vercel/next.js (56 findings, $8,215/mo) vs huggingface/transformers (122 findings, $17,055/mo): what the GitHub Actions cost contrast reveals

Live $79 audit on two flagship public repos. Same deterministic engine. Zero LLM-in-the-loop. 2.2× asymmetry tells you what mature OSS still misses.

What the audit actually does

The analyzer is a deterministic static scan over .github/workflows/*.yml plus Dockerfiles, lockfiles, and reusable action definitions. It checks for 10 patterns that account for the bulk of recurring GitHub Actions overspend:

1. Missing actions/cache on heavy dependency installs (node_modules, pip wheels, gradle, cargo). Single biggest leak — re-fetching deps every PR multiplies minutes by N runs.
2. Missing concurrency.cancel-in-progress: true. Push 5 quick commits to a PR? Without cancellation, you run the full test matrix 5 times. Cancel-in-progress reduces this to 1.
3. Test matrix bloat. Running on `[ubuntu-latest, macos-latest, windows-latest]` × `[node 18, 20, 22]` when a single target would catch the same bugs.
4. macOS runners for Linux work. macOS-latest costs 10× the Linux minute rate ($0.08 vs $0.008).
5. Cache-key fragmentation. Different lockfile hash per PR means each PR starts with a cold cache that takes ~5 min to warm.
6. Artifact bloat. Uploading 200MB of node_modules / coverage HTML as build artifact on every run.
7. Self-hosted runner candidates. Heavy jobs (Docker buildx, large test suites) cost 5-10× on GitHub-hosted vs a self-hosted runner.
8. Docker buildx without cache-from/cache-to. Rebuilding the same layers every run.
9. Untargeted actions/checkout with fetch-depth: 0 when shallow clone would work.
10. Heavy actions repeated across jobs (e.g., running setup-node 5 times in a workflow when setup could be shared).

Each finding includes a confidence rating, a $/mo savings estimate calibrated to mid-volume workloads, and a before/after diff snippet paste-able into a PR. Zero LLM-in-the-loop — meaning 100% reproducible findings + zero hallucination risk.

Live demo #1: vercel/next.js (Vercel's flagship)

Run: The audit ran against github.com/vercel/next.js, the React framework Vercel ships and maintains. This is widely considered one of the better-engineered OSS repos in the JS ecosystem — >100K stars, dozens of full-time maintainers, mature CI investment.

Top finding categories: missing actions/cache on several workflow files (Next.js has many workflows for the docs site, the framework, the test matrix), matrix bloat on browser-compat tests, and cancel-in-progress missing on the docs-deploy workflow. None of these are "bugs" in a strict sense — they're cost-leak patterns that built up over years of organic workflow growth.

Live demo #2: huggingface/transformers (the larger contrast)

Run: Same audit, against github.com/huggingface/transformers. The flagship Python ML library, 100K+ stars, deep CI investment because every PR runs significant test suites.

Transformers has roughly 2.2× more findings + 2.1× more $/mo than Next.js. Why? Heavier dependency installs (PyTorch, TensorFlow, JAX optionals), more matrix dimensions (Python version × backend × hardware target), longer-running test suites that benefit more from cache-on-warm, and Docker buildx steps that would dramatically benefit from cache-from/cache-to backend.

What the 2.2× contrast tells you

The point of running on TWO public repos isn't to dunk on either project. Both Next.js and Transformers are excellent. The point is engine-honesty:

• If the engine were a snake-oil dollar-inflater, both repos would surface similar numbers regardless of underlying complexity. Same engine, ~3K-line analyzer, would produce ~equal output.
• If the engine were correctly measuring real waste, the heavier repo (Transformers) would surface proportionally more. That's exactly what happened: 2.2× more findings + 2.1× more $/mo. The dollar density tracks workload density.
• If the engine were padding findings to justify the $79 fee, even simple repos would show $5K+/mo. Vercel's main repo shows $8K — calibrated, not inflated.

This is the same honesty-proof pattern I use across all my audit products (LLM Bill X-Ray, Stripe Webhook Audit, Anthropic Prompt Library Audit, AWS NAT Gateway Audit, Datadog Static Cost Audit, this one). Run on a reference-quality repo + a production repo, compare the contrast, let the customer judge.

What you'd actually fix first (per the report)

The audit ranks findings by $/mo descending. For a typical repo, the top 3 fixes are:

1. Add actions/cache on the heaviest dependency install (usually node_modules or pip). Single-finding savings: $400-$1,200/mo depending on PR volume.
2. Add concurrency.cancel-in-progress: true at the top of every workflow that runs on push/PR. 1-line change × dozens of workflows = $200-$800/mo.
3. Move heavy Docker buildx steps to cache-from: type=gha, cache-to: type=gha,mode=max. $100-$500/mo per Dockerfile that gets built often.

None of these require architectural changes. They're configuration tweaks that compound across every PR run for the lifetime of the repo.

The 30-day re-audit voucher

Every $79 GitHub Actions Cost Audit includes a re-audit voucher: 30 days after delivery, you submit the same repo URL, the analyzer re-runs, and you see which findings closed. If your billing console doesn't show the projected savings landing, refund. The math is verifiable in your next GitHub billing cycle.

Related

• aws-cdk-examples vs terraform-aws-vpc: 68× NAT Gateway cost asymmetry — same engine-honesty pattern, much larger contrast on AWS NAT
• anthropic-cookbook vs litellm: 13× prompt-caching asymmetry — the entry-tier $39 audit's honesty proof
• All 6 audit products + free cost calculators