AI coding costs more than you think

Auto DevOps builder image moves from heroku/builder:22 to :24 as part of GitLab 19.0's breaking changes rolling out to GitLab.com May 4–6. Pipelines using the default builder image without a pinned tag will automatically pick up :24; verify apps build cleanly against the new base before the rollout completes.
Two CI job token API endpoints are deleted in 19.0: the ciJobTokenScopeAddProject GraphQL mutation and the ci_job_token_scope_enabled REST attribute are removed entirely. Any pipeline tooling or automation scripts hitting these endpoints will fail post-upgrade.
Self-managed teams must externalize PostgreSQL, Redis, and MinIO before upgrading — the bundled versions are no longer supported at 19.0. GitLab.com teams are unaffected; this is a self-managed-only hard requirement with no grace period.

GitHub's Merge Queue corrupted commits for 2,092 pull requests across 658 repositories on April 23 — squash merges in groups of more than one PR inadvertently reverted previously merged changes, per the CTO's incident post-mortem. Standard merges and rebase were unaffected. All commits were retained in Git, but affected default branches required manual repair.
GitHub planned for 10X capacity growth starting October 2025; by February it needed 30X. The driver: agentic development workflows accelerating sharply since December 2025, with PRs, commits, API calls, and large-monorepo workloads all compounding simultaneously. April uptime is now below 85%, down from ~90% in 2025.
An April 27 Elasticsearch overload — attributed to a botnet attack — took down search-backed surfaces across pull requests, issues, and projects. Git operations and APIs were unaffected. CTO Vlad Fedorov stated the remediation priority order: "availability first, then capacity, then new features" — and confirmed the Azure migration has helped, not caused, the scaling issues.

Starting June 1, each Copilot code review on a private repo triggers both AI Credits and GitHub Actions minute consumption — because the review agent runs on GitHub-hosted runners. Public repos are unaffected. Applies to Copilot Pro, Pro+, Business, and Enterprise — including reviews from non-licensed users billed via direct org billing.
All Copilot plans simultaneously move from premium request units (PRUs) to usage-based AI Credits on June 1, per GitHub's billing announcement. No plan price changes, but consumption shifts from fixed request pools to metered usage. Billing admins should audit Actions minute budgets and set spending limits before the new pattern kicks in — one team cited in a GitHub Actions vs. Azure DevOps comparison received a bill three times higher than expected after missing concurrent job limits.

Dagger now generates lockfiles for CI — pinning container image digests, git commit SHAs, and HTTP fetch checksums — per the Dagger changelog. The same lockfile produces the same environment regardless of when the pipeline runs or what upstream tags resolve to, addressing a root cause of the mutable-tag supply chain attacks that compromised Trivy and tj-actions (covered in prior issues).
Cloud Checks (early access) replaces CI YAML with direct Git integration: push a commit, Dagger runs the pipeline without touching .github/workflows or .gitlab-ci.yml. Cloud Engines adds managed, auto-scaling compute with distributed caching — no self-hosted runner fleet to provision or maintain.
BuildKit is out; Dagger's native engine is in, delivering 80% faster git fetches as a direct result of the replacement. Expanded secret providers are also included, extending coverage to additional vault and secret manager integrations.

Faros AI telemetry across 22,000 developers shows a 242.7% rise in incidents per pull request under high AI adoption, per an analysis stress-testing Google DORA's AI ROI calculator against two years of system data. Monthly incidents are up 57.9%; bugs per developer up 54%. DORA surveys show developers feel code quality has improved — the telemetry contradicts this at every measure. (Previously: DORA data showed a -7.2% system-level stability drop correlated with AI adoption — Faros now quantifies the mechanism: larger, less-reviewed batches.)
31.3% more pull requests are merging without any review — a process failure invisible to survey-based measurements. The same dataset shows PR sizes growing: files changed per PR up 51.3%, files per PR up 59.7%. Code churn is up 861% in high-adoption environments. Both DORA and Faros identify a "senior engineer tax" — the cognitive overhead of reviewing structurally complex AI-generated code that appears idiomatic but contains downstream logical failures.
The ROI math flips when quality costs enter the model. Applying telemetry-informed inputs to DORA's calculator — 12-month J-curve, 3× change failure rate, flat deployment frequency — produces a first-year benefit of -$3.46M and -18.9% ROI versus DORA's default +39.2%. The most sensitive single input: J-curve duration. Extending it from 3 to 12 months alone swings ROI from +39.2% to -36.2%, before any quality cost adjustments.

Get CI/CD & Release Engineering Briefing in your inbox