Exploring Solutions to Tackle Low-Quality Contributions on GitHub #185387
Replies: 113 comments 282 replies
-
|
such a great intiative |
Beta Was this translation helpful? Give feedback.
-
|
I know this is a pretty ambitious idea and not trivial to implement, but it would be really powerful to have an AI-detection mechanism with a configurable threshold at the repository or organization level. That way, teams could decide what percentage of AI-generated code is acceptable in pull requests. Another possible approach would be to define a set of rules or prompts and evaluate pull requests against them. PRs that don’t meet those rules could be automatically flagged or potentially even closed. |
Beta Was this translation helpful? Give feedback.
-
|
As of today, I would say that 1 out of 10 PRs created with AI is legitimate and meets the standards required to open that PR.
On 28 Jan 2026, at 18:41, Camilla Moraes ***@***.***> wrote:
Another possible approach would be to define a set of rules or prompts and evaluate pull requests against them. PRs that don’t meet those rules could be automatically flagged or potentially even closed.
This is definitely something we’re exploring. One idea is to leverage a repository’s CONTRIBUTING.md file as a source of truth for project guidelines and then validate PRs against any defined rules.
In regards to AI-generated code, have you seen cases where the code is AI-generated but still high-quality and genuinely solves the problem? Or is it alwaays just something you want to close out immediately? I'm curious because I'm wondering if an AI-detection mechanism would rule out PRs where AI is used constructively, but that's where we'd want to test this thoroughly and understand what sensible thresholds look like.
—
Reply to this email directly, view it on GitHub<#185387 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBWEYEKF6WLNDKE376L3GD4JDYFXAVCNFSM6AAAAACS7B7C7OVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTKNRTGEZTMMI>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as disruptive content.
This comment was marked as disruptive content.
-
|
Hey! I am from Azure Core Upstream and we have a lot of OSS maintainers who mainly maintain repositories on GitHub. We held an internal session to talk about copilot and there is a discussion on the topic where maintainers feel caught between today’s required review rigor (line-by-line understanding for anything shipped) and a future where agentic / AI-generated code makes that model increasingly unsustainable. below are some key maintainer's pain points:
|
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
|
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
-
|
An option to limit new contributors to one open PR would be nice. Just today I had to batch-close several AI generated PRs which were all submitted around the same time. For this protection, defining "new contributor" is probably not possible to do perfectly. But anyone who has no interactions with a project prior to the last 48 hours seems like a good heuristic. The point is to catch such a user at submission time and limit the amount of maintainer attention they can take up. For a different type of problem, I'd like to be able to close PRs as "abandoned", similar to the issue close statuses. It's a clear UI signal to the contributor that their work isn't being rejected but I'm not going to finish it for them. Several of the low quality contributions I have handled, dating back to before the Slop Era but getting worse, are simply incomplete and need follow through. |
Beta Was this translation helpful? Give feedback.
-
|
For the long term horizon: Implement a reviewer LLM that first does an initial scoring of the PRs? Critique is far easier than creation of a correct result. That automated pre-moderation should give the edge needed to handle. Depending on whether you just use rich prompting or fine-tuning, you can even start building an "oracle vox" for your project, which acts as a reasonably informed, reasonably on point virtual representative for the project/organization. |
Beta Was this translation helpful? Give feedback.
-
|
This is a very real problem, and I appreciate that it’s being treated as systemic rather than blaming maintainers or contributors individually. One concern I have with repo-level PR restrictions is that they may disproportionately impact first-time contributors who do want to engage meaningfully but don’t yet have collaborator status. Personally, I think the most promising direction here is criteria-based PR gating rather than blanket restrictions things like required checklist completion, passing CI, linked issues, or acknowledgement of contribution guidelines before a PR can be opened. On AI usage specifically, transparency feels more scalable than prohibition. Clear disclosure combined with automated guideline checks could help maintainers focus on high-intent contributions without discouraging responsible AI-assisted workflows. Looking forward to seeing how these ideas evolve especially solutions that preserve openness while respecting maintainer time. |
Beta Was this translation helpful? Give feedback.
-
|
Thinking along the lines of the discussion first approach that Ghostty uses, I think one way to create just enough friction would be to have an opt-in where a PR has to be linked to an open issue or discussion topic. So when an unprivileged (i.e. does not have elevated privileges on the repo) user tries to create a PR, there's a required field that takes an issue/discussion number. If that's not provided (or the corresponding issue/discussion is closed), then the PR can't be created. This could be trivially worked around by throwing in any old issue/discussion (or by creating one), but it may cause just enough friction to help. To guard against this, perhaps maintainers could set a "minimum age" for the issue/discussion (e.g. 12 hours) to prevent creating fake issues to support a spammy PR. |
Beta Was this translation helpful? Give feedback.
-
|
Implementing a secondary, muted counter for bot-authored PRs would help maintainers distinguish real community activity from automated noise at a single glance. |
Beta Was this translation helpful? Give feedback.
-
|
I totally agree that low-quality and AI-generated PRs have become a huge burden for open source maintainers. It wastes lots of time on reviewing meaningless, non-compliant and abandoned contributions. |
Beta Was this translation helpful? Give feedback.
This comment was marked as low quality.
This comment was marked as low quality.
-
|
I desperately need a Pull Request review panel for all of my orgs and pull requests. For instance:
122 repos in just 3 of my orgs. I have about 175+ open sourced github projects in total. In order to find the Pull Requests right now, I basically have to manually cycle through the projects, and sometimes that can take years to find (like this one or this 7 year 5 day-old PR only discovered because the author Assigned it to me (which no one ever does)). What I need is either (or both) an organization-level Pull Requests page, or a universal-level : Pull Requests page for every project I have merge rights on. I also want the ability to FULLY DELETE accidental or slop PR requests.... instead of closig them and then littering the Closed section... or at least a way to Archive them (remove from active list and search). |
Beta Was this translation helpful? Give feedback.
-
|
The automated spam is getting more and more frequent, and less usable. We really need a solution that is better than "just turn off PRs" Here is an example project I found that has been spamming me. These systems are so naive and dumb that a simple honeypot solution would almost certainly catch 90% of them... you just have to mention "payment" and they leap on it. If GitHub can autogenerate honeypots for legitimate user accounts, it might become cost prohibitive to run these bots. |
Beta Was this translation helpful? Give feedback.
-
|
One missing layer in this discussion is portable governance context for agents. A repo can have CONTRIBUTING.md, CI, branch protection and review rules, but an agent still needs a runtime-readable boundary that travels with it:
The important part is that the agent should not hold the keys. In the x.klickd model, the passphrase belongs to the human operator. A trusted local runtime decrypts the file, applies policy/redaction/human-veto rules, and only injects the safe subset of context into the model. Memory belongs to the user. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for addressing this. The low-quality PR problem is real maintainers are spending more time rejecting spam than reviewing genuine contributions. |
Beta Was this translation helpful? Give feedback.
-
|
https://github.com/PCL-Community/PCL-CE/issues/new?template=xxx.yml I personally think you should fix some bugs first, such as being able to create a blank issue that only maintainers have permission to create by using a non-existent template. (Blank issues have been disabled in the configuration, but the permission checks for some GitHub features are almost the same as if they weren't.) |
Beta Was this translation helpful? Give feedback.
-
|
The CONTRIBUTING.md-as-source-of-truth idea is interesting. The challenge is Something that's helped me more than detecting "is this AI-generated" is The signals I've found most useful for estimating review load before opening
I've been tracking these manually for a while and eventually automated it for |
Beta Was this translation helpful? Give feedback.
-
|
This is a real pain point for maintainers, so it’s good to see it being addressed. Overall, the balance between keeping repos healthy and keeping them open is the hard part, but these ideas are a solid starting point. |
Beta Was this translation helpful? Give feedback.
-
|
One approach I have been experimenting with is a lightweight triage layer rather than an "AI detector". I built PRAS Bot for this: https://github.com/marketplace/actions/pr-anti-spam-bot Source code: https://github.com/freakynit/pras-bot The reason I avoided pure AI-detection is that it feels like the wrong target. AI-assisted code can be good, human-written code can be bad, and any "was this generated?" detector will be noisy. What maintainers usually need is more practical:
PRAS Bot runs as a GitHub Action on incoming PRs, scores each one from 0-100, and applies one label:
It can also post a scorecard comment explaining why the PR was flagged. It does not close PRs, reject contributors, or make final moderation decisions. The goal is first-pass triage, not automated judgment. The current approach is signal-based. It is not perfect, but I think this is the most useful shape of solution right now: combine many weak-but-useful signals instead of pretending there is one magic spam detector. Maintainers already do this mentally; the bot just makes it consistent and visible.
The optional LLM checks are off by default. Repos can keep the bot fully heuristic, or enable LLM-backed checks only where they are comfortable with the cost and trust tradeoff. Basic usage is: - uses: freakynit/pras-bot@v1Repo-level config lives in Here is a sample run with the bot scorecard: I would be interested in feedback from maintainers here, especially on which signals are actually useful in daily triage, which ones are too noisy, and what kind of scorecard output would make this more actionable. |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
|
Great to see this being addressed; though this is not simply due to AI - though that probably makes the problem worse. In the ISO C++ Core Guidelines there was a lengthy discussion around this before AI was even a thing (see isocpp/CppCoreGuidelines#2258) because the project gets PRs and Issues opened by what seems like students at universities in China and India doing a homework assignment to create a GitHub account and open a PR or Issue; but as discussed in that issue (at least at that time) there was not real good way of identifying those and auto-closing them at least from our perspective as maintainers/contributors than someone just manually doing it. I don't know if there's been specific discussion of it, but I've also seen that on the Flutter repositories. This is perhaps a bigger issue for high profile projects which most are not - I've part of a number of FLOSS projects and communities and most don't see much of this. However, AI is certainly contributing to issues as pointed out. I'd just like to request that these other pre-existing issues also be considered in this. Also, perhaps an |
Beta Was this translation helpful? Give feedback.
-
|
Maintainer-adjacent builder here (I ship dev tooling, repo-proofer, BootProof). Most proposals in this thread try to detect slop after submission. I keep wondering about the inverse: let legitimate contributors prove work at submission time. Concretely: a CLI/Action run alongside an agent session that attaches a signed receipt to the PR, tests actually executed with output hashes, files read before editing, whether existing tests were modified, declared AI-assistance level per project policy. No receipt on an AI-assisted PR becomes a triage signal, like a missing DCO sign-off. Question for maintainers: if receipts existed, would “receipts required for AI-assisted PRs” be a policy you’d adopt? Which single piece of evidence would save you the most review time? Validating before building. |
Beta Was this translation helpful? Give feedback.
-
|
The “asymmetry of cost” point is the real insight here. Right now it is almost free for someone to fire an agent at every repo, but it is expensive in maintainer time to clean up the result. That asymmetry exists because most AI coding tools are metered per request, so the cost to the spammer is tiny and the cost to the maintainer is unbounded. One way to change the shape of that asymmetry is to move from per-request billing to a flat-rate compute model. If the agent is running on a GPU you control and pay a fixed monthly price for, the incentive shifts: the cost is bounded for you, and the spammer still has to operate within a real resource budget. That is the model we built UltraWork around — a flat-rate GPU-backed coding agent at https://vibecodingagency.com/gpu-cloud/ — so teams can set a predictable ceiling on their AI spend instead of watching a meter spin. Not a magic fix for low-quality PRs, but it does remove the “burn credits on trivial noise” dynamic that makes the asymmetry worse. |
Beta Was this translation helpful? Give feedback.

Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hey everyone,
I wanted to provide an update on a critical issue affecting the open source community: the increasing volume of low-quality contributions that is creating significant operational challenges for maintainers.
We’ve been hearing from you that you’re dedicating substantial time to reviewing contributions that do not meet project quality standards for a number of reasons - they fail to follow project guidelines, are frequently abandoned shortly after submission, and are often AI-generated. As AI continues to reshape software development workflows and the nature of open source collaboration, I want you to know that we are actively investigating this problem and developing both immediate and longer-term strategic solutions.
What we're exploring
We’ve spent time reviewing feedback from community members, working directly with maintainers to explore various solutions, and looking through open source repositories to understand the nature of these contributions. Below is an overview of the solutions we’re currently evaluating.
Short-term solutions:
Long-term direction:
As AI adoption accelerates, we recognize the need to proactively address how it can potentially transform both contributor and maintainer workflows. We are exploring:
Next Steps
These are some starting points, and we’re continuing to explore both immediate improvements and long-term solutions. Please share your feedback, questions, or concerns in this thread. Your input is crucial to making sure we’re building the right things and tackling this challenge effectively. As always, thank you for being part of this conversation. Looking forward to hearing your thoughts and working together to address this problem.
Beta Was this translation helpful? Give feedback.
All reactions