Anyone else get a vague GitHub shakedown notice?

(lists.osgeo.org)

41 points | by jjgreen 2 hours ago

9 comments

  • Aurornis 53 minutes ago
    I'm a GitHub admin. Did not receive this e-mail. We don't have the GitHub Code Quality feature enabled anywhere, though.

    The e-mail seems clear: Someone enabled the feature in the organization. The feature was in free preview, but the free preview is ending. If they leave it enabled, it will be billed at the new rate.

    It's pretty clear that "organization" is being used throughout the e-mail, so they're not referring to this person's free personal GitHub account.

    • drnick1 27 minutes ago
      How can you possibly bill someone without billing information?
      • Aurornis 15 minutes ago
        > How can you possibly bill someone without billing information?

        The person is confused. They're not getting billed.

        The organization's responsible billing contact would get billed.

        This feature can't even be enabled on free, personal accounts.

      • sandeepkd 12 minutes ago
        Its just a normal letter containing the details on what to expect, its more of a heads-up than a shake down to me. If the billing information is not there and account still continue to use the feature then the account would be disabled or something similar. Question is, should the email have all the if-else situations, probably not feasible.
      • theamk 15 minutes ago
        > GitHub Code Quality is available for organization-owned repositories on GitHub Team and GitHub Enterprise Cloud plans.

        Both of those are paid plans, so the billing information available. As the message says, this email is not for individual user, but rather for github org admin. I guess someone made the poster an admin, they are receiving admin-only messages and are freaking out now?

  • andai 1 hour ago
    This links to this, which says

    https://docs.github.com/en/code-security/concepts/about-code...

    > GitHub Code Quality is currently in public preview and will become generally available on July 20, 2026. During public preview, Code Quality scans will consume GitHub Actions minutes but you will not be billed for other usage. From July 20, 2026, usage will incur additional charges. See GitHub Code Quality billing.

    >If you want to avoid charges, disable Code Quality before July 20, 2026. See Disabling GitHub Code Quality.

    https://docs.github.com/en/code-security/how-tos/maintain-qu...

    >( Repo > Settings > Code Quality)

    I don't see that tab, so either the docs are out of date, and it's called something else now, or it's not on all accounts/all repos. (Due to being in preview?) I don't know.

    • Aurornis 50 minutes ago
      > I don't see that tab, so either the docs are out of date, and it's called something else now, or it's not on all accounts/all repos.

      Correct. It's only for certain plans like GitHub Team and Enterprise Cloud.

      The weird part about this e-mail is that they said they recently left some organizations because "the tone of the paid services" increased. So either they're still a member of one of these organizations, or GitHub mistakenly sent the e-mail to past members?

    • drcongo 1 hour ago
      It's probably now called CoPilot Code CoPilot Quality CoPilot™. Do you see that anywhere in your settings?
  • cush 3 minutes ago
    > More details are available in our documentation ( https://docs.github.com/code-security/concepts/about-code-qu... ).

    ^^^

  • dumbfoundded 1 hour ago
    It sounds like they gave you a feature for free you didn't want, and now are trying to charge for it. Very much a dark pattern.
    • Aurornis 49 minutes ago
      The person writing this doesn't have the feature. It would have had to be enabled by someone on a GitHub org they were a member of.

      It's not even available on personal free plans like the person says they have. Either the e-mail was sent in error, or it's enabled by someone else in an organization they're a member of.

  • dewey 1 hour ago
    What about this email is a "shakedown"?
    • Aurornis 40 minutes ago
      The wording could have been more clear: Instead of "what you'll pay" it should have said "what your organization will pay".

      Everything else about the e-mail is clear that it's about the organization, though. I don't know why this person would think they're going to start getting bills "per committer" of the organization where they're not already the responsible party for billing. Like GitHub just decided that they're going to start billing this one person for every committer in the org, but only for this one feature?

    • pocksuppet 1 hour ago
      The part where it says they are about to start taking your money?
      • dewey 1 hour ago
        Sending a billing notification to someone who has no billing information on file, but is part of an organization where someone probably enabled that beta feature ("You're receiving this because your organization is using the GitHub Code Quality public preview.") isn't a shakedown.
        • bobmcnamara 48 minutes ago
          Christ it's the airport bellhop scam:

          Someone appears, gives you a service unprompted(carries your bag of spams some AI code reviews), them later demands payment.

          • dewey 41 minutes ago
            Did you even read the email? It's an extremely boring standard billing notification that explains exactly why that person received it "You're receiving this because your organization is using the GitHub Code Quality public preview." and when it would be come into affect.

            It's not a small print somewhere, or one of these weekly app store subscriptions that run up high bills because someone clicked "Yes" in a game.

            It's like calling a Netflix renewal email a "shakedown" just because they send you an email giving you a heads up that your trial will convert into a paid subscription.

          • otterley 18 minutes ago
            You don’t have to pay if you stop using the feature. This is a huge nothing-burger.
      • theamk 11 minutes ago
        That featur is opt-in: someone had to check a checkbox somewhere to enable it.

        And yeah, that how the businesses work: you opt-in to feature, then you start paying for it. Sometimes the latter part is delayed, in which case it's a good style to send heads-up email about it. Nothing unusual or scammy about it.

    • drcongo 1 hour ago
      I was thinking the same thing, but I think it's down to this person not actually using the thing that GitHub are saying is moving to a paid service. It's hard to stop using something you don't use.
  • hkchad 6 minutes ago
    Uh? What? Shakedown? You enabled a free preview of a paid service, they are now letting you know what it will cost to continue to use a paid for service, how on earth is this a 'shake down'? GitHub deserves a lot of crap, but not for this.
  • OptionOfT 1 hour ago
    I got the same email, and I don't have a credit card on file with them. I wonder what they're going to do?
    • Aurornis 46 minutes ago
      The e-mail is pretty clear that it's about an organization. You can't even enable this feature on free personal accounts.

      It must be some organization you're a member of.

    • echoangle 1 hour ago
      Is this really the normal way to do this in the US? Does no billing info mean you’re immune? If they have your real name in Germany, they would just send it to collections and get their money if you really owe them something, even if they don’t have a way to charge it directly themselves.
      • iamnothere 47 minutes ago
        This would be fairly uncommon for consumer facing services in the US, outside of medical services.

        I guess if you signed up for a cell phone contract and didn’t pay after the first month, and didn’t have a billing method set, it would go to collections. Things like that are generally uncommon though. It usually only happens with things like medical services, loans, auto repair, home repair/contractor services, and contractual services such as cell phone plans and utilities. (Contractors and mechanics may actually take out a lien.) Usually this only happens when there’s larger sums of money at stake or when it’s a large company with an airtight contract and a well-staffed billing department.

        Things like consumer software subscriptions don’t usually involve this risk, there have been exceptions but consumers don’t like it and tend to punish it.

      • literallyroy 50 minutes ago
        Generally yes, though I remember seeing a post on hacker news in the past month where a SAAS sent an invoice after the free trial ended rather than terminating it.

        I always expect a failed billing or no billing info after a trial to cancel and not be pursued (I regularly do trials with a temp card that I immediately de-activate so it cannot be billed in case I forget to cancel)

      • picofarad 52 minutes ago
        Yeah, as far as I know. Also github doesn't have my real name, for instance. I am sure they could know it, but I never agreed to any billing, either.
      • forsalebypwner 49 minutes ago
        For the vast majority of services, yes
  • jjgreen 2 hours ago
    A QGIS-Developer post, original title anyone else get a vague github shakedown notice? is this about qgis?
  • pocksuppet 1 hour ago
    No, I didn't, because I quit GitHub when they started demanding mandatory SMS 2FA
    • graton 58 minutes ago
      > No, I didn't, because I quit GitHub when they started demanding mandatory SMS 2FA

      They haven't demanded that of me. I have 2FA with a Yubikey and a TOTP app.

      I don't ever recall giving them my phone number.

    • thenewnewguy 1 hour ago
      Huh? Just to make sure I wasn't missing something, I checked and my GitHub account has only a TOTP app and hardware security key configured, no SMS/phone number.

      As a matter of fact GH even has a red "Less secure" badge on the SMS 2FA in the settings discouraging its use, as well as the following text in the description: "We strongly advise against using SMS because it is susceptible to interception, does not provide resistance against phishing attacks, and deliverability can be unreliable."

      • pocksuppet 29 minutes ago
        This option must have been added later.
        • entrope 25 minutes ago
          U2F was always an option, because I used it since they added the MFA requirement (and like others here never gave Github my phone number). I think TOTP was also available from the start. The warning to not use SMS for MFA might have been added later.