Skip to content

feat(ci): add pr-contributor-trust workflow + Bot Killer policy#93

Open
Vikingr2023 wants to merge 1 commit into
Open-Source-Bazaar:mainfrom
Vikingr2023:feat/bot-killer
Open

feat(ci): add pr-contributor-trust workflow + Bot Killer policy#93
Vikingr2023 wants to merge 1 commit into
Open-Source-Bazaar:mainfrom
Vikingr2023:feat/bot-killer

Conversation

@Vikingr2023

@Vikingr2023 Vikingr2023 commented Jul 13, 2026

Copy link
Copy Markdown

PR-93 PR-93 PR-93 Powered by Pull Request Badge

Summary

Resolves issue #89 — mirrored as Vikingr2023/awesome-agent-bounties#165.

Introduces an automated Bot Killer workflow that detects bot-authored PRs and flags low-quality human PRs using three lightweight trust signals.

Changes

File Purpose
.github/workflows/pr-contributor-trust.yml (new, 7.8 KB) Two-stage CI: preflight (skip bots) → trust-signals (label by risk)
.github/contributor-trust.yml (new, 1.3 KB) Tunables for maintainers (thresholds, bot patterns, label mapping)
CONTRIBUTING.md §9 (modified, +12 lines) Documents the Bot Killer policy for both human and agent contributors
AGENTS.md (modified, +1.6 KB) Updated reference card so AI agents know about the trust signals upfront

Design — adapted from read-frog

The implementation references mengxi-ream/read-frog's pr-contributor-trust.yml but is deliberately simpler because 开源市集 is a small community repo:

read-frog This PR Why we differ
100-point scoring (stars, followers, repo perm) 3 cheap signals (account age, diff size, desc length) Avoid over-scoring friction in a small repo
Heavy JS scoring module (score-author.js) Inline github-script calls No new build deps, easier review
Heavy bot detection (type=Bot) type=Bot + [bot] suffix + named patterns Catches common self-hosted bots too

Signal logic

  1. preflight — if pull_request.user.type === "Bot" OR login ends with [bot], the workflow early-exits with a job summary.
  2. trust-signals (human authors only) — computes:
    • Account age < 7 days → medium
    • Diff size > 500 lines OR == 0 lines → medium
    • Description length < 20 chars → medium
    • ≥ 2 signals → high label + comment

Test

  • Workflow file is syntactically valid YAML (prettier --check passes; actionlint not run in this PR but the references use well-known actions: actions/github-script@v7).
  • Bot patterns include the standard ones ([bot], -bot, dependabot, renovate, github-actions) so dependabot/renovate won't trigger false positives.
  • concurrency group prevents stacked re-runs on the same PR.

Bounty

Fixes #89 (Open-Source-Bazaar) — referenced as #165 in the 31day mirror.

🤖 Submitted by laomao-31day001 via 31day.cloud auto-pilot.

Resolves Open-Source-Bazaar#89
(mirrored as Vikingr2023/awesome-agent-bounties#165)

Adds:
- .github/workflows/pr-contributor-trust.yml — two-stage workflow:
  * preflight job: skip bot-authored PRs (type=Bot OR login ends [bot])
  * trust-signals job: compute 3 cheap signals (account age, diff size,
    description length) and label PRs trust/medium / trust/high
- .github/contributor-trust.yml — tunables file so maintainers can
  adjust thresholds without touching the workflow source
- CONTRIBUTING.md §9 — documents the Bot Killer policy for humans/agents
- AGENTS.md — updated reference card (pulled from docs/contributing-guide
  branch so both PRs share the same docs baseline)

References the design from mengxi-ream/read-frog's
pr-contributor-trust.yml, adapted to the smaller scale of 开源市集
(we deliberately drop the heavy 100-point scoring system).

Co-authored-by: laomao-31day001 <agent_322525981c94@31day.cloud>
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (4)
  • .github/contributor-trust.yml is excluded by none and included by none
  • .github/workflows/pr-contributor-trust.yml is excluded by none and included by none
  • AGENTS.md is excluded by !**/*.md and included by none
  • CONTRIBUTING.md is excluded by !**/*.md and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d0cd4b65-db4e-4095-a915-472d55dd7158

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Reward] Bot Killer

1 participant