I have a few projects on GitHub. I am receiving a lot of spam PRs and requests from vibe coders and bots. Most of them to prop up their profiles. The stars are obviously exaggerated too.
What other platforms are you using for your projects?
sourcehut.org would be my choice.
Drew is pretty adamant about stuff and his morals.
You will dislike some things (UI and some policies) but will like the majority of the things (tech like CI/CD etc).
It's OSS and can be self-hosted as well.
But I think Drew fighting LLM scrapers on our behalf is good for us.
It's also cheap and should progressively improve going forward.
It's my long-term plan. And the project and company are set up in a way to be here for the long game. So, I am progressively moving my projects (private and in small numbers, but still...) from GitLab to sourcehut over this year or next.
This is evidently not a popular opinion, but git repositories don’t need to be hosted on any platform. Your local repo is a complete copy and can be pulled and pushed from and to. If you really want a backup or “source of truth” copy, you can clone it anywhere you have shell access. We make so many simple things hard unnecessarily.
That only works if you are only using GitHub as a place to store your code. I'm not the OP, and maybe their situation is different, but I want to continue getting sincere human PRs and issue reports on my projects, but want to reduce or eliminate the amount of AI produced spam.
If they have a blog or use a static site generator they could host their github repos online and use a plugin or something to display them. Or even just post links to the repos. It might cause bandwidth issues for popular projects and you wouldn't have any of the "social" features like stars (which in this case would be a feature) but it should be possible. Depending on how the backend is set up you might not even need to put the repos in the web path at all.
But I'd still say just use Codeberg. And see if there's an option to turn off PRs wherever your projects are hosted.
It depends on what you are looking to get out of the next platform.
For me, I'm not interested in the social aspect of coding anymore, so I have a Synology NAS running a git server accessible via ssh and I push my code there.
I use klaus (https://github.com/jonashaag/klaus) as a read only git web ui. My NAS is connected to my tailscale network so it's easy to view things on the go. It's a simple setup and works great.
I think one important factor would be still being able to interact with a community of people who care for software and would like to put genuine thoughts. Whether it be for submitting bug reports, issues, PRs or security reports. Of course other platforms are not as diverse as GitHub, it would be nice to see which other platforms are attracting such people. This in turn has a higher chance of interacting with such people.
I use forgejo myself but both are great choices. Self hosting has improved dramatically over the last decade. So many things that I would never think we'd have access to, like open source PaaS software on-par with what VC companies offer (dokploy, coolify, or komodo).
Same way you would for any other server. And I mean that 100% literally, given that at the command-line level the remote is simply a URL: https://git-scm.com/docs/git-remote
I'm not familiar with git, but can you post a read-only version publicly so others can still access all the commit history but not be subjected to pull requests?
(IIRC it is in fact actually even sometimes preferable from a security standpoint; or at least that's the tentative conclusion I've reached under a few specific circumstances over the years, although the exact details elude my memory at the moment.)
Git doesn’t even need to be “hosted” in the traditional sense. The whole point of it is that it is distributed and you don’t actually need a centralized source of truth.
Anywhere you accept unvouched pull requests will end up being spammed. You might find some respite at other sites, but whether you stay or go: you’re better off disabling pull requests on your projects for everyone but you, and then using discussions (like ghostty) where people petition to work on a feature; if they can convince you it’s a feature that’s valuable to you, then you can pull from their branch (like Linus) and merge them yourself when ready. That will halt the PRs and give you a much reduced pool of noise, as most fly-by-night sloppers won’t be interested in spending the extra tokens on both code and discussion. (You’ll still get entitled human beings who demand you add and maintain their solution to their needs, but that’s much easier to sift out and discard once people have to discuss their needs in written words rather than code.)
Really surprised that this is not the first thing everyone does on their repositories.
I am not a celebrity on GitHub and not even agents bother with my repositories, however, even before the bot pull requests/issues, I always made sure to enable only the things I felt I would want to use and provide a way for someone to reach out in case I was expecting collaboration/feedback.
I realized that anyone can create a PR to upstream when I accidentally did so using the GitHub web UI on mobile. Felt embarrassed and immediately closed it. But then it made sense why people were frustrated with this sort of thing happening to big repositories.
I'm enjoying forgejo as a self-hosted repo. No complaints, and the actions I was using on GH transferred over cleanly. I understand it's not quite fully compatible though, but worth an exploratory smoke test.
I hate the name though and resist saying it aloud. But that's been true of a few of my tools over the years :)
I kind of wish there was some kind of way to be licensed as a professional (or amateur) in a way that could be used to block AI-originating PRs.
Not that it would be perfect, but if I could set the bar to "only licensed software engineers" can open PRs, it at least sets the bar that only accounts controlled by people who know what they're doing can open a PR to my repo, as opposed to letting anyone in the world who knows how to prompt open a PR.
(That being said, I personally haven't encountered AI SPAM on my github repos. Maybe my projects just aren't popular enough?)
Does anyone have experience with AWS CodeCommit? It might not be what OP is looking for but since we're talking about moving away from GitHub. Personally I already pay for GitHub so I don't mind paying for something else. Just wondering if anyone has experience to share.
Related question, is there a web-based self-hosted git replacement that's _light-weight_ (i.e. resilient to scraping)? Should have things like file view, file browser, etc but is not taxing on the server.
Forgejo. A single tiny golang binary, I think about 200mb. It has 75% of the functionality of gitlab with 5% of the resource requirements. I migrated to it and have never missed gitlab.
Forgejo is lightweight relative to some other options, but it is not resilient to scraping. Scrapers can access, commit-by-commit, each individual file, each file's "git blame", and each commit's repository archive... and they do. Most public Forgejo instances need to rely on a reverse proxy like Anubis or Iocaine in order to prevent server resources from being exhausted by bad actors. Or require sign-in for all access.
Gitea runs well on a low-end server in my experience. Self-hosting on Hetzner and it's somehow the holy trinity of cheap, fast and reliable. I previously (years ago) self-hosted GitLab but I remember it being very slow, which was the reason I moved on.
Codeberg. They ONLY host open source software, it's sponsored by European institutions, Zig moved there too.
In the near future I'm also adding Forgejo to our Kexxu servers. Forgejo is basically Codeberg (but you need to host it). If you want a private repo on Kexxu just ask.
Set up a GitHub action to auto-close any pull requests from anyone not on an approved list.
Leave a message in the pull request that if they want to argue their case for a pull request they can send a message through a communication channel of your choice, and say that anyone sending a message with AI generated text, even to help with language and grammar will be banned.
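Added example, not part of the comment above: one way to write the auto-close workflow it describes. The file name, the approved logins and the contact address are placeholders. It uses `pull_request_target` so the token can close PRs opened from forks, and it never checks out or runs the PR's code.

```yaml
# .github/workflows/close-unapproved-prs.yml  (file name is an assumption)
name: Close PRs from unapproved authors

on:
  # pull_request_target runs the workflow definition from the base branch with
  # a token that can write to the base repo, which is needed to close PRs that
  # come from forks. Do not add a checkout of the PR head to this workflow:
  # that would run untrusted code next to a write-capable token.
  pull_request_target:
    types: [opened, reopened]

# Grant only what closing and commenting on a PR requires.
permissions:
  pull-requests: write

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - name: Close the PR unless its author is on the approved list
        env:
          GH_TOKEN: ${{ github.token }}
          # Event fields are passed through env, never interpolated into the
          # script text, so attacker-controlled values cannot inject shell.
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          APPROVED: "alice bob"              # placeholder logins, lowercase
          CONTACT: "maintainer@example.org"  # placeholder contact channel
        run: |
          # GitHub logins are case-insensitive; normalise before comparing.
          author=$(printf '%s' "$PR_AUTHOR" | tr '[:upper:]' '[:lower:]')
          for login in $APPROVED; do
            if [ "$login" = "$author" ]; then
              echo "Author $author is approved; leaving the PR open."
              exit 0
            fi
          done
          gh pr close "$PR_URL" --comment "This repository only accepts pull requests from approved contributors. To make the case for a change, write to $CONTACT."
```

Because the workflow file is read from the base branch, a PR that edits the allowlist has no effect on whether that PR itself is closed.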
Link - https://sourcehut.org/