GitHub just announced that all Copilot plans will move to usage-based billing on June 1, 2026. Same monthly price, but now every chat, every code review, every agentic workflow burns tokens from a credit pool. One company ran the numbers on their 28-day usage and found their costs would jump from under $1,000/month to over $18,000/month. New sign-ups for Pro and Pro+ are paused entirely. Opus 4.5 and 4.6 are being removed. Code review now consumes both AI Credits and GitHub Actions minutes — double-billed for the same feature.

I'm sharing this because we saw it coming. Not this specific change — but the pattern.

We removed GitHub from our deployment pipeline three months ago. Not because we were predicting pricing changes. Because we were looking at a different problem: supply chain security.

What Our Pipeline Used to Look Like

Our code went through seven trust boundaries to reach production: dev machine → git push → GitHub → GitHub Actions runner → build step → deploy step → Azure. Every one of those is an attack surface. In March 2025, the tj-actions supply chain attack compromised 23,000 repositories through a single poisoned GitHub Action. Developers who did nothing wrong had their CI/CD secrets stolen.

We decided seven trust boundaries was six too many.

What It Looks Like Now

Two trust boundaries. Our secured development machine and Azure, connected through Entra ID with passwordless, hardware-backed MFA. That's it. No shared runners. No third-party actions. No secrets stored in GitHub. No build step that pulls packages from the internet without verification.

We still use GitHub — but only for code backup and pull request reviews. It never touches production. It never sees our secrets. It never runs our code.

Why This Matters Beyond Security

The GitHub Copilot pricing change reveals a deeper pattern: platform dependency is a business risk. When your deployment pipeline runs through GitHub Actions, your pricing model is locked to GitHub's pricing model. When your code review runs through Copilot, your code review cost is whatever GitHub decides to charge next quarter.

We use Claude Code for our AI-assisted development. We route complex tasks through Opus, quick tasks through Sonnet, and tedious formatting through free open-source models. If any one provider changes pricing or goes down, our fallback chain kicks in. No single provider has leverage over our operation.

What I'd Recommend

If you're evaluating your development infrastructure right now, here's what I'd consider:

  1. Count your trust boundaries. Every system between your code and production is a dependency you don't fully control. Fewer is better.
  2. Separate your code hosting from your deployment pipeline. Git is excellent for version control. That doesn't mean your CI/CD should run there too.
  3. Own your AI tooling strategy. Direct API access to multiple models gives you negotiating power. A single-vendor AI subscription gives THEM negotiating power.
  4. Calculate your actual token costs. If you're using Copilot for agentic workflows, run the numbers on what usage-based billing will cost you in June. Then compare that to direct API access at published rates.
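One way to start on items 1 and 2 for a repository that still runs GitHub Actions, as an added example rather than the author's own tooling: a script that inventories every action a workflow pulls in, flags owners outside a first-party allowlist, and notes whether each reference is fixed to a full commit SHA. The allowlist, the function names and the sample workflow with its placeholder owners are constructed assumptions.

```python
import re

# Matches a `uses:` reference at step or job level, e.g. "- uses: owner/repo/path@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: owners treated as first-party. Adjust to your own policy.
FIRST_PARTY_OWNERS = {"actions", "github"}

def audit_workflow(text, own_org=None):
    """Return one finding per external action referenced in a workflow file."""
    trusted = FIRST_PARTY_OWNERS | ({own_org.lower()} if own_org else set())
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./"):  # action stored in the same repository
            continue
        if ref.startswith("docker://"):  # container image: immutable only by digest
            owner, pinned = ref.split("@")[0], "@sha256:" in ref
        else:
            target, _, version = ref.partition("@")
            owner = target.split("/")[0].lower()
            # A tag or branch can be repointed by whoever controls the action's
            # repository; only a full commit SHA names fixed content.
            pinned = bool(FULL_SHA_RE.match(version))
        findings.append({"ref": ref, "owner": owner,
                         "third_party": owner not in trusted, "pinned": pinned})
    return findings

def count_external_owners(findings):
    """Distinct third-party owners whose code runs inside the job."""
    return len({f["owner"] for f in findings if f["third_party"]})

# Constructed sample workflow; owners and action names are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/changed-files@v1
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: other-vendor/deploy/azure@main
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE)
    for f in results:
        print(f"{f['ref']:72} third_party={f['third_party']} pinned={f['pinned']}")
    print("third-party owners:", count_external_owners(results))
```

Each distinct third-party owner in the output is one more party whose code runs next to your CI/CD secrets, which makes the "count your trust boundaries" exercise concrete for the Actions layer.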

The move to usage-based billing isn't necessarily wrong — it aligns cost with value. But it removes the predictability that made Copilot attractive in the first place. For teams that use AI heavily in code review and agentic workflows, the math may no longer work.

We made our decision months ago for security reasons. The pricing changes just made it look prescient.
