderate 6,250 min | $4 + $19.50 overage = $23.50 | $23.50 | ~$5 | ~$25 |
| Surge 12,600 min | $4 + $57.60 = $61.60 | $61.60 | ~$10 | ~$50 |
At conservative cadence, GitHub Pro at $4/month is the cheapest option — barely.
At moderate or surge cadence, Ubicloud is significantly cheaper and drops in with a one-line runs-on: change.
GitHub's own documentation warns against self-hosted runners on public repositories because arbitrary PR code could exfiltrate runner credentials. For a private repo with a solo founder, this risk is substantially reduced — no external contributors can push code to trigger a runner. The main residual risk is a supply-chain compromise in a third-party GitHub Action (e.g., a compromised actions/checkout or community action) that reads environment variables. Mitigations: pin all actions to SHA, never put production keys in the runner environment, use OIDC for cloud auth instead of static secrets. Source: GitHub Docs — security hardening.
Immediate (tonight): Set the spending limit to $10-25 in GitHub Billing settings. This unblocks all 10 open PRs and costs nothing unless minutes are consumed beyond the existing quota.
Short-term (this week): Upgrade to GitHub Pro ($4/month, 3,000 min). At conservative cadence, this holds. At moderate cadence, set the spending limit to ~$30 to allow overages rather than hitting a block again.
If/when burn exceeds 5,000 min/month consistently: Drop in Ubicloud. It requires only changing runs-on: ubuntu-latest to runs-on: ubicloud-standard-2 (or equivalent) in the workflow files. At $0.0008/min it is roughly 7x cheaper than GitHub's $0.006/min overage rate. At 6,000 min/month that is ~$5 vs $19.50 in overages on top of the $4 Pro plan.
Do not set up RunsOn or a raw self-hosted runner right now. The RunsOn CloudFormation setup and an AWS account layer add real operational surface for a solo pre-launch founder. Save it for post-launch when burn is predictably high and worth the $28/month flat rate.
Do not migrate to CircleCI or Buildkite. Every workflow is GHA-shaped; the rewrite cost is not justified at this scale.
Is the card on file the issue, or purely the $0 spending limit? Go to Settings → Billing → Payment history. If there is a failed charge, the card needs to be updated before the spending limit fix takes effect. If payment history is clean, the spending limit change alone unblocks CI.
What is the actual PR cadence going forward? The surge (15 PRs in 48 hrs) was an agent-driven wave. If agent dispatch settles to 5-10 PRs/day rather than 15+, GitHub Pro likely holds without overages. If it stays at surge, the break-even point on Ubicloud is within the first month.
Are there nightly scan artifacts accumulating storage cost? The nightly scan uploads reports with a 30-day retention window (see nightly-security-scan.yml line 116). Storage is $0.07/GB-month. Confirm the artifact sizes are not adding a material line item — likely negligible but worth checking in Billing → Actions usage.