
How Archestra Stopped AI Bot Spam in Their GitHub Repo Using Git's --author Flag

Original: We stopped AI bot spam in our GitHub repo using Git's -author flag

AI | May 18, 2026 | By Insights AI (HN)

The Problem: AI Bot Spam at Scale

Open-source maintainers increasingly face a new kind of contributor noise. For Archestra, the numbers were stark: a single bounty issue accumulated 253 AI-generated bot comments, a feature request spawned 27 untested pull requests, and one team member spent half their week removing spam. Legitimate contributors were buried.

The Solution

Step 1 — Onboarding verification: Before gaining repository access, contributors must complete an ethical AI usage agreement and CAPTCHA verification. GitHub's "limit to prior contributors" setting then blocks unvetted accounts from commenting or opening PRs.

Step 2 — Git's --author flag: Git distinguishes between a commit's author and its committer. By passing the --author flag with the user's GitHub noreply email address, the team can create commits attributed to an external contributor without giving that person direct push access.

The workflow: once a user completes onboarding, a GitHub Action retrieves their ID via the API, the team creates a commit authored under their account, and that person becomes recognized as a prior contributor — unlocking commenting and PR permissions going forward.
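The attribution step described above, as an added example (not Archestra's own workflow code). It assumes GitHub's documented noreply format `ID+USERNAME@users.noreply.github.com`; the function names, the `maintainer-bot` identity and the sample ID and login are constructed for illustration. Git stores the author string as given without verifying it, so the inputs are validated before they are interpolated.

```shell
#!/bin/sh
# Added example: attribute a commit to a vetted contributor via --author.
# All function names, identities and sample values here are hypothetical.

# Build ID+LOGIN@users.noreply.github.com, rejecting anything that is not a
# numeric id or does not look like a GitHub login (approximate check).
noreply_email() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  case "$2" in ''|-*|*[!A-Za-z0-9-]*) return 1 ;; esac
  [ "${#2}" -le 39 ] || return 1
  printf '%s+%s@users.noreply.github.com' "$1" "$2"
}

# Create an empty commit in repo $1: author = contributor ($2 id, $3 login),
# committer = the maintainer identity that actually holds push access.
attribute_commit() {
  email="$(noreply_email "$2" "$3")" || { echo "invalid id/login" >&2; return 1; }
  GIT_COMMITTER_NAME="maintainer-bot" GIT_COMMITTER_EMAIL="bot@example.invalid" \
    git -C "$1" commit -q --allow-empty \
      --author="$3 <$email>" \
      -m "chore: register $3 as contributor after onboarding"
}

# Print "author-email|committer-email" for HEAD so both identities can be audited.
head_identities() {
  git -C "$1" log -1 --format='%ae|%ce'
}

# Demo in a throwaway repository with a constructed ID and login.
demo() {
  repo="$(mktemp -d)"
  git init -q "$repo"
  attribute_commit "$repo" 1234567 octo-newcomer && head_identities "$repo"
  rm -rf "$repo"
}
demo
```

The author and committer emails differ in the output, which is what lets a reviewer tell who pushed the commit from whom it is attributed to.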

The Insight

Repository metrics like contributor count and PR volume do not reflect quality. The real target is not AI-assisted contributions — it's unverified, mass-generated AI output. This approach creates a practical boundary between the two, without blocking AI tools entirely.
