From 2affbe4e628b3df47b68487b0924bf42f9183a2a Mon Sep 17 00:00:00 2001 From: anandgupta42 Date: Sat, 4 Apr 2026 11:09:30 -0700 Subject: [PATCH 1/2] chore: add anti-slop protection for AI-generated spam PRs - Install peakoss/anti-slop GitHub Action with user signal checks (account age, profile completeness, merge history), honeypot trap, file protection, and conventional title enforcement - Add AI contributions policy to CONTRIBUTING.md - Add honeypot instruction to PR template for catching AI agents Closes #641 Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/pull_request_template.md | 4 ++ .github/workflows/anti-slop.yml | 94 ++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 16 ++++++ 3 files changed, 114 insertions(+) create mode 100644 .github/workflows/anti-slop.yml diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index b32f39f16a..32de8f0c84 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,3 +1,7 @@ + + ## Summary What changed and why? diff --git a/.github/workflows/anti-slop.yml b/.github/workflows/anti-slop.yml new file mode 100644 index 0000000000..ce0e933323 --- /dev/null +++ b/.github/workflows/anti-slop.yml 
@@ -0,0 +1,94 @@
+name: anti-slop
+
+on:
+ pull_request_target:
+ types: [opened, reopened]
+
+permissions:
+ contents: read
+ issues: read
+ pull-requests: write
+
+jobs:
+ anti-slop:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: peakoss/anti-slop@v0
+ with:
+ # --- Failure threshold ---
+ # Close PR after 4+ failed checks (default)
+ max-failures: 4
+
+ # --- Exemptions ---
+ # OWNER, MEMBER, COLLABORATOR are exempt by default.
+ # Also exempt our CI bots:
+ exempt-bots: |
+ actions-user
+ dependabot[bot]
+ renovate[bot]
+ github-actions[bot]
+ opencode-agent[bot]
+
+ # --- PR quality ---
+ require-description: true
+ require-maintainer-can-modify: true
+
+ # --- PR title ---
+ # We already enforce conventional commits in pr-standards.yml,
+ # but this adds a second layer for the anti-slop score:
+ require-conventional-title: true
+
+ # --- PR description ---
+ max-description-length: 5000
+ max-emoji-count: 3
+ max-code-references: 10
+ require-linked-issue: false # Already enforced in pr-standards.yml
+
+ # --- Honeypot trap ---
+ # AI agents follow hidden instructions; humans ignore them.
+ # The matching instruction is embedded in pull_request_template.md. 
+ blocked-terms: "PINEAPPLE"
+
+ # --- Commit checks ---
+ max-commit-message-length: 500
+ require-conventional-commits: false # Only title is enforced
+ require-commit-author-match: false # We use Co-Authored-By: Claude
+
+ # --- File checks ---
+ blocked-paths: |
+ LICENSE
+ CODE_OF_CONDUCT.md
+ SECURITY.md
+ require-final-newline: true
+ max-added-comments: 0 # Disable — legitimate PRs often add comments
+
+ # --- User signal checks (the main anti-slop value) ---
+ detect-spam-usernames: true
+ min-account-age: 30
+ max-daily-forks: 5
+ min-profile-completeness: 3
+
+ # --- Merge history checks ---
+ min-global-merge-ratio: 25
+
+ # --- Branch checks ---
+ blocked-source-branches: |
+ main
+ master
+
+ # --- Actions on failure ---
+ close-pr: true
+ lock-pr: false
+ failure-add-pr-labels: "needs-review:blocked"
+ failure-pr-message: |
+ 👋 This PR was automatically closed by our quality checks.
+
+ Common reasons:
+ - New GitHub account with limited contribution history
+ - PR description doesn't meet our guidelines
+ - Contribution appears to be AI-generated without meaningful review
+
+ If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.
+
+ # --- Actions on success ---
+ success-add-pr-labels: ""
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a93f6866e4..e12d689dce 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md 
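Review bot: The `on: pull_request_target` / `permissions: pull-requests: write` pair at the top of this new file hands a third-party action a write-scoped token while it processes attacker-controlled PR text, and nothing in the file records the invariant that keeps that acceptable — the job never checks out or executes code from the PR head, it only reads PR metadata. A comment above `jobs:` should state it, e.g. `# Runs under pull_request_target with a write-scoped token: never add an actions/checkout of the PR head or run PR-supplied code in this job.`, so a later edit does not turn it into a pwn-request. Separately, `max-added-comments: 0 # Disable` assumes the action treats 0 as "unchecked"; if it instead treats 0 as a hard limit, every PR that adds a code comment burns one of the four allowed failures — confirm against the action's documentation or drop the key to take its default. The honeypot `blocked-terms: "PINEAPPLE"` will also match a legitimate PR body that happens to contain the word, so the comment above it should say whether matching is case-sensitive, and the PRs it closes deserve a periodic look before `close-pr: true` is trusted on that signal alone.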
@@ -202,6 +202,22 @@ Some debug methods that can be problematic: With that said, you may want to try these methods, as they might work for you. +## AI Contributions Policy + +We welcome contributions from developers who use AI tools as part of their workflow. However, we require that all contributions reflect genuine understanding and effort from the contributor. + +### What we expect + +- **Review what you submit.** Whether you wrote it by hand or with AI, you should be able to explain your changes if asked. +- **Keep PR descriptions in your own words.** Short and focused beats long and generated. +- **No drive-by agent PRs.** Autonomous agents opening PRs without human review will be closed automatically. + +### What's totally fine + +- Using Copilot, Claude, or any AI tool as part of your workflow +- AI-assisted refactoring, test generation, or boilerplate +- Asking an LLM to help you understand the codebase before contributing + ## Pull Request Expectations ### Issue First Policy From 85b0f4a6b4728a3b952340b173f49f22f360b2b8 Mon Sep 17 00:00:00 2001 From: anandgupta42 Date: Sat, 4 Apr 2026 11:16:36 -0700 Subject: [PATCH 2/2] fix: address code review findings for anti-slop workflow - Pin `peakoss/anti-slop` to full commit SHA (85daca18) for supply-chain safety since workflow uses `pull_request_target` with write permissions - Add `edited` and `synchronize` triggers so checks re-run on PR updates Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/anti-slop.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/anti-slop.yml b/.github/workflows/anti-slop.yml index ce0e933323..fe6ed9bdde 100644 --- a/.github/workflows/anti-slop.yml +++ b/.github/workflows/anti-slop.yml @@ -2,7 +2,7 @@ name: anti-slop on: pull_request_target: - types: [opened, reopened] + types: [opened, reopened, edited, synchronize] permissions: contents: read 
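Review bot: With `edited` and `synchronize` added to `pull_request_target`, the job now also fires on edits to PRs it has already closed, and with `close-pr: true` and `failure-pr-message` set (both outside this hunk) each edit can re-post the failure comment unless the action itself skips non-open PRs. Guarding the job with `if: github.event.pull_request.state == 'open'` restricts the re-run to open PRs; a `concurrency` group keyed on the PR number with `cancel-in-progress: true` would additionally stop a burst of pushes from queuing several overlapping runs that each hold the write token. The `on:` block is complete within the hunk, but the job definition these triggers feed is outside it.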
@@ -13,7 +13,7 @@ jobs:
 anti-slop:
 runs-on: ubuntu-latest
 steps:
- - uses: peakoss/anti-slop@v0
+ - uses: peakoss/anti-slop@85daca1880e9e1af197fc06ea03349daf08f4202 # v0
 with:
 # --- Failure threshold ---
 # Close PR after 4+ failed checks (default)
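Review bot: The trailing `# v0` on the pinned `uses:` line names a floating major tag rather than the release the SHA was taken from, so a reader cannot tell which version of the action was reviewed, and update tooling that keys on that comment cannot tell whether the pin is stale. Record the exact tag instead, e.g. `# v0.<x>.<y>` (placeholder — use the tag that the commit message's 85daca18 resolves to), and treat any future re-pin as a review of the action's code at the new commit, since it still runs with a write-scoped token under `pull_request_target`. If the repo has a pinned-actions update configuration, this pin belongs in it so it does not silently age.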