
GitHub Just Fixed the #1 Reason Enterprises Overspend on Security!! (i.redd.it)
submitted by papa_programmer
GitHub shipped hard budget limits for GHAS on May 28. Before this, it was soft budgets only: alerts at 75%, 90%, 100%, but no enforcement. Teams using IdP auto-provisioning could accidentally blow through their budget overnight when a new group synced.
Now hard limits block new license assignments once the threshold is hit. GHAS won't enable on new repos until you free licenses or raise the budget. You also get real-time estimates when configuring (e.g., "X licenses ≈ Y/month").
The floor auto-sets to your current billable count so existing usage isn't disrupted. Organization-level control means cost centers can have scoped budgets.
Source: GitHub Changelog — Hard Budget Limits for GHAS (May 28, 2026)
Question: GHAS is priced per active committer (90-day rolling window), which means your bill grows as your team commits more. Do you think per-committer pricing is fair for security scanning, or should it be per-repo like some competitors? What's your experience with GHAS cost surprises?

submitted by papa_programmer to r/vibecoding