We stopped AI bot spam in our GitHub repo using Git's --author flag


TLDR

  • Archestra open-sourced a whitelist workaround using Git’s --author flag to grant GitHub contributor status to vetted humans after AI bots overwhelmed their bounty-driven repo.

Key Takeaways

  • A $900 bounty issue ballooned to 253 comments from AI bots; one team member spent half a day weekly deleting untested PRs and closing hallucinated issues.
  • GitHub’s “Limit to prior contributors” setting gates commenting and PR access on having a commit merged to main; no native allowlist exists for external contributors.
  • Workaround: look up a user’s GitHub noreply email via the API, push a commit to main with git commit --author="user <ID+user@users.noreply.github.com>", and GitHub immediately grants them contributor status.
  • Full flow uses a CAPTCHA onboarding page, a GitHub Action that fires on submission, appends the handle to EXTERNAL_CONTRIBUTORS.md, and pushes the authored commit automatically.
  • The team acknowledges this is a “nuclear option” that conflicts with VC pressure on GitHub activity metrics, but chose quality over quantity.
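
The allowlist flow described above, as an added shell example that is not Archestra's own code: it builds the noreply address, resolves the user ID with the GitHub CLI, and records the authored commit in a clone of the repo. The `gh` invocation, the function names, the file name `EXTERNAL_CONTRIBUTORS.md` taken from the page, and the `octocat` handle with a constructed ID are assumptions; since the HN thread notes that such commits also confer fork-PR CI approval, a maintainer would run this only for vetted users.

```shell
#!/bin/sh
# Added example (not Archestra's code): grant GitHub contributor status by
# committing to main with the user's noreply address as author.
set -eu

# GitHub noreply addresses have the form <numeric id>+<login>@users.noreply.github.com.
noreply_email() {
  printf '%s+%s@users.noreply.github.com' "$1" "$2"
}

# Resolve a login to its numeric user ID with the GitHub CLI (needs `gh` and network).
lookup_user_id() {
  gh api "users/$1" --jq '.id'
}

# Run inside a clone of the repo: append the handle to the allowlist file and
# create a commit authored by the contributor. Prints the author email so the
# caller can check it before pushing to main.
add_contributor_commit() {
  login="$1"
  email="$(noreply_email "$2" "$login")"
  printf '%s\n' "$login" >> EXTERNAL_CONTRIBUTORS.md
  git add EXTERNAL_CONTRIBUTORS.md
  git commit -q --author="$login <$email>" -m "chore: allowlist external contributor @$login"
  git log -1 --format='%ae'
}

# Usage (hypothetical contributor "octocat"; pushing is left to the caller):
#   id="$(lookup_user_id octocat)"
#   add_contributor_commit octocat "$id" && git push origin main
```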

Hacker News Comment Review

  • Commenters flagged a security hole: granting contributor status via the --author trick also bypasses CI approval requirements for fork PRs, which GitHub itself warns about in docs.
  • Consensus leans toward GitHub needing native tooling (token-based PR grants, rejection-rate throttling) rather than repo-level hacks; the current burden falls entirely on maintainers.
  • Skepticism exists about any reputation or ELO-based filter since any scoreable system creates a manipulation target; one reply noted a single bot breaking through contributor status could bootstrap further elevation.

Notable Comments

  • @captn3m0: The --author whitelist trick also grants elevated CI rights, bypassing fork-PR approval requirements – an overlooked attack surface.
  • @thih9: Points out that Archestra’s own onboarding doc shows common AI writing tells, calling the countermeasures “inadequate half measures.”
  • @infinitifall: Frames PR spam as classic digital spam and suggests proof-of-work tools like Anubis as a more principled defense.
