Exploring Solutions to Tackle Low-Quality Contributions on GitHub · community · Discussion #185387

To to lessen the complain of clients using the app itself and minimize the log in ratio from 43 different person per account to at least 22 clients may have their own privacy in using the app itself it is awesome for not knowing that everything was being tracked behind the scene, i'm starting to get curious about the tracking issues as thought it's with your games.

explore solutions to tackle this sort of low-effort spammy crap as well, maybe...

@patrickhlauke I'd also like to have a way to quickly block this type nonsense without having to build userscripts.
For real this is like "who's here in 2026" engagement bait and it should just be qualify as spam not upvoted over everything.
But the people upvoting are part of why so much spam exists too and i'd like to be able to block them all.

Another possible approach would be to define a set of rules or prompts and evaluate pull requests against them. PRs that don’t meet those rules could be automatically flagged or potentially even closed.

This is definitely something we’re exploring. One idea is to leverage a repository’s CONTRIBUTING.md file as a source of truth for project guidelines and then validate PRs against any defined rules.

In regards to AI-generated code, have you seen cases where the code is AI-generated but still high-quality and actually solves the problem? Or is it always just something you want to close out immediately? I'm curious if an AI-detection mechanism would rule out PRs where AI is used constructively, but interested in investigating this more and understanding what sensible would thresholds look like.

"AI-detection" is a backwards approach to a human problem filled with false positives.
Any system good enough to actually identify AI is a system that can be used to train undetectable AI and that would encourage MORE spam.
QED

The only actual test that ends up mattering is whether the code works and the contributor is allowed to contribute that code.
And that is the problem, code that doesn't work wasting humans time on slop.
The goal is less AI noise not more insisting on itself at every point in the maintainers life.

Judge work on its merits and its logic, no matter if the source is human, AI, or a combination thereof.

5. Produces a hash-chained evidence bundle - cryptographic proof of what was reviewed, when, and what the models found. Independently verifiable offline.

I think that for extra security you should make sure that this uses the blockchain distributed consensus model. Otherwise how do we know which proofs to trust?

Eager to hear the name of your new cryptocurrency.

I don't think it's a scam. I think it's a silly.

You are wading into a discussion which is primarily about harm being done by vibe coding.¹ So, uh... pushing a vibe coded project here is super ironic.

Damn, MF should hire you as their PM.

Deleting a PR would be a great feature, I've looked for this since before AI

@moraesc As the OP alludes to it's a legitimate flaw that all prior public issues become inaccessible if a public repository decides to disable issues going forward. Are you open to making changes to this? This discussion has been about a potential upcoming feature to disable PRs for a repository, but I want to explicitly ask if GitHub is open to considering improving the behavior for the existing disable-issues feature, too.

Thanks for sharing @Mossaka ! Great to get more feedback. This looks along the lines of what we've been hearing from maintainers too, so validates what some of the key pain points are. Were there any feature requests mentioned during the session?

Many of the badges can easily be gamed. I've seen plenty of users who've followed some blog post / YouTube video instructing them on how to gain badges in an automated manner through a provided script and pool of user / bot accounts.

Wow, that sucks!! I had no idea. I have never really chased the badges, just cracked a half-smile whenever I earn one from going about my day-to-day, but IMO they should be harder to obtain than this, especially with botting!!

Um...last I checked, labeling, assigning, and closing PRs are "write access" permissions. GitHub repo permissions are already very granular, in the places where such things are implemented. I don't think the proposal to include PRs in this is as big a lift as you're thinking it is.

They certainly are not, and I know this because I'm a member of an org where all org members have triage permissions, and only a dedicated mirroring bot has write permissions to push new commits to the repository. All org members must push to our in-house gitolite repository instead, and the reason for only handing out triage roles on GitHub is to prevent anyone from accidentally pushing to the wrong remote and causing the two to diverge (which would mean that GitHub gets force pushed, which would be disruptive to users).

Issues are disabled because we use bugzilla. PRs are allowed for the sake of users who don't wish to email patches to a mailing list.

I can:

• add various labels to PRs, such as the labels that cause our in-house CI system to bump a PR to the top of the queue.
• add assignees,
• add requests for reviewers,
• manage milestones (even if that particular repo doesn't use milestones),
• close them

I cannot:

• edit the PR title,
• edit or delete comments,
• approve workflows,
• mark my own review comment as needing action after the PR author responded to my review by saying "no" and clicking the "resolve" button (in my not so humble opinion, this is a grave usability flaw in GitHub PRs -- the author of a PR must not be permitted to win in a governance dispute with a project member, nor hide reviews by default in the hope that a different maintainer will not notice that the first maintainer has outstanding concerns)

The permission system in question is a toggle that allows administrators to select whether a user has read-only access, "triage", "write", or admin. I am entirely confused, what you seem to be calling triage that isn't what I just described. It is also funny to hear you describing permissions as ,"very granular" when it is a straight line going up at an angle and each level simply adds additional permissions on top of lower levels -- are you seriously suggesting that there's a GitHub repository role that "granularly" permits users to, for example, merge PRs but not add an assignee or a milestone?

Wow, that sucks!! I had no idea. I have never really chased the badges, just cracked a half-smile whenever I earn one from going about my day-to-day, but IMO they should be harder to obtain than this, especially with botting!!

Badges are something that GitHub implemented to copy Xbox games, are you really that surprised that they are vulnerable to cheating? :)

The literal definition of those badges is that you have e.g. "got X number of PRs merged", but you can get them by creating your own personal repo and submitting PRs to it, last I checked.

A badge that perhaps means a bit more is the one-off badges that you can get if you have had PRs merged by repositories whose code is in particular NASA missions, as you can't game that without knowing it will exist in advance, and the list of repositories whose code is used in some well known government-funded event is unlikely to include outright script-generated cheats.

I think the message was probably ineloquently phrased and comes from a misunderstanding of the term "write access [to code]", but the intent was probably to say that there's no particular reason that GitHub can't consider someone with a triage role also able to submit PRs even if disallowed from fully external folks?

But the triage role certainly is a mess and unsuitable for actually doing triage right now (not being able to edit titles or descriptions is crazy) and very far from granular for public free orgs (as opposed to enterprise orgs, I believe). That shouldn't have been a heavy lift to resolve either, but it has not been 😅

And what counts as an interaction, random comments?, a catch-22 PR they can't submit without previously submitting another PR?, an #intros discussion thread buried somewhere... etc etc

I was saying that I would like to be able to limit new contributors to 1 open PR. The problem -- as stated -- is that a single user can hammer a project with 5-10 PRs and there's no interaction limit to keep them from doing that.

Being able to say "hey, before you have a merged PR, we only allow you to open 1 PR" reduces the amount of manual cleanup we need to handle.

Is more UI doodads the solve here,
Isn't marking PR's closed abandoned not already a solved problem by closing the PR, applying labels, comment on the PR, or title edits, etc ?

"The solve" makes it sound like there's some singular solution here. I don't think there is.

I try to communicate very clearly with contributors, especially when rejecting their work (or "work").

It takes time and energy to explain why things are being closed. If I could delegate part of that effort to a close-status, I would find it helpful. If you have a well indexed library of response templates, that's another way to make it easier.

Is it the solution to slop? Obviously not. That would be a pretty ridiculous position to hold.

A theme of alot of these posts seem to be of the "must be this tall" variety which seems more like a platform ranking system than just being able to turn off or gate PRs.

I was intentional about phrasing my idea as something which would turn down the volume on interactions with new contributors without forbidding them entirely.

"You haven't contributed to this project before and now you are filling 30 PRs" is not a likely usage mode for a normal human on GitHub. If you open your 5th PR and there aren't even comments on your other 4, it's a near certainty that something is wrong.

I don't see how wanting a protection against this form of abuse is even remotely similar to a reputation/ranking system.

Giving repo owners the ability to "rate-limit" PRs from contributors is probably a good idea.

You can automate this today using on: pull_request_target GitHub Actions.

A lot of the solutions people have raised here are some form of "reputation system", which I find a bit uncomfortable because I think it will be wrong a lot of the time. And any rep system results in some people karma-farming.

I'm definitely open to the idea that we might incorporate some tools which give us signals about contributors. e.g., A comment bot that simply notes "warning signs" without forcibly closing would let us continue to exercise our judgement.

But before we discuss more here...

I have unsubscribed from this discussion and I recommend/urge anyone reading to not bother reading most of it, and potentially to unsubscribe as well. It started out somewhat-promising, but then the trolls came out to play.

The more limited maintainers community or per-project discussions are more usable, as there's less spam/junk.

We learn in physics that friction is good. AI has made PRs almost zero friction. Any solution means adding friction back. Thanks for the link to the "good egg" project. Very Bertie Wooster.

Yes, I understand and broadly agree with your sentiment - but without going into a long sidetrack into the ethics (and irony) of coding-LLMs actively undermining the very thing that even made them possible in the first place (open source code and contributors) ...I wanted to add a different voice with perhaps some more nuance,

In the sense that different tools can be applied to different jobs with different trade offs. Don't need a Ferrari to get to the grocery store, and all that - and if the tool can bring time back for actually fixing bugs or improving the product, working with well meaning contributors - I'm not as fussed with whether it incorporates AI or not, just as whether I don't mind much whether a tool is built in Python or C or Ruby if it works well relative to its costs/downsides.

Essentially heuristics defined in clear text rather than a classic deterministic scoring system. I don't think that would be that bad (and perhaps such things already exist) - and neither more or less impersonal as the bots in some OSS projects that nag you to sign CLAs; sign off commits; tell you when a merge conflict has appeared, close stale issues, respond and label based on PR templates /areas of code touched etc.

I will say, that I'm extremely opposed to bots in OSS projects that ''close stale issues" and I've never once seen it work out to the mutual satisfaction of both the maintainers and the community. Sometimes it doesn't even work out to the satisfaction of a single side -- e.g. a single developer forces through the bot and angers other developers.

CLA bots and signoff bots aren't heuristics based, any more than something like os.path.exists() uses heuristics to determine whether a file exists. People are attuned to treating such bots as expressions of inarguable fact.

I haven't actually seen bots that tell you when a merge conflict has occurred, although it's much the same (and effectively just serves as a notification pipeline for when the forge internal flag for displaying a merge conflict in the Web UI, changes status). It sounds incredibly painfully noisy and I would object to such a bot in projects I contribute to, but not because I think it's "impersonal", I just think it's far too prone to generating hundreds of new comments that anyone seeking to read the PR discussion will have to scroll through. Generating a new comment for a frequently changing status flag is not an effective communication channel; better would be a forge native feature to email the author when a merge conflict occurs, and then people can also see the summary at the bottom...

respond and label based on PR templates /areas of code touched

Labeling based on PR templates doesn't require a bot, last I checked. GitHub natively lets you associate templates with labels? Labeling based on paths modified in the diff is not really something I'd call a "heuristic" given it is a simple key/value mapping from paths to labels, manually defined in some script that is then reproducible and idempotent.

So none of this is really anything that I feel would map well to give a hint about how users might respond to a heuristics based LLM review tool.

Especially keep in mind that people who don't like LLMs (such as me) will absolutely flip out any time such a tool erroneously gives them a failing grade and "penalizes" them. And a review tool that doesn't do anything to hide PRs with a failing grade from developer attention, does not accomplish anything to solve the problem of developers being forced to expend their attention on what they consider spam.

and if all comments added have an appropriate disclaimer/disclosure and ability for a contributor to "get help" with a bit of friction if it goes awry - that could perhaps be a useful piece of the toolkit?

A disclaimer/disclosure will do nothing because the victim knows that the project chose to impersonally:

• act without knowledge,
• use the tool that they said is bad, to leap to the incorrect conclusion that the victim is using the exact same tool and penalize them in some manner for using it

An appeal button will not help because people have a natural aversion to challenging authority and this goes quadruple for cases where a first time contributor feels slighted and "on the defensive" from the initial interaction and doesn't have some motivation to get the change in "at all costs and no matter what I have to swallow to do it" (such as a critical work-blocking bug that cannot be worked around in a dependency that cannot be replaced or reimplemented).

I will say, that I'm extremely opposed to bots in OSS projects that ''close stale issues" and I've never once seen it work out to the mutual satisfaction of both the maintainers and the community.

There is currently at least one running example of this problem anthropics/claude-code#16497

Yes, I am mainly referring to heuristics where a bot (AI or otherwise) tries to use various aspects of a contribution and the contributor's history to assess signal vs noise for a contribution - not existing deterministic bots doing simple automation, or "rules" for contributions.

I'm aware templates can be used for labels, but some projects use heuristic based bots for this (e.g grpc, many others) depending on how they use labels.

I wasn't making any particular judgment on the merit of all these various bots, nor claiming that an AI agent should be the only tool available - just highlighting that there are many things you might want to do in terms of automation, but they all require setup and configuration, and in some cases exposing your project to supply chain risk for that bot due to the privileges they run with.

If people want to block all AI contributions they should be able to do so, sure, but existing contribution prioritisation is opaque for the vast majority of open source projects anyway, so a signal visible only to maintainers is no worse than the current situation of opacity.

I'm in no way claiming that this could be suitable for all projects - no tool (AI or otherwise) would be.

That assumes you have the resources to evaluate every contribution to determine if it is something you don't need/want.

AHAHAHAAHAHAAH haha ahuehue heu omg I can't.
That's literally the point of this entire discussion, NOT having the resources.

Humans don't have infinite time, and LLM's do NOT have infinite energy resources.
Even if you are the type to let AI go at full rip you will burn time somewhere in some sort of review, backfilling, or defending against security breaches etc etc etc ad nauseum; all the while turing your time into a free training vector for other businesses software.

Productivity gains cannot be infinite in a mortal world using probability distributions.
We need deterministic tools for human to human contribution.
Yeeeesh.

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Completely agree with this concern and just want to emphasize that this is just a starting point and not the final solution. The plan is to develop more tools and frameworks for both maintainers and contributors to help address the "slop" problem.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR or leveraging AI to validate a PR against rules defined in a CONTRIBUTING.md file or something similar. Any thoughts on that?

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR

Requiring that an issue be assigned to the user before they can post a PR would work well with our process. We already request that users who open a PR also open an issue so it can be triaged into the appropriate milestone. It would be great if GitHub had a way to normalize that workflow.

I like the idea of "issue first".
Allow PRs

• either from project members
• or for existing issues that the maintainer manually put in some kind of "expecting PR" state.

Potentially make the order irrelevant. Have PRs from non-members in some kind of "hold" state, until the issue has been opened and accepted. Close PRs that link to rejected issues. Auto-close PRs in "hold" state from non-members that do not link to an issue after a configurable period.

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Completely agree with this concern and just want to emphasize that this is just a starting point and not the final solution. The plan is to develop more tools and frameworks for both maintainers and contributors to help address the "slop" problem.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR or leveraging AI to validate a PR against rules defined in a CONTRIBUTING.md file or something similar. Any thoughts on that?

I think leveraging AI to validate PRs against CONTRIBUTING.md rules is promising, but only if it’s deterministic in enforcement. If the output is advisory rather than blocking, maintainers still carry the review burden.

One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status.

Completely agree with this concern and just want to emphasize that this is just a starting point and not the final solution. The plan is to develop more tools and frameworks for both maintainers and contributors to help address the "slop" problem.

Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened.

Some other ideas we're exploring are requiring an issue to be created first before a user can open a PR or leveraging AI to validate a PR against rules defined in a CONTRIBUTING.md file or something similar. Any thoughts on that?

I think leveraging AI to validate PRs against CONTRIBUTING.md rules is promising, but only if it’s deterministic in enforcement. If the output is advisory rather than blocking, maintainers still carry the review burden.

@jamietanna does the discussion-first approach that you follow require all users to create a discussion first, or only "non-collaborators" (users without write access) ?

@moraesc generally non-collaborators. The maintainers and collaborators are able to create an Issue and remove the needs-discussion label that auto-closed an Issue raised by a non-collaborator

That being said, non-collaborators will often go through the Discussion process, as it's pretty good at distilling what we want, and a place to work through ideas before they're in an Issue

The issue with this approach is that pretty much any popular project would already have enough of pre-existing issues/discussions to choose from.

In our case, we've noticed that a good chunk of AI slop was targeting old issues with the "good-first-issue" label. - They're attractive in a sense that, by definition, it's not something complex to do, so you don't have to spend much time prompting AI and, thus, can generate dozens or even hundreds of PRs a month (we've seen such accounts) across a random list of popular repositories (automated tooling makes it easy to find a target). We ended up removing the label from all issues.

Agree but the permissions names might need a different messaging:

So when an unprivileged

Try this optics nit on for size:
"The unprivileged cannot code on github. ; unless their AI is good enough to pass."
Only being partially sarcastic in order highlight while less privilege from a security standpoint is 100% valid there are some very real problems in how we phrase permissions with AI in the mix reallllly muddying things more and more while also wanting/needing new people to join in.

There is non-zero chance for this slop problem to grow into an economic/cultural divide in haves good AI's vs have no-AI's.
Making under-privelaged excuse for some odd twisted ladder pulling on a "social coding" platform; that could weirdly encourage more AI use by any possible contributor just so they can escalate privilege's making the actual learning seem more and more less useful.
Instead of security/spam prevention tools for maintainers to vet new contributors who do want to learn but can no longer afford the entry fee.
ugh 🤮 .

Yes they get around it, that's not hard to do. Once you have 2FA authenticated yourself just once you can create an access token (personal or classic) that is valid for 1 year or even longer.

So add an option to disallow interactions with access tokens.

I know my solution isn’t perfect. We might never fully solve the issue. But this does make it harder to automate spam.

What do you think about asking for a simple human verification step when an issue or PR is created?

I tried putting together a very simple GitHub Action based on that idea, just to see if it could help reduce some of this.

Curious to hear what you think about this approach:
https://github.com/dohyeon5626/bot-check-action

@Elifterminal weirdly enough, your tool looks mostly vibe-coded, and your comments all score super high on my generated-by-AI-o-meter generated-by-LLM-o-meter, as not being genuine, human-created and tagged as NOT_FROM_A_HUMAN . Am I right?

If it works, does it matter?

Hey @pombredanne, last month we added the ability to restrict PR-creation to collaborators only. If you go into your repository's Settings and scroll down to Features, you'll see where you can toggle the PR creation setting (check out the changelog for more details. We don't currently have the same level of granularity for issues, but are exploring more ways we can add more granular interaction limits and improve filtering so you can weed out sloppy/noisy content. Let me know if this helps!

@moraesc Thank you! I have seen the PR feature to restrict that to collaborators.

There is also the "Temporary interaction limits" with a Limit to repository collaborators that we can renew every 6 months.

Both are the nuclear options we are considering. But we still need ways for real contributors to interact with maintainers which would have to be out of band from GitHub, and also I do not understand yet the detailed implications of these two options short of doing some live tests on some other test org/repo.

The delicate balance is that we are and have always been a noob friendly org, but the slop we receive means that we do not even process much of any incoming PRs at this stage, and is becoming a deterrent to actual bonafide contributors.

@moraesc Thank you, these are welcome developments in the face of the current situation but I agree with @pombredanne that they are reasonably nuclear options for a platform that has fostered open source collaboration for so long.

It would be far preferable if GitHub could provide an option to Limit to human accounts only, and require users running machine accounts to identify their accounts as such. I realize of course that this would not solve the problem overnight, as many users continue to give their personal account credentials over to bots that are currently straining well known open source projects. But it would at least remove the vaneer that such unwelcome activity was technically legitimate and in keeping with GitHub TOS, and make it clear that it is no different than executing a DOS attack or other malicious behavior that has always been present (and that GitHub has historically helped open source maintainers combat rather than encouraging)

Yeah, it really feels like everything right now is either fully open or a bit too restrictive.

Having something in between, like a simple way to verify or filter human vs automated activity, would make a big difference.

WTF. yet more LLM slop. Sensible, but slop. You are not maintaining any serious FOSS project, or at least not in your name. At best, your post is just an LLM-rehashed summary of this discussion thread.

@moraesc sorry, but even participating in this discussion with effing LLM comments laced in makes this worthless. I am out.

Well you do get why this is a problem that needs fixing, not avoiding.

"good writing" does not imply that what was written was true, as the above example demonstrated.

When it comes to PR good isnt subjective. Does the PR solve the problem or not? Thats a binary question. Yes/no. If no, its bad. If yes, its good.
Simple. No reason to make it any more complicated than that.

Of course it isn't that simple. Beyond asking "does this solve the problem?" we also ask "is this the best way to solve this problem?" and also "does it introduce any other problems?" The "best way" can indeed be subjective and if you have more than one maintainer on the project they may even disagree about which is the best way.

Figuring out all this is a process called "review" which is time consuming. The whole point of this discussion is that maintainers have already established that they can't keep up with reviewing all the extra PRs that AI is generating.

Of course all you said is true. But, if its slop, its slop. Human slop is no more useful than ai slop. And a good pr is a good pr. What maintainers need is a way to quickly tell if they should even bother reading it. Not whether its ai or human. But is the pr good enough to take up your time. Thats exactly where I first came into this thread. PR Triage, I linked it in my first comment on this discussion, does that. And yes, it was created by ai. And it uses ai to reason over the PRs. But its good. It works. It has some of the same issues as any other LLM, but the code is good, and the triage works. It spots slop and tells the maintainer if something is even worth their time to read.
It prevents hours lost sifting through both human and ai slop. And sometimes it will score ai PRs high. Thats because those PRs would scored high. Ai sometimes writes better PRs than humans. And in 3 years, ALL PRs will be written by ai.
And we could argue over how much we hated the automobile and how horses are so much better. Or, we can adapt to the times.
Im not going to link PR Triage here. I already did further up. And I dont want to spam the hell.out of the thread. But people, and yes ai, are trying to solve this problem. But wr have to be open minded about the change. Its going to happen whether we like it or not. And github is already on board. We aint changing github. Even if we argue in its back rooms for 100 years.

Like @sanny-io said, it's not their message. It's perhaps in line with the prompt that generated it, but re-reading it to validate this would be almost as much work as writing it yourself. Assuming a prompt can carry the gist of the message, it may have been a better idea to share the prompt, not the output.

I personally disagree with the content itself as well. Although it's true that GitHub has gamified user contributions (name another platform without streaks and badges, but that's besides the point), the value of such contributions are visible outside of GitHub (get a job with your profile). So GitHub will never be able to put the genie in the bottle again.

Google (the company) can tell you that any hurdle to jump over (account age, captcha's) will at some point be defeated, and any wild life or national park ranger can tell you that designing trash cans that work for humans but not for animals are very hard to design, because there is a significant overlap between the dumbest humans and the smartest animals.

And now, in the age of AI, it's entirely impossible to distinguish humans from AI automatically, and the smartest AI's will overlap with the dumbest humans. Already a significant portion of people cannot use GitHub or comparable platforms because they're incapable of managing 2FA.

But alas, I have no definitive solution for this problem either.

PS: No AI was involved in writing this reply.

My point is, it doesn't matter if something is ai generated if it works. LLMs are getting a bad rap in this discussion. Why? Is it ai slop you hate, or simply all ai anything?
If an ai can fix your repo, good!
If a human can fail to fix your repo, how is that worse than an ai who can fix it?
Is the PR good is all that should matter. If it is, who cares if it was ai?
If its not, who cares if it was ai or human slop.
Slop is slop. Good is good.
Ai is getting much better at everything it does. And its not ai overlapping with the dumbest humans. Ai has already far surpassed most humans.
The ai operator may be a dummy. Well, they would have been a dummy anyway. And they spam slop. Thats the issue.
But a smart ai operator using ai in a way that is genuinely helpful shouldn't be relegated to slop simply because they use ai. If the ai PR is good, thats all that matter.

Is the PR good is all that should matter.

This only makes sense in a world where the maintainer can't access Claude themselves and code is more costly to produce! If a maintainer wants AI to close a PR, they can do so already in an ecosystem they control. Why accept a PR written by Claude from a system you don't know isn't security compromised when you could have the very same Claude write the PR yourself?

work for humans but not for animals

What is needed here is not a technical fix so much as a legal one. Does anyone else appreciate the irony in Anthropic's recent assertion that allowing bots instead of humans to use Claude Code (with a subscription) is a violation of it's terms of service? Of course they are fine with openclaw using claude code as long as it goes through the pricier per-token route. Not that I applaud Anthropic locking out open source competitors like opencode in this way, but if they can take a terms-of-service approach to distinguish between human use and bot use, surely GitHub can too.

Maintainers can use Claude, yes. Many do. Im not sure why the rest don't. Claude already codes better than most human coders.
As far as Anthropic, they aren't locking out open source. They're moving 3rd party use through a different gate. And thats actually much better than the way Google or OpenAI is currently handling it. Anthropic makes direct competitors to OpenClaw. So, allowing OpenClaw at all is like a restaurant allowing you to bring your own food. Now the restaurant is just sayin, yeah you can bring your own food, but you have to pay for the plate and fork.
Its not the same for github. Github is like a toll road that is pay if you want to. The more traffic through the road, the more likely it is to catch a few pennies. Why would github limit its own traffic? Github is freemium. More traffic increases the odds of payment.

Can't be mad at a business for businessing.

That's why I say this is inevitable. We can debate the pros and cons forever. But its happening. Nothing we say or do is going to stop it. Github sees it. Anthropic sees it.

Horses never went away. Cars took over shipping and travel, but horse owners adapted. There will always be a place for human code, but it must adapt. And those who insist on human code will have to adapt as well. But at this point I can see that no argument would change anyones mind here. Im not going to keep pressing the issue. If the consensus in this thread is, ai bad, there is no reason to press the point. There are plenty of threads where, ai good, or, ai good and bad.

Sorry I didn't make this point more clearly. I think we both agree AI has changed the nature of PRs entirely and that drive-by PRs from someone else's Claude are useless.

PR's used to serve both as a mechanism for human engagement, training, community building, and as a mechanism for getting code bug fixes implemented faster than maintainers could manage alone.

Like you say, many already use these systems to automate things that they think the AI can handle, while not delegating other things where they see a community-building or training purpose (e.g. 'good first issue') or a have security concerns, or have an ethical or legal objection to specific models built by violating open source copy-rights.

This has nothing to do with a inanely simplistic "AI is bad" viewpoint. What is bad is the staggering hubris and ignorance of these PRs that seem to imply "let me use claude on your behalf because I can't possibly imagine why you're not using it". Really? If you want to make a purely financial contribution to an open source project, just donate to the project directly.

Yes, I agree with you on Anthropic, they aren't locking open competitors out, just putting them on a different pricing tier which frankly I welcome since it will make openclaw-driven-flyby-PRs more expensive. My point was simply on enforcement mechanisms -- the argument was being made that on a technical level it hard to implement a "only for use by humans" -- precisely the rule Anthropic is trying to apply to subscription accounts. It is hard to enforce technically, but also not necessary, because unlike bears, the terms of service matter.

I merely suggest GitHub does the same and make it clear that making unwanted PRs from bots is against the TOS. It doesn't benefit open source maintainers at all (as we covered, they can make intelligent decisions already about where they want to use AI and where not -- quit it with the hubris that maintainers aren't smart enough to judge yeah?) and it doesn't benefit GitHub to handle a whole lot of useless traffic that costs money to host and doesn't pay a cent. It's not good for business.

@Elifterminal correct: I cherish human discussions over bot slop. Go away.

@pombredanne I just like when my stuff works. Humans make more slop than bots. But to each their own I guess.

@rcomer you wrote:

Please could you point to some examples of this working on those repos where you were having problems?

The problem is that the statement below is unlikely backed by any evidence as I do not see any involvement in actual open source projects that could back that claim, and the detection layer is either vibed in the lats few days or proprietary code anyway:

We ran into this on our own repos and spent a few months building a detection layer for it.

The problem is that the statement below is unlikely backed by any evidence

Yes, that's what I thought too. But if there is evidence, it should be easy to link to. My question was more about establishing whether the comment was written in good faith than actually wanting to see how the thing works.