How Should Open Source Projects Handle AI Contributions?
Problem
I run an open source project, and I’m struggling with AI-assisted contributions. Some are great—the contributor used AI as a tool and understood the changes. Others are disasters—copy-pasted code from ChatGPT that breaks things in subtle ways.
The question is: how do I filter the good from the bad without being anti-AI?
Here’s the core issue:
- Time spent by contributor creating PR: 10 minutes
- Time spent by me reviewing PR: 1-2 hours

When the contributor invests less time creating the PR than I spend reviewing it, something is wrong.
Environment
- Mid-sized open source project
- Mix of human and AI-assisted contributions
- Volunteer maintainers with limited time
- Need for sustainable contribution process
What Happened?
AI coding assistants democratized contribution, which sounds great. But it created new challenges:
- Flood of low-quality PRs - Contributors paste issues into AI, get code, and submit without understanding
- Review burden explosion - Time spent reviewing often exceeds time spent creating
- Hidden bugs - AI code contains edge cases the contributor doesn’t understand
- Attribution confusion - Traditional DCO/CLA frameworks don’t address AI authorship
- Community trust erosion - Maintainers can’t distinguish insight from pattern matching
I looked at what successful projects are doing. The Ghostty terminal emulator by Mitchell Hashimoto has excellent contributing guidelines. Here’s what I learned.
How to Solve It?
Step 1: Update CONTRIBUTING.md
I added explicit AI disclosure requirements:
```markdown
## Before You Begin

### Understanding the Codebase

We ask that all contributors spend meaningful time understanding the system
before submitting changes. Please document:

- Time spent reading documentation
- Time spent exploring related code
- Time spent understanding the problem space

### AI Tool Disclosure

**Required**: Every PR must include a disclosure statement:

## AI Tool Usage

- [ ] I used AI assistance (e.g., Claude, GPT-4, Copilot)
- [ ] I did not use AI assistance

If AI assistance was used:

- Tools used: [list tools]
- Code generated by AI: [percentage estimate]
- Code reviewed and understood by me: [yes/no]
```

This isn’t about banning AI. It’s about transparency. Knowing AI was used helps me calibrate my review depth.
Step 2: Ask the Right Questions
For new contributors, I added specific questions that filter out low-effort submissions:
```markdown
### For New Contributors

If this is your first contribution, please answer:

1. How long did you spend understanding this system before starting?
2. What related issues/PRs did you review?
3. Does this implementation have known bugs or edge cases?
4. What alternatives did you consider?
```

These questions work because:
- AI can generate code quickly, but understanding takes time
- Contributors who actually studied the codebase can answer easily
- Low-effort AI users struggle to provide meaningful answers
Step 3: Create a Trusted Contributor System
I implemented a tiered trust system:
```yaml
# Contributors exempt from detailed pre-submission questions
# Must still include AI disclosure

trusted_contributors:
  - username: contributor1
    added: 2024-01-15
    reason: "10+ significant contributions, deep system knowledge"
  - username: contributor2
    added: 2024-02-20
    reason: "Core maintainer, 50+ contributions"

requirements_for_trust:
  min_contributions: 3
  min_quality_score: "high"
  demonstrated_understanding:
    - code reviews provided
    - architecture discussions
    - bug fixes (not just features)
```

Trusted contributors get expedited review. New contributors get the full vetting process. This reduces friction for proven community members while maintaining quality.
Step 4: Update the DCO
I extended the Developer Certificate of Origin to address AI:
```
(e) I understand that AI-generated code is a tool that I have reviewed,
    understand, and take responsibility for. I certify that any AI-assisted
    contribution meets the same standards as my own work.
```

This creates legal clarity: you’re responsible for AI code you submit, just like any other code.
Step 5: Automate with GitHub Actions
I created a workflow that checks for disclosure:
```yaml
name: PR Validation

on:
  pull_request:
    types: [opened, edited]

jobs:
  check-ai-disclosure:
    runs-on: ubuntu-latest
    steps:
      - name: Check for AI disclosure
        uses: actions/github-script@v7
        with:
          script: |
            const pr = context.payload.pull_request;
            const body = pr.body || '';

            // Passes if the heading text appears anywhere in the description.
            const hasAIDisclosure = body.includes('## AI Tool Usage') ||
                                    body.includes('AI Tool Usage');

            // Note: for PRs opened from forks, the token on `pull_request`
            // runs is read-only by default, so this comment call fails there.
            if (!hasAIDisclosure) {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: pr.number,
                body: '**Missing AI Disclosure**\n\nPlease add the AI Tool Usage section to your PR description.\n\nSee CONTRIBUTING.md for details.'
              });
            }
```

You can see that I succeeded in creating a balanced process. AI-assisted contributions are welcome—they just need transparency and accountability.
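The substring check in Step 5 passes when the template is pasted unchanged with no box ticked, or when the phrase appears anywhere in the description. The following is an added example, not code from the original post: a stricter validator for the Step 1 template that could run inside the same `github-script` step. The name `validateDisclosure` and the sample body are assumptions made for illustration.

```javascript
// Added example, not the post's workflow. validateDisclosure is a hypothetical
// helper; the labels it looks for come from the CONTRIBUTING.md template.
function validateDisclosure(body) {
  // Normalise line endings and drop HTML comments, so a commented-out
  // template does not count as a disclosure.
  const text = (body || '').replace(/\r\n/g, '\n').replace(/<!--[\s\S]*?-->/g, '');
  const parts = text.split(/^## AI Tool Usage[ \t]*$/m);
  if (parts.length < 2) return ['missing "## AI Tool Usage" section'];
  const section = parts[1].split(/^## /m)[0]; // up to the next level-2 heading

  const checked = (label) =>
    new RegExp('^- \\[[xX]\\] ' + label + '\\b', 'm').test(section);
  const used = checked('I used AI assistance');
  const notUsed = checked('I did not use AI assistance');
  if (used === notUsed) return ['tick exactly one of the two AI assistance boxes'];
  if (notUsed) return [];

  // Value after "- <label>:", or '' when absent or still a [placeholder].
  const field = (label) => {
    const m = section.match(new RegExp('^- ' + label + ':[ \\t]*(.*)$', 'm'));
    const value = m ? m[1].trim() : '';
    return /^\[.*\]$/.test(value) ? '' : value;
  };
  const problems = [];
  if (!field('Tools used')) problems.push('list the AI tools used');
  const pct = field('Code generated by AI').match(/^(\d{1,3})\s*%?$/);
  if (!pct || Number(pct[1]) > 100) problems.push('give a 0-100 percentage estimate');
  if (!/^yes$/i.test(field('Code reviewed and understood by me')))
    problems.push('confirm the AI-generated code was reviewed and understood');
  return problems;
}

// Constructed sample: the template pasted unchanged, nothing ticked.
const UNTOUCHED_TEMPLATE = [
  '## AI Tool Usage',
  '- [ ] I used AI assistance (e.g., Claude, GPT-4, Copilot)',
  '- [ ] I did not use AI assistance',
  'If AI assistance was used:',
  '- Tools used: [list tools]',
  '- Code generated by AI: [percentage estimate]',
  '- Code reviewed and understood by me: [yes/no]',
].join('\n');

console.log(validateDisclosure(UNTOUCHED_TEMPLATE));
```

In a workflow, a non-empty result can be passed to `core.setFailed(...)`, which marks the check as failed without needing write access to the repository.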
The Reason
The philosophy is simple:
“AI isn’t bad, but the human driving Claude needs to put in at least as much time preparing the PR as the humans responsible for approving it will”
This isn’t about blocking AI. It’s about:
- Transparency - Maintainers deserve to know what they’re reviewing
- Accountability - Contributors must understand and stand behind their changes
- Sustainability - Volunteer maintainers can’t review infinite AI-generated PRs
Summary
In this post, I showed how to handle AI contributions in open source. The key points are:
- Require AI disclosure - Every PR should state whether AI was used
- Ask vetting questions - “How long did you spend understanding the system?”
- Create trust tiers - Reduce friction for proven contributors
- Update legal frameworks - Extend DCO/CLA for AI authorship
- Automate enforcement - Use GitHub Actions to check compliance
The goal isn’t to resist AI assistance. The goal is to ensure contributors invest meaningful time understanding the systems they’re modifying. Quality over quantity.