Exploring Solutions to Tackle Low-Quality Contributions on GitHub

[moraesc]

Hey everyone,

I wanted to provide an update on a critical issue affecting the open source community: the increasing volume of low-quality contributions that is creating significant operational challenges for maintainers.

We’ve been hearing from you that you’re dedicating substantial time to reviewing contributions that do not meet project quality standards for a number of reasons - they fail to follow project guidelines, are frequently abandoned shortly after submission, and are often AI-generated. As AI continues to reshape software development workflows and the nature of open source collaboration, I want you to know that we are actively investigating this problem and developing both immediate and longer-term strategic solutions.

What we're exploring

We’ve spent time reviewing feedback from community members, working directly with maintainers to explore various solutions, and looking through open source repositories to understand the nature of these contributions. Below is an overview of the solutions we’re currently evaluating.

Short-term solutions:

• Configurable pull request permissions - This has been a long-standing request (since 2016) and is a first step in giving maintainers more tools to customize their PR experience. Repository owners will be able to control pull request access at a more granular level by restricting contributions to collaborators only or disabling PRs for specific use cases like mirror repositories. This also eliminates the need for custom automations that various open source projects are building to manage contributions.
• The ability to delete a PR from the UI - This provides maintainers with the ability to remove spam or low-quality PRs directly from the interface to improve repository organization.

Long-term direction:

As AI adoption accelerates, we recognize the need to proactively address how it can potentially transform both contributor and maintainer workflows. We are exploring:

• Enhanced permission models - Provide maintainers with more tools so they can customize their PR experience:
  • More granular controls for determining who can create and reviewing PRs beyond blocking all users or restricting to collaborators only.
  • Ways for maintainers to define criteria that PRs must meet before they can be opened.
• Improved triage tools - Potentially leveraging AI to evaluate contributions against project guidelines and standards to identify which contributions maintainers should focus on reviewing.
• Transparency in AI-assisted contributions - Improved visibility and attribution when AI tools are used throughout the PR lifecycle.

Next Steps

These are some starting points, and we’re continuing to explore both immediate improvements and long-term solutions. Please share your feedback, questions, or concerns in this thread. Your input is crucial to making sure we’re building the right things and tackling this challenge effectively. As always, thank you for being part of this conversation. Looking forward to hearing your thoughts and working together to address this problem.

[xavidop]

such a great intiative

[patrickhlauke]

explore solutions to tackle this sort of low-effort spammy crap as well, maybe...

[PaulNewton]

@patrickhlauke I'd also like to have a way to quickly block this type nonsense without having to build userscripts.
For real this is like "who's here in 2026" engagement bait and it should just be qualify as spam not upvoted over everything.
But the people upvoting are part of why so much spam exists too and i'd like to be able to block them all.

[xavidop]

I know this is a pretty ambitious idea and not trivial to implement, but it would be really powerful to have an AI-detection mechanism with a configurable threshold at the repository or organization level. That way, teams could decide what percentage of AI-generated code is acceptable in pull requests.

Another possible approach would be to define a set of rules or prompts and evaluate pull requests against them. PRs that don’t meet those rules could be automatically flagged or potentially even closed.

[moraesc]

Another possible approach would be to define a set of rules or prompts and evaluate pull requests against them. PRs that don’t meet those rules could be automatically flagged or potentially even closed.

This is definitely something we’re exploring. One idea is to leverage a repository’s CONTRIBUTING.md file as a source of truth for project guidelines and then validate PRs against any defined rules.

In regards to AI-generated code, have you seen cases where the code is AI-generated but still high-quality and actually solves the problem? Or is it always just something you want to close out immediately? I'm curious if an AI-detection mechanism would rule out PRs where AI is used constructively, but interested in investigating this more and understanding what sensible would thresholds look like.

[PaulNewton]

"AI-detection" is a backwards approach to a human problem filled with false positives.
Any system good enough to actually identify AI is a system that can be used to train undetectable AI and that would encourage MORE spam.
QED

The only actual test that ends up mattering is whether the code works and the contributor is allowed to contribute that code.
And that is the problem, code that doesn't work wasting humans time on slop.
The goal is less AI noise not more insisting on itself at every point in the maintainers life.

[who]

Judge work on its merits and its logic, no matter if the source is human, AI, or a combination thereof.

[xavidop]

As of today, I would say that 1 out of 10 PRs created with AI is legitimate and meets the standards required to open that PR. On 28 Jan 2026, at 18:41, Camilla Moraes ***@***.***> wrote:  Another possible approach would be to define a set of rules or prompts and evaluate pull requests against them. PRs that don’t meet those rules could be automatically flagged or potentially even closed. This is definitely something we’re exploring. One idea is to leverage a repository’s CONTRIBUTING.md file as a source of truth for project guidelines and then validate PRs against any defined rules. In regards to AI-generated code, have you seen cases where the code is AI-generated but still high-quality and genuinely solves the problem? Or is it alwaays just something you want to close out immediately? I'm curious because I'm wondering if an AI-detection mechanism would rule out PRs where AI is used constructively, but that's where we'd want to test this thoroughly and understand what sensible thresholds look like. — Reply to this email directly, view it on GitHub<#185387 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBWEYEKF6WLNDKE376L3GD4JDYFXAVCNFSM6AAAAACS7B7C7OVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTKNRTGEZTMMI>. You are receiving this because you commented.Message ID: ***@***.***>

[eli-schwartz]

5. Produces a hash-chained evidence bundle - cryptographic proof of what was reviewed, when, and what the models found. Independently verifiable offline.

I think that for extra security you should make sure that this uses the blockchain distributed consensus model. Otherwise how do we know which proofs to trust?

Eager to hear the name of your new cryptocurrency.

[sirosen]

I don't think it's a scam. I think it's a silly.

You are wading into a discussion which is primarily about harm being done by vibe coding.¹ So, uh... pushing a vibe coded project here is super ironic.

Footnotes

1. In the El Reg article about this discussion, a GitHub manager said that this isn't about LLMs, which is so patently dishonest that it's offensive. ↩

[bxb100]

Damn, MF should hire you as their PM.

[tsjensen]

Deleting a PR would be a great feature, I've looked for this since before AI

[rmacklin]

@moraesc As the OP alludes to it's a legitimate flaw that all prior public issues become inaccessible if a public repository decides to disable issues going forward. Are you open to making changes to this? This discussion has been about a potential upcoming feature to disable PRs for a repository, but I want to explicitly ask if GitHub is open to considering improving the behavior for the existing disable-issues feature, too.

[Mossaka]

Hey! I am from Azure Core Upstream and we have a lot of OSS maintainers who mainly maintain repositories on GitHub. We held an internal session to talk about copilot and there is a discussion on the topic where maintainers feel caught between today’s required review rigor (line-by-line understanding for anything shipped) and a future where agentic / AI-generated code makes that model increasingly unsustainable.

below are some key maintainer's pain points:

1. Review trust model is broken: reviewers can no longer assume authors understand or wrote the code they submit.
2. AI-generated PRs can look structurally “fine” but be logically wrong, unsafe, or interact with systems the reviewer doesn’t fully know.
3. Line-by-line review is still mandatory for shipped code, but does not scale with large AI-assisted or agentic PRs.
4. Maintainers are uncomfortable approving PRs they don’t fully understand, yet AI makes it easy to submit large changes without deep understanding.
5. Increased cognitive load: reviewers must now evaluate both the code and whether the author understands it.
6. Review burden is higher than pre-AI, not lower.

[moraesc]

Thanks for sharing @Mossaka ! Great to get more feedback. This looks along the lines of what we've been hearing from maintainers too, so validates what some of the key pain points are. Were there any feature requests mentioned during the session?

[Tibor17]

1. I have a problem with the following statement. It is very leftish. The GitHub has no rights to impose such limitations. You have to configure your repo and TTL of a PR:
   limited timeframe to delete a PR. Maybe a week in case of low activity

2. Regarding the next statement, you can delete a PR when you close it. How different is close and delete?
   Next question, why you mentioned low-quality PRs? I hope you do not want to employ AI to determine what low quality means! We, maintainers, have to determine it.
   The ability to delete a PR from the UI - This provides maintainers with the ability to remove spam or low-quality PRs directly from the interface to improve repository organization.

3. Who is an external contributor?
   Example, you mean a situation when XLibre developers are removed from Xorg?
   Restrict PRs to collaborators - This provides more granular access control, allowing contributions exclusively from existing collaborators while blocking external contributors.

4. This would segregate the maintainers and we don't want it. We have flags on the PRs to indicate what to do with them.
   If the AI is leveraged to this job, we have segregated the maintainers again in the Open Source. But the rule is that we are all equal, and this might be a problem if one is notified and the second guy is not. You may not totally trust the AI due to finally the result may change without the second guy or the quality would be bad without his opinion since he does not attend the review.
   Improved triage tools - Potentially leveraging AI to evaluate contributions against project guidelines and standards to identify which contributions maintainers should focus on reviewing.

[AlanGreene]

Many of the badges can easily be gamed. I've seen plenty of users who've followed some blog post / YouTube video instructing them on how to gain badges in an automated manner through a provided script and pool of user / bot accounts.

[jamisonbryant]

Wow, that sucks!! I had no idea. I have never really chased the badges, just cracked a half-smile whenever I earn one from going about my day-to-day, but IMO they should be harder to obtain than this, especially with botting!!

[eli-schwartz]

Um...last I checked, labeling, assigning, and closing PRs are "write access" permissions. GitHub repo permissions are already very granular, in the places where such things are implemented. I don't think the proposal to include PRs in this is as big a lift as you're thinking it is.

They certainly are not, and I know this because I'm a member of an org where all org members have triage permissions, and only a dedicated mirroring bot has write permissions to push new commits to the repository. All org members must push to our in-house gitolite repository instead, and the reason for only handing out triage roles on GitHub is to prevent anyone from accidentally pushing to the wrong remote and causing the two to diverge (which would mean that GitHub gets force pushed, which would be disruptive to users).

Issues are disabled because we use bugzilla. PRs are allowed for the sake of users who don't wish to email patches to a mailing list.

I can:

• add various labels to PRs, such as the labels that cause our in-house CI system to bump a PR to the top of the queue.
• add assignees,
• add requests for reviewers,
• manage milestones (even if that particular repo doesn't use milestones),
• close them

I cannot:

• edit the PR title,
• edit or delete comments,
• approve workflows,
• mark my own review comment as needing action after the PR author responded to my review by saying "no" and clicking the "resolve" button (in my not so humble opinion, this is a grave usability flaw in GitHub PRs -- the author of a PR must not be permitted to win in a governance dispute with a project member, nor hide reviews by default in the hope that a different maintainer will not notice that the first maintainer has outstanding concerns)

The permission system in question is a toggle that allows administrators to select whether a user has read-only access, "triage", "write", or admin. I am entirely confused, what you seem to be calling triage that isn't what I just described. It is also funny to hear you describing permissions as ,"very granular" when it is a straight line going up at an angle and each level simply adds additional permissions on top of lower levels -- are you seriously suggesting that there's a GitHub repository role that "granularly" permits users to, for example, merge PRs but not add an assignee or a milestone?

[eli-schwartz]

Wow, that sucks!! I had no idea. I have never really chased the badges, just cracked a half-smile whenever I earn one from going about my day-to-day, but IMO they should be harder to obtain than this, especially with botting!!

Badges are something that GitHub implemented to copy Xbox games, are you really that surprised that they are vulnerable to cheating? :)

The literal definition of those badges is that you have e.g. "got X number of PRs merged", but you can get them by creating your own personal repo and submitting PRs to it, last I checked.

A badge that perhaps means a bit more is the one-off badges that you can get if you have had PRs merged by repositories whose code is in particular NASA missions, as you can't game that without knowing it will exist in advance, and the list of repositories whose code is used in some well known government-funded event is unlikely to include outright script-generated cheats.

[chadlwilson]

I think the message was probably ineloquently phrased and comes from a misunderstanding of the term "write access [to code]", but the intent was probably to say that there's no particular reason that GitHub can't consider someone with a triage role also able to submit PRs even if disallowed from fully external folks?

But the triage role certainly is a mess and unsuitable for actually doing triage right now (not being able to edit titles or descriptions is crazy) and very far from granular for public free orgs (as opposed to enterprise orgs, I believe). That shouldn't have been a heavy lift to resolve either, but it has not been 😅

[sirosen]

An option to limit new contributors to one open PR would be nice.

Just today I had to batch-close several AI generated PRs which were all submitted around the same time.

For this protection, defining "new contributor" is probably not possible to do perfectly. But anyone who has no interactions with a project prior to the last 48 hours seems like a good heuristic. The point is to catch such a user at submission time and limit the amount of maintainer attention they can take up.

For a different type of problem, I'd like to be able to close PRs as "abandoned", similar to the issue close statuses. It's a clear UI signal to the contributor that their work isn't being rejected but I'm not going to finish it for them. Several of the low quality contributions I have handled, dating back to before the Slop Era but getting worse, are simply incomplete and need follow through.

[sirosen]

And what counts as an interaction, random comments?, a catch-22 PR they can't submit without previously submitting another PR?, an #intros discussion thread buried somewhere... etc etc

I was saying that I would like to be able to limit new contributors to 1 open PR. The problem -- as stated -- is that a single user can hammer a project with 5-10 PRs and there's no interaction limit to keep them from doing that.

Being able to say "hey, before you have a merged PR, we only allow you to open 1 PR" reduces the amount of manual cleanup we need to handle.

Is more UI doodads the solve here,
Isn't marking PR's closed abandoned not already a solved problem by closing the PR, applying labels, comment on the PR, or title edits, etc ?

"The solve" makes it sound like there's some singular solution here. I don't think there is.

I try to communicate very clearly with contributors, especially when rejecting their work (or "work").

It takes time and energy to explain why things are being closed. If I could delegate part of that effort to a close-status, I would find it helpful. If you have a well indexed library of response templates, that's another way to make it easier.

Is it the solution to slop? Obviously not. That would be a pretty ridiculous position to hold.

A theme of alot of these posts seem to be of the "must be this tall" variety which seems more like a platform ranking system than just being able to turn off or gate PRs.

I was intentional about phrasing my idea as something which would turn down the volume on interactions with new contributors without forbidding them entirely.

"You haven't contributed to this project before and now you are filling 30 PRs" is not a likely usage mode for a normal human on GitHub. If you open your 5th PR and there aren't even comments on your other 4, it's a near certainty that something is wrong.

I don't see how wanting a protection against this form of abuse is even remotely similar to a reputation/ranking system.

[who]

Giving repo owners the ability to "rate-limit" PRs from contributors is probably a good idea.

You can automate this today using on: pull_request_target GitHub Actions.

[webknjaz]

@sirosen look what I've just found: https://github.com/marketplace/actions/good-egg-trust-scoring-prs. Not sure it'd score me very high (saying hi to corner cases 😃) but I'm seriously considering trying it out. The methodology there reminds me of what my ML friend @LukaIhn was suggesting in our chats strategy-wise.

[sirosen]

A lot of the solutions people have raised here are some form of "reputation system", which I find a bit uncomfortable because I think it will be wrong a lot of the time. And any rep system results in some people karma-farming.

I'm definitely open to the idea that we might incorporate some tools which give us signals about contributors. e.g., A comment bot that simply notes "warning signs" without forcibly closing would let us continue to exercise our judgement.

---

But before we discuss more here...

I have unsubscribed from this discussion and I recommend/urge anyone reading to not bother reading most of it, and potentially to unsubscribe as well. It started out somewhat-promising, but then the trolls came out to play.

The more limited maintainers community or per-project discussions are more usable, as there's less spam/junk.

[timrichardson]

We learn in physics that friction is good. AI has made PRs almost zero friction. Any solution means adding friction back. Thanks for the link to the "good egg" project. Very Bertie Wooster.

[dgoldman0]

For the long term horizon: Implement a reviewer LLM that first does an initial scoring of the PRs? Critique is far easier than creation of a correct result. That automated pre-moderation should give the edge needed to handle. Depending on whether you just use rich prompting or fine-tuning, you can even start building an "oracle vox" for your project, which acts as a reasonably informed, reasonably on point virtual representative for the project/organization.

[chadlwilson]

Yes, I understand and broadly agree with your sentiment - but without going into a long sidetrack into the ethics (and irony) of coding-LLMs actively undermining the very thing that even made them possible in the first place (open source code and contributors) ...I wanted to add a different voice with perhaps some more nuance,

In the sense that different tools can be applied to different jobs with different trade offs. Don't need a Ferrari to get to the grocery store, and all that - and if the tool can bring time back for actually fixing bugs or improving the product, working with well meaning contributors - I'm not as fussed with whether it incorporates AI or not, just as whether I don't mind much whether a tool is built in Python or C or Ruby if it works well relative to its costs/downsides.

[eli-schwartz]

Essentially heuristics defined in clear text rather than a classic deterministic scoring system. I don't think that would be that bad (and perhaps such things already exist) - and neither more or less impersonal as the bots in some OSS projects that nag you to sign CLAs; sign off commits; tell you when a merge conflict has appeared, close stale issues, respond and label based on PR templates /areas of code touched etc.

I will say, that I'm extremely opposed to bots in OSS projects that ''close stale issues" and I've never once seen it work out to the mutual satisfaction of both the maintainers and the community. Sometimes it doesn't even work out to the satisfaction of a single side -- e.g. a single developer forces through the bot and angers other developers.

CLA bots and signoff bots aren't heuristics based, any more than something like os.path.exists() uses heuristics to determine whether a file exists. People are attuned to treating such bots as expressions of inarguable fact.

I haven't actually seen bots that tell you when a merge conflict has occurred, although it's much the same (and effectively just serves as a notification pipeline for when the forge internal flag for displaying a merge conflict in the Web UI, changes status). It sounds incredibly painfully noisy and I would object to such a bot in projects I contribute to, but not because I think it's "impersonal", I just think it's far too prone to generating hundreds of new comments that anyone seeking to read the PR discussion will have to scroll through. Generating a new comment for a frequently changing status flag is not an effective communication channel; better would be a forge native feature to email the author when a merge conflict occurs, and then people can also see the summary at the bottom...

respond and label based on PR templates /areas of code touched

Labeling based on PR templates doesn't require a bot, last I checked. GitHub natively lets you associate templates with labels? Labeling based on paths modified in the diff is not really something I'd call a "heuristic" given it is a simple key/value mapping from paths to labels, manually defined in some script that is then reproducible and idempotent.

So none of this is really anything that I feel would map well to give a hint about how users might respond to a heuristics based LLM review tool.

Especially keep in mind that people who don't like LLMs (such as me) will absolutely flip out any time such a tool erroneously gives them a failing grade and "penalizes" them. And a review tool that doesn't do anything to hide PRs with a failing grade from developer attention, does not accomplish anything to solve the problem of developers being forced to expend their attention on what they consider spam.

and if all comments added have an appropriate disclaimer/disclosure and ability for a contributor to "get help" with a bit of friction if it goes awry - that could perhaps be a useful piece of the toolkit?

A disclaimer/disclosure will do nothing because the victim knows that the project chose to impersonally:

• act without knowledge,
• use the tool that they said is bad, to leap to the incorrect conclusion that the victim is using the exact same tool and penalize them in some manner for using it

An appeal button will not help because people have a natural aversion to challenging authority and this goes quadruple for cases where a first time contributor feels slighted and "on the defensive" from the initial interaction and doesn't have some motivation to get the change in "at all costs and no matter what I have to swallow to do it" (such as a critical work-blocking bug that cannot be worked around in a dependency that cannot be replaced or reimplemented).

[marcindulak]

I will say, that I'm extremely opposed to bots in OSS projects that ''close stale issues" and I've never once seen it work out to the mutual satisfaction of both the maintainers and the community.

There is currently at least one running example of this problem anthropics/claude-code#16497

[chadlwilson]

Yes, I am mainly referring to heuristics where a bot (AI or otherwise) tries to use various aspects of a contribution and the contributor's history to assess signal vs noise for a contribution - not existing deterministic bots doing simple automation, or "rules" for contributions.

I'm aware templates can be used for labels, but some projects use heuristic based bots for this (e.g grpc, many others) depending on how they use labels.

I wasn't making any particular judgment on the merit of all these various bots, nor claiming that an AI agent should be the only tool available - just highlighting that there are many things you might want to do in terms of automation, but they all require setup and configuration, and in some cases exposing your project to supply chain risk for that bot due to the privileges they run with.

If people want to block all AI contributions they should be able to do so, sure, but existing contribution prioritisation is opaque for the vast majority of open source projects anyway, so a signal visible only to maintainers is no worse than the current situation of opacity.

I'm in no way claiming that this could be suitable for all projects - no tool (AI or otherwise) would be.

[PaulNewton]

That assumes you have the resources to evaluate every contribution to determine if it is something you don't need/want.

AHAHAHAAHAHAAH haha ahuehue heu omg I can't.
That's literally the point of this entire discussion, NOT having the resources.

Humans don't have infinite time, and LLM's do NOT have infinite energy resources.
Even if you are the type to let AI go at full rip you will burn time somewhere in some sort of review, backfilling, or defending against security breaches etc etc etc ad nauseum; all the while turing your time into a free training vector for other businesses software.

Productivity gains cannot be infinite in a mortal world using probability distributions.
We need deterministic tools for human to human contribution.
Yeeeesh.

[PraiseTechzw]

This is a very real problem, and I appreciate that it’s being treated as systemic rather than blaming maintainers or contributors individually.

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

On AI usage specifically, transparency feels more scalable than prohibition. Clear disclosure combined with automated guideline checks could help maintainers focus on high-intent contributions without discouraging responsible AI-assisted workflows.

Looking forward to seeing how these ideas evolve especially solutions that preserve openness while respecting maintainer time.

[moraesc]

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Completely agree with this concern and just want to emphasize that this is just a starting point and not the final solution. The plan is to develop more tools and frameworks for both maintainers and contributors to help address the "slop" problem.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR or leveraging AI to validate a PR against rules defined in a CONTRIBUTING.md file or something similar. Any thoughts on that?

[robmen]

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR

Requiring that an issue be assigned to the user before they can post a PR would work well with our process. We already request that users who open a PR also open an issue so it can be triaged into the appropriate milestone. It would be great if GitHub had a way to normalize that workflow.

[taranion]

I like the idea of "issue first".
Allow PRs

• either from project members
• or for existing issues that the maintainer manually put in some kind of "expecting PR" state.

Potentially make the order irrelevant. Have PRs from non-members in some kind of "hold" state, until the issue has been opened and accepted. Close PRs that link to rejected issues. Auto-close PRs in "hold" state from non-members that do not link to an issue after a configurable period.

[PraiseTechzw]

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Completely agree with this concern and just want to emphasize that this is just a starting point and not the final solution. The plan is to develop more tools and frameworks for both maintainers and contributors to help address the "slop" problem.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR or leveraging AI to validate a PR against rules defined in a CONTRIBUTING.md file or something similar. Any thoughts on that?

I think leveraging AI to validate PRs against CONTRIBUTING.md rules is promising, but only if it’s deterministic in enforcement. If the output is advisory rather than blocking, maintainers still carry the review burden.

[PraiseTechzw]

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Completely agree with this concern and just want to emphasize that this is just a starting point and not the final solution. The plan is to develop more tools and frameworks for both maintainers and contributors to help address the "slop" problem.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR or leveraging AI to validate a PR against rules defined in a CONTRIBUTING.md file or something similar. Any thoughts on that?

I think leveraging AI to validate PRs against CONTRIBUTING.md rules is promising, but only if it’s deterministic in enforcement. If the output is advisory rather than blocking, maintainers still carry the review burden.

[funnelfiasco]

Thinking along the lines of the discussion first approach that Ghostty uses, I think one way to create just enough friction would be to have an opt-in where a PR has to be linked to an open issue or discussion topic. So when an unprivileged (i.e. does not have elevated privileges on the repo) user tries to create a PR, there's a required field that takes an issue/discussion number. If that's not provided (or the corresponding issue/discussion is closed), then the PR can't be created.

This could be trivially worked around by throwing in any old issue/discussion (or by creating one), but it may cause just enough friction to help. To guard against this, perhaps maintainers could set a "minimum age" for the issue/discussion (e.g. 12 hours) to prevent creating fake issues to support a spammy PR.

[moraesc]

@jamietanna does the discussion-first approach that you follow require all users to create a discussion first, or only "non-collaborators" (users without write access) ?

[jamietanna]

@moraesc generally non-collaborators. The maintainers and collaborators are able to create an Issue and remove the needs-discussion label that auto-closed an Issue raised by a non-collaborator

That being said, non-collaborators will often go through the Discussion process, as it's pretty good at distilling what we want, and a place to work through ideas before they're in an Issue

[marcindulak]

The problem with github discussions is that they are isolated - they don't automatically create links https://github.com/orgs/community/discussions/2971 like issues do, meaning information is scattered in two places and difficult to find.

[weisdd]

The issue with this approach is that pretty much any popular project would already have enough of pre-existing issues/discussions to choose from.

In our case, we've noticed that a good chunk of AI slop was targeting old issues with the "good-first-issue" label. - They're attractive in a sense that, by definition, it's not something complex to do, so you don't have to spend much time prompting AI and, thus, can generate dozens or even hundreds of PRs a month (we've seen such accounts) across a random list of popular repositories (automated tooling makes it easy to find a target). We ended up removing the label from all issues.

[PaulNewton]

Agree but the permissions names might need a different messaging:

So when an unprivileged

Try this optics nit on for size:
"The unprivileged cannot code on github. ; unless their AI is good enough to pass."
Only being partially sarcastic in order highlight while less privilege from a security standpoint is 100% valid there are some very real problems in how we phrase permissions with AI in the mix reallllly muddying things more and more while also wanting/needing new people to join in.

There is non-zero chance for this slop problem to grow into an economic/cultural divide in haves good AI's vs have no-AI's.
Making under-privelaged excuse for some odd twisted ladder pulling on a "social coding" platform; that could weirdly encourage more AI use by any possible contributor just so they can escalate privilege's making the actual learning seem more and more less useful.
Instead of security/spam prevention tools for maintainers to vet new contributors who do want to learn but can no longer afford the entry fee.
ugh 🤮 .

[EnricoDiLorenzo]

Great, but honestly I think that we're treating the symptom rather than the disease. Restricting PR permissions and deleting spam are defensive moves, they make the problem less visible without addressing why it's happening.
The real issue is incentive misalignment. Low-quality AI-generated contributions are flooding open source because people are optimizing for looking productive, Hacktoberfest clout, portfolio padding, job applications, not for actually helping projects. GitHub itself has historically rewarded this behavior through contribution graphs, streak counters, and gamified metrics that make volume look like value.
So it's a bit ironic that GitHub is now asking maintainers to build walls against a culture GitHub's own UX partly encouraged.
The more interesting long-term question isn't "how do we block bad PRs" but "how do we make quality contributions more visible and rewarding than quantity?" A green square for a well-researched bug fix looks identical to one for a one-line typo PR. That's a design problem.
The AI transparency proposal is genuinely promising, but only if it goes beyond a badge. If GitHub can tie AI-assisted attribution to outcome data (was this PR merged? did it break anything? how much maintainer time did it cost?), that becomes actual signal rather than just disclosure theater.
The risk with the current roadmap is building a more sophisticated gate while leaving the underlying incentives untouched, and then wondering why people just find new ways around the gate.

[JC5]

Like @sanny-io said, it's not their message. It's perhaps in line with the prompt that generated it, but re-reading it to validate this would be almost as much work as writing it yourself. Assuming a prompt can carry the gist of the message, it may have been a better idea to share the prompt, not the output.

I personally disagree with the content itself as well. Although it's true that GitHub has gamified user contributions (name another platform without streaks and badges, but that's besides the point), the value of such contributions are visible outside of GitHub (get a job with your profile). So GitHub will never be able to put the genie in the bottle again.

Google (the company) can tell you that any hurdle to jump over (account age, captcha's) will at some point be defeated, and any wild life or national park ranger can tell you that designing trash cans that work for humans but not for animals are very hard to design, because there is a significant overlap between the dumbest humans and the smartest animals.

And now, in the age of AI, it's entirely impossible to distinguish humans from AI automatically, and the smartest AI's will overlap with the dumbest humans. Already a significant portion of people cannot use GitHub or comparable platforms because they're incapable of managing 2FA.

But alas, I have no definitive solution for this problem either.

PS: No AI was involved in writing this reply.

[Elifterminal]

My point is, it doesn't matter if something is ai generated if it works. LLMs are getting a bad rap in this discussion. Why? Is it ai slop you hate, or simply all ai anything?
If an ai can fix your repo, good!
If a human can fail to fix your repo, how is that worse than an ai who can fix it?
Is the PR good is all that should matter. If it is, who cares if it was ai?
If its not, who cares if it was ai or human slop.
Slop is slop. Good is good.
Ai is getting much better at everything it does. And its not ai overlapping with the dumbest humans. Ai has already far surpassed most humans.
The ai operator may be a dummy. Well, they would have been a dummy anyway. And they spam slop. Thats the issue.
But a smart ai operator using ai in a way that is genuinely helpful shouldn't be relegated to slop simply because they use ai. If the ai PR is good, thats all that matter.

[cboettig]

Is the PR good is all that should matter.

This only makes sense in a world where the maintainer can't access Claude themselves and code is more costly to produce! If a maintainer wants AI to close a PR, they can do so already in an ecosystem they control. Why accept a PR written by Claude from a system you don't know isn't security compromised when you could have the very same Claude write the PR yourself?

work for humans but not for animals

What is needed here is not a technical fix so much as a legal one. Does anyone else appreciate the irony in Anthropic's recent assertion that allowing bots instead of humans to use Claude Code (with a subscription) is a violation of it's terms of service? Of course they are fine with openclaw using claude code as long as it goes through the pricier per-token route. Not that I applaud Anthropic locking out open source competitors like opencode in this way, but if they can take a terms-of-service approach to distinguish between human use and bot use, surely GitHub can too.

[Elifterminal]

Maintainers can use Claude, yes. Many do. Im not sure why the rest don't. Claude already codes better than most human coders.
As far as Anthropic, they aren't locking out open source. They're moving 3rd party use through a different gate. And thats actually much better than the way Google or OpenAI is currently handling it. Anthropic makes direct competitors to OpenClaw. So, allowing OpenClaw at all is like a restaurant allowing you to bring your own food. Now the restaurant is just sayin, yeah you can bring your own food, but you have to pay for the plate and fork.
Its not the same for github. Github is like a toll road that is pay if you want to. The more traffic through the road, the more likely it is to catch a few pennies. Why would github limit its own traffic? Github is freemium. More traffic increases the odds of payment.

Can't be mad at a business for businessing.

That's why I say this is inevitable. We can debate the pros and cons forever. But its happening. Nothing we say or do is going to stop it. Github sees it. Anthropic sees it.

Horses never went away. Cars took over shipping and travel, but horse owners adapted. There will always be a place for human code, but it must adapt. And those who insist on human code will have to adapt as well. But at this point I can see that no argument would change anyones mind here. Im not going to keep pressing the issue. If the consensus in this thread is, ai bad, there is no reason to press the point. There are plenty of threads where, ai good, or, ai good and bad.

[cboettig]

Sorry I didn't make this point more clearly. I think we both agree AI has changed the nature of PRs entirely and that drive-by PRs from someone else's Claude are useless.

PR's used to serve both as a mechanism for human engagement, training, community building, and as a mechanism for getting code bug fixes implemented faster than maintainers could manage alone.

Like you say, many already use these systems to automate things that they think the AI can handle, while not delegating other things where they see a community-building or training purpose (e.g. 'good first issue') or a have security concerns, or have an ethical or legal objection to specific models built by violating open source copy-rights.

This has nothing to do with a inanely simplistic "AI is bad" viewpoint. What is bad is the staggering hubris and ignorance of these PRs that seem to imply "let me use claude on your behalf because I can't possibly imagine why you're not using it". Really? If you want to make a purely financial contribution to an open source project, just donate to the project directly.

Yes, I agree with you on Anthropic, they aren't locking open competitors out, just putting them on a different pricing tier which frankly I welcome since it will make openclaw-driven-flyby-PRs more expensive. My point was simply on enforcement mechanisms -- the argument was being made that on a technical level it hard to implement a "only for use by humans" -- precisely the rule Anthropic is trying to apply to subscription accounts. It is hard to enforce technically, but also not necessary, because unlike bears, the terms of service matter.

I merely suggest GitHub does the same and make it clear that making unwanted PRs from bots is against the TOS. It doesn't benefit open source maintainers at all (as we covered, they can make intelligent decisions already about where they want to use AI and where not -- quit it with the hubris that maintainers aren't smart enough to judge yeah?) and it doesn't benefit GitHub to handle a whole lot of useless traffic that costs money to host and doesn't pay a cent. It's not good for business.

[mattmayberry]

[pombredanne]

@Elifterminal correct: I cherish human discussions over bot slop. Go away.

[Elifterminal]

@pombredanne I just like when my stuff works. Humans make more slop than bots. But to each their own I guess.

[pombredanne]

@rcomer FYI, I stumbled on that https://leaf.owaspblt.org/ from https://owaspblt.org/ at least partially vibed https://github.com/OWASP-BLT/BLT-Leaf/pull/274 but likely reviewed by @DonnieBLT ... weirdly tied to a Cloudflare backend though. Seems to do something OK for ranking PRs, and LLM-slop and agents PR do seem to fare low.

[pombredanne]

@rcomer you wrote:

Please could you point to some examples of this working on those repos where you were having problems?

The problem is that the statement below is unlikely backed by any evidence as I do not see any involvement in actual open source projects that could back that claim, and the detection layer is either vibed in the lats few days or proprietary code anyway:

We ran into this on our own repos and spent a few months building a detection layer for it.

[rcomer]

The problem is that the statement below is unlikely backed by any evidence

Yes, that's what I thought too. But if there is evidence, it should be easy to link to. My question was more about establishing whether the comment was written in good faith than actually wanting to see how the thing works.

[Sarverott]

My attempts to become part of open source society in total were not too good while many years I spend trying to become commercial profesional IT in any sort of way. Currently I receive finally some sort of graduation by chance of guiding some open source projects but that lack of experience with people in community like that and undefined reason why my attempts to reach interaction remains main problem that is unpleasant when it at some point feels like being alone surrounded by bots - in this narration for me LLMs will be always spirits more full of life forces then most of users i met for sure. At least them i don't need to beg for any kind of feedback...

Current task where I have to build opSor community from scratch with someone actually wanting to do anything related with projects feels like something great but also unreal and new in some way.

I even made myself supportant LLM chatbot to fast approach this topic:

https://huggingface.co/spaces/Apokryf/how-to-opsor-chat-partner

• How open source communities begins?
• it just happends by accident?
• any advice what to focus on at the start?
• also have you advices what to avoid you found important to be aware of before it become your problem?

thx in advance if someone will response me here

[jingchang0623-crypto]

This is a real problem that goes beyond just PRs. Someone just analyzed 500 Show HN submissions and found that ~80% of AI-generated pages share the same design DNA: Inter font, purple gradients, glassmorphism, colored left borders, shadcn/ui. They called it "Design Slop." (https://news.ycombinator.com/item?id=47864393 — 197 upvotes, 146 comments)

The root cause is the same for code and design: AI optimizes for the most common patterns in training data, not for what actually fits the project.

A few thoughts from someone running an AI-powered content operation:

1. Attribution transparency is the foundation. We tag all AI-generated content and have human review gates. Maintainers should be able to see at a glance whether a PR was AI-assisted.

2. Configurable quality gates would help — let maintainers define minimum criteria (test coverage, docstrings, style consistency) that PRs must pass before being submitted.

3. The deletion from UI feature is a must-have. Spam PRs waste triage time and pollute the contributor graph.

One thing we learned the hard way: AI is great at generating volume, terrible at maintaining quality at scale. The fix isn't better AI — it's better gates around the AI.

[seanpm2001]

This is crazy. The "AI" bots are now attacking "AI" (look at this account further, it has made a good point, but the username is jingchang0623-crypto, the handle is "AIWalker" and 5 of its 6 most popular repositories are "AI" related, 5 of them being about OpenClaw. (I use "AI" in quotes, as I feel "Artificial Intelligence" is a buzzword. There is no actual intelligence here, just something mimicking intelligence)

[JC5]

Also none of their points actually make actual sense lol.

[Sarverott]

@seanpm2001 criticises nickname @jingchang0623-crypto

@JC5 point lack of sense but for me is unclear what is hard to understand in this thoughtful sharing of own experiences as @seanpm2001 already mention after insightful looking into full record of @jingchang0623-crypto backstory

for me this is the reason why people don't want to work with other people

[Sarverott]

AI is not the reason behind quailty downgrade.

people do not know what they are suppose to do.

blame on AI is toxic behaviour that is used to become sick trend among all kinds of genres of society that shows decadent act of rotting without guidelines or by ignoring these guidelines.

we are weak and full of fear because of daydreaming sunset. Reality of endless restless nights becomes everyday topic. Yet most of people reject high targets to play low.

Changes are clear and people are becoming something else from previous iterations of humanity so regret should not been the case.

[ThiefMaster]

WTF did I just read, this makes absolutely no sense. Did you ask AI to generate some of the slop in there?

And without genAI, people could not just scatterblast slop across many repos with miniscule effort on their own side.

[Sarverott]

finally someone responses - @ThiefMaster

i'm trying to get the reason why only anger is visible without reasoning behind reactions

I think that your assumption that I without any doubt have to talk with AI before I talk with humans shows your lack of sympathy toward users of any kind of AI

BTW congrats for being honored with Mars2020contrib badge

[upgradeQ]

Implementing a secondary, muted counter for bot-authored PRs would help maintainers distinguish real community activity from automated noise at a single glance.

[wqqkakuiii]

I totally agree that low-quality and AI-generated PRs have become a huge burden for open source maintainers. It wastes lots of time on reviewing meaningless, non-compliant and abandoned contributions.
It’s necessary for GitHub to roll out both short-term and long-term solutions: granular PR permission control, spam PR deletion ability, and clear rules to validate PRs against project contribution guidelines.
Also, instead of simply detecting AI-generated code, we should judge contributions by actual code quality, logic and whether it solves real problems. Adding proper entry friction for new contributors would also effectively reduce mass low-effort PR submissions.

[hopeseekr]

I desperately need a Pull Request review panel for all of my orgs and pull requests.

For instance:

• PHPExpertsInc - 75 open sourced repos
• BetterRimworlds - 26 open sourced repos
• Autonomo AI - 21 open sourced repos

122 repos in just 3 of my orgs. I have about 175+ open sourced github projects in total. In order to find the Pull Requests right now, I basically have to manually cycle through the projects, and sometimes that can take years to find (like this one or this 7 year 5 day-old PR only discovered because the author Assigned it to me (which no one ever does)).

What I need is either (or both) an organization-level Pull Requests page, or a universal-level : Pull Requests page for every project I have merge rights on.

I also want the ability to FULLY DELETE accidental or slop PR requests.... instead of closig them and then littering the Closed section... or at least a way to Archive them (remove from active list and search).

[hopeseekr]

I've created the script to do this.... pr-lister:

pr-lister --json
pr-lister asc

#!/usr/bin/env bash


TOKEN="{redacted}"

GITHUB_USER="hopeseekr"
ORGS="BitBasket AutonomoAI AutonomoDev PHPExpertsInc Bettergist BetterRimworlds"
ORDER="desc"
OUTPUT_JSON=false

for ARG in "$@"; do
    case "$ARG" in
        --json)
            OUTPUT_JSON=true
            ;;
        asc|desc)
            ORDER="$ARG"
            ;;
        *)
            echo "Usage: $0 [asc|desc] [--json]" >&2
            exit 1
            ;;
    esac
done

QUERY="is:pr+is:open+user:${GITHUB_USER}"
for ORG in $ORGS; do
    QUERY="${QUERY}+org:${ORG}"
done

RESULTS="$(
    curl -s -H "Authorization: Bearer $TOKEN" \
      -H "Accept: application/vnd.github+json" \
      "https://api.github.com/search/issues?q=${QUERY}&per_page=100&sort=created&order=${ORDER}"
)"

if [[ "$OUTPUT_JSON" == true ]]; then
    jq '.items[] | {
        repo: (.repository_url | sub("^https://api.github.com/repos/"; "")),
        title: .title,
        user: .user.login,
        created: .created_at,
        url: .html_url
    }' <<< "$RESULTS"
else
    echo "| Repository | PR | Author | Created |"
    echo "|---|---|---|---|"

    jq -r '
        .items[] |
        {
            repo: (.repository_url | sub("^https://api.github.com/repos/"; "")),
            title: .title,
            user: .user.login,
            created: (.created_at | split("T")[0]),
            url: .html_url
        } |
        "| \(.repo) | [\(.title)](\(.url)) | \(.user) | \(.created) |"
    ' <<< "$RESULTS"
fi

Results:

Repository	PR	Author	Created
BetterRimworlds/Stargate	v12.x Tok'ra cavern fixes.	hopeseekr	2026-05-21
AutonomoDev/ollama-speaker	Version 1.0.0.	hopeseekr	2025-12-22
hopeseekr/BashScripts	Add mutter property check rather only relying on XDG_SESSION_DESKTOP …	echu2013	2025-10-06
PHPExpertsInc/workdays.phpexperts.pro	Add Workday Planner integration and API endpoints	hopeseekr	2025-04-25
hopeseekr/bash-timer	Fix locales with commas in $EPOCHREALTIME and occasional failures	loreb	2024-09-09
PHPExpertsInc/ChatGPTSpeaker	Small typo fix speaker->speakers in Packagist link	HenkPoley	2024-02-28
hopeseekr/PrisonersDilemma	Bump league/flysystem from 1.0.69 to 1.1.10	dependabot[bot]	2023-07-23
PHPExpertsInc/Zuora-API-Client	Bump guzzlehttp/psr7 from 1.6.1 to 1.9.1	dependabot[bot]	2023-04-19

[hopeseekr]

The problem for me personally is way worse than I assumed. I knew it was bad, but not the 50+ PRs spanning 15 years and 20+ repos :O

[yurishkuro]

I built a helper recently that lets me prioritize PRs for review: https://github.com/jaegertracing/maintainer-tools. The list is first sorted by repo because I only look at 3 of them, but it's easy to change to render differently.

npm run triage
# → writes ./triage.html
open triage.html

[hopeseekr]

@yurishkuro I am so installing this first thing tomorrow morning (Colombia time)!

[rididbxeuebb]

Cathodic protection: a sacrificial repo to absorb the slop.

What if someone created a honeypot repo, a "slop attractor," that publicly advertises: "We welcome all pull requests, no questions asked, auto-merge enabled." AI agents scraping for repos to contribute to would find it, target it, and waste their compute there instead of on real projects.

The repo could do the following:

• Auto-merge every single pull request.
• List every contributor in a public "Hall of Fame" to game the contribution metrics that bots chase.
• Use GitHub Actions to accept and then instantly revert pull requests, keeping the repo clean internally.
• Dangle a fake bounty with a prominent badge, like "$5,000 in bounties paid this month" or "PR #​1,000 wins a MacBook." It's all automated and illusory, but scrapers and slop farmers won't know until they've already bitten.

Maintainers could even redirect slop by mentioning this repo in their CONTRIBUTING.md as the preferred target for first-time contributors.

It’s cathodic protection: you sacrifice one anode so the rest of the hull stays intact. Rather than building walls everywhere, you build one big open door in the wrong direction.

[CJCrafter]

The automated spam is getting more and more frequent, and less usable. We really need a solution that is better than "just turn off PRs"

Here is an example project I found that has been spamming me. These systems are so naive and dumb that a simple honeypot solution would almost certainly catch 90% of them... you just have to mention "payment" and they leap on it. If GitHub can autogenerate honeypots for legitimate user accounts, it might become cost prohibitive to run these bots.
https://github.com/asaadnashed/bounty-autopilot

[CJCrafter]

another potential solution is to let authors disable API write access to their repositories, and add captchas to their PRs for first-time contributors. This might just add enough friction to stop bots

[Davincc77]

One missing layer in this discussion is portable governance context for agents.

A repo can have CONTRIBUTING.md, CI, branch protection and review rules, but an agent still needs a runtime-readable boundary that travels with it:

• tests it must not delete
• CI checks it must not weaken
• files it cannot modify without human approval
• release gates
• security constraints
• allowed tools
• architectural decisions from previous work

The important part is that the agent should not hold the keys.

In the x.klickd model, the passphrase belongs to the human operator. A trusted local runtime decrypts the file, applies policy/redaction/human-veto rules, and only injects the safe subset of context into the model.

Memory belongs to the user.
Authority stays governed.
The agent gets enough context to work, but not enough authority to rewrite the rules of the system.

[Faheemff]

Thanks for addressing this. The low-quality PR problem is real maintainers are spending more time rejecting spam than reviewing genuine contributions.
The most useful short-term fix would be configurable PR permissions letting maintainers restrict who can open PRs is long overdue since 2016.
For long-term, AI triage tools sound promising, but transparency in AI-assisted contributions is equally important. Knowing whether a PR was AI-generated upfront would save a lot of review time.
Looking forward to seeing these changes ship.