gh-aw-fleet 0.2: cost and risk, fleet-wide
The consumption rollup promised at launch shipped with a --budget flag, and the same fleet-wide view caught Renovate and Dependabot quietly fighting gh-aw's own pins.
The launch post ended on a cliffhanger: “a consumption rollup is in flight.” Five patch releases later (v0.2.1 through v0.2.5), it’s shipped, and on the way. We found a second question the per-repo tools couldn’t answer along the way.
the rollup, finished
gh-aw-fleet consumption reads AI-credit usage straight from gh aw logs --json and rolls it up however you want to slice it:
# fleet-wide spend for the trailing 30 days, by cost center
gh-aw-fleet consumption --trailing 30d --by cost-center
# flag anything over its budget before the invoice does
gh-aw-fleet consumption --budget 500
USD is derived at a fixed $0.01 per AI credit, so a number that used to mean
clicking through every repo’s Discussions is now one command. --by repo,
--by profile, or --by workflow if cost-center isn’t the axis you care
about; pass a repo name to drill into just its spend. The --budget flag
(v0.2.5) is the payoff: instead of eyeballing a table for anything that looks
high, the tool tells you which repos crossed a line you set.
why does Renovate keep touching gh-aw’s pins?
Cost was the fleet-wide question I went looking for. This one found me.
gh aw upgrade pins gh-aw-actions to an SHA coupled to the compiler version
baked into each workflow’s lock-file metadata. Renovate and Dependabot don’t
know that: a grep of the fleet’s own history for renovate / packageRules
/ gh-aw-actions turned up nothing. The tool that manages every repo’s pins
had zero visibility into the other bots that also touch those files.
It wasn’t hypothetical. While building the scanner, rshade/finfocus#1246
showed up live: a Dependabot PR bumping gh-aw-actions 0.77.4 → 0.78.3,
rewriting 9+ .lock.yml files it doesn’t own. Renovate can be told to leave
*.lock.yml alone entirely via
matchFileNames;
Dependabot has no file-glob ignore, only
dependency-name,
so its fix is narrower by construction. Two advisory scanners (v0.2.3) now warn if a managed repo’s
renovate.json or dependabot.yml is missing the rule, and hand you the
exact block to paste in.
saying so, three times
A scanner nobody reads is a scanner that didn’t run. Findings from
deploy/sync/upgrade now surface on three independent surfaces:
- stderr, above the summary
- an interactive
y/Nprompt before anything commits (skippable with--yes, which bypasses only the prompt) - a
## Security Findingssection in the PR body itself, so a teammate reviewing the diff sees what you saw in your terminal
--strict escalates a HIGH finding from a warning to a hard stop before
anything lands. It’s opt-in, so a routine run still doesn’t need a flag to
stay dry-run-first.
smaller things
pkg/fleetis a public package now, and the CLI runs on ax-go’s config primitives instead of its own copy, the tool eating its own dogfood.install.sh/install.ps1one-liners, so onboarding a new operator doesn’t start with a Go toolchain.- a real docs site, rshade.github.io/gh-aw-fleet,
on the same
rshade-themeas everything else here.
where it’s at
v0.2.5, still pre-1.0. Cost and risk turned out to be the same shape of
problem: something every per-repo tool is blind to, and the one place with a
view across the whole fleet is fleet.json.