The unlimited repository license allows the use of the PullPreview action for any number of repositories within a GitHub organization.
Why isn't it free? Isn't it just a simple docker-compose up?
Actually it's not :) If it looks simple, then we did a good job. However, there is a fair amount of complexity to orchestrate to get to the point where you have a server running the latest version of the code at all times. You are free to use another solution or code your own, but we are not ashamed of asking for money for something that can take days to implement correctly on your own, without counting the maintenance costs.
How secure is this?
In short: it is very secure, and in a way that is far ahead of any SaaS offering, since we never see your code. Some details:
The PullPreview action itself is fully open-source, which means you can audit the source code to make sure we're not shipping your AWS credentials or your code somewhere. Even the Docker image used for launching the PullPreview code is built within the Action, so you can be sure that what you see in the code is really what gets executed on GitHub.
GitHub Actions don't run for pull requests originating from forked repositories (source). This means your AWS credentials can't be read by an external contributor committing a specially crafted workflow file.
Access to the instances provisioned in your AWS account can be restricted at both the port level and the IP level. For instance, you could allow traffic only from your VPN IP, and only for ports 80 and 443.