<p>This week on <strong>Ship It Weekly</strong>, Brian looks at how the “platform tax” is showing up everywhere: pricing model shifts, CI dependencies, and new security boundaries thanks to AI agents.</p><p>We start with GitHub Actions. GitHub announced a new “cloud platform” charge for self-hosted runners in private/internal repos… then hit pause after backlash. Hosted runner price reductions for 2026 are still planned. We also got the perfect timing joke: a GitHub incident the same week.</p><p>Next up is HashiCorp. Legacy HCP Terraform (Terraform Cloud) Free is reaching end-of-life in 2026, with orgs moving to the newer Free tier capped at 500 managed resources. If you’re running real infrastructure, this is a good moment to audit what you’re actually managing and decide whether you’re cleaning up, paying, or planning a migration.</p><p>Then we talk PromptPwnd: why stuffing untrusted PR/issue text into AI agent prompts (inside CI) can turn into a supply chain/security problem. The short version: treat AI inputs like hostile user input, keep tokens/permissions minimal, and don’t let agents “run with scissors.”</p><p>We also cover the Home Depot report about long-lived access exposure as a reminder that secrets hygiene, blast radius, and detection still matter more than the shiny tools.</p><p>In the lightning round: CDKTF is sunset/archived, Bitbucket is cleaning up free unused workspaces, and SourceHut is proposing pricing changes. We wrap with a human note on “platform whiplash” and why a simple watchlist beats carrying all this stuff in your head.</p><p><strong>Links from this episode</strong></p><p>GitHub Actions pricing + pause <a target="_blank" rel="noopener noreferrer nofollow" href="https://runs-on.com/blog/github-self-hosted-runner-fee-2026/">https://runs-on.com/blog/github-self-hosted-runner-fee-2026/</a> <a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/github/status/2001372894882918548">https://x.com/github/status/2001372894882918548</a> <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.githubstatus.com/incidents/x696x0g4t85l">https://www.githubstatus.com/incidents/x696x0g4t85l</a></p><p>HashiCorp / Terraform Cloud free plan changes <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/hashicorp/terraform-cdk?tab=readme-ov-file#sunset-notice">https://github.com/hashicorp/terraform-cdk?tab=readme-ov-file#sunset-notice</a> <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.reddit.com/r/Terraform/s/slYm77wzYr">https://www.reddit.com/r/Terraform/s/slYm77wzYr</a></p><p>PromptPwnd / AI agents in CI <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents">https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents</a></p><p>Home Depot access exposure report <a target="_blank" rel="noopener noreferrer nofollow" href="https://techcrunch.com/2025/12/12/home-depot-exposed-access-to-internal-systems-for-a-year-says-researcher/">https://techcrunch.com/2025/12/12/home-depot-exposed-access-to-internal-systems-for-a-year-says-researcher/</a></p><p>Bitbucket cleanup <a target="_blank" rel="noopener noreferrer nofollow" href="https://community.atlassian.com/forums/Bitbucket-articles/Bitbucket-cleanup-of-free-unused-workspaces-what-you-need-to/ba-p/3144063">https://community.atlassian.com/forums/Bitbucket-articles/Bitbucket-cleanup-of-free-unused-workspaces-what-you-need-to/ba-p/3144063</a></p><p>SourceHut pricing proposal <a target="_blank" rel="noopener noreferrer nofollow" href="https://sourcehut.org/blog/2025-12-01-proposed-pricing-changes/">https://sourcehut.org/blog/2025-12-01-proposed-pricing-changes/</a></p>