Hi there! I’m Luca (@bocaletto-luca), and I’ve put together this repo to demonstrate a surprising “feature” (or vulnerability?) in GitHub’s contribution model. With a single workflow file, you can automatically farm commits, issues, PRs, wiki edits, releases and comments every hour—artificially inflating your contribution graph.
Feel free to explore, reproduce, and share feedback. If you agree this could be abused at scale, please consider upvoting my feedback issue on GitHub or submitting your own.
You can find the full workflow YAML in the root as `bug-github-farms-points.txt`.
To try it yourself:
- Clone this repo.
- Rename `bug-github-farms-points.txt` to `.github/workflows/super-farm-points.yml`.
- Commit & push to your own repository.
- Wait for the next hour tick (or run the workflow manually).
- Watch your contribution graph skyrocket with automated activity!
Inside the workflow you’ll see jobs that, every hour:
- Generate multiple commits by overwriting a tiny file.
- Open & close issues
- Create, merge & clean up pull requests
- Update the repository wiki
- Tag & publish GitHub Releases
- Comment on the latest issue
All of this runs under one workflow and uses only GitHub’s official Actions tokens and APIs.
- Inflated metrics: The contribution graph can be “gamed” without manual work.
- Resource consumption: Free-tier minutes and API rate limits could be wasted.
- Misleading signals: Recruiters, collaborators or open-source maintainers may be misled by high activity.
- Potential policy violation: GitHub’s Terms of Service discourage abuse of automated workflows and spam.
- Distinguish human vs. scheduled: Exclude commits made by scheduled workflows from contribution counts.
- Rate-limit scheduled contributions: Cap the number of workflow-generated commits/issues per day.
- Flag detected patterns: Alert users or admins when a single workflow generates high-volume activity.
- Opt-in for counting scheduled events: Let users choose whether scheduled runs should appear in their public graph.
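A sketch of how the "rate-limit" and "flag detected patterns" ideas above could be checked over an activity log. This is an added example, not code from this repo and not GitHub's own logic. The event tuples, actor names and thresholds are constructed assumptions, not a GitHub API schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

KINDS = ["commit", "issue", "pull_request", "release", "comment"]

def make_sample():
    """Constructed sample events as (actor, kind, timestamp) tuples."""
    base = datetime(2025, 1, 6, 0, 7)
    events = []
    for hour in range(24):  # one burst of five event kinds every hour
        tick = base + timedelta(hours=hour)
        for i, kind in enumerate(KINDS):
            events.append(("farm-account", kind, tick + timedelta(seconds=10 * i)))
    for minutes in (545, 561, 602, 790, 845, 1010):  # irregular manual work
        events.append(("human-dev", "commit", base + timedelta(minutes=minutes)))
    return events

def flag_scheduled_activity(events, daily_cap=50, max_jitter_s=120,
                            min_ticks=6, burst_window_s=300):
    """Return {actor: [reasons]} for actors over the daily cap or on a fixed cadence."""
    by_actor = defaultdict(list)
    for actor, _kind, ts in events:
        by_actor[actor].append(ts)
    flagged = {}
    for actor, stamps in by_actor.items():
        stamps.sort()
        per_day = defaultdict(int)
        for ts in stamps:
            per_day[ts.date()] += 1
        # Collapse each burst (one workflow run emits several events) into one tick.
        ticks = [stamps[0]]
        for ts in stamps[1:]:
            if (ts - ticks[-1]).total_seconds() > burst_window_s:
                ticks.append(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(ticks, ticks[1:])]
        reasons = []
        if max(per_day.values()) > daily_cap:
            reasons.append("daily_cap")
        # Near-constant spacing between ticks suggests a cron-style schedule.
        if len(ticks) >= min_ticks and pstdev(gaps) <= max_jitter_s:
            reasons.append("periodic")
        if reasons:
            flagged[actor] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_scheduled_activity(make_sample()))
```

The jitter and burst-window values need tuning against real data, since scheduled runs do not always start exactly on the hour.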
I’ve also contacted GitHub Security ([email protected]) with this Proof of Concept. My goal is to help make GitHub metrics more trustworthy and to highlight how automation can be misused. If you’re a security researcher or GitHub staffer, you’re welcome to review and follow up here.
- Fork this repo and experiment safely on a throwaway repository.
- Upvote or comment on my GitHub feedback issue.
- Share ideas for community-driven solutions in `docs/suggestions.md` (coming soon!).
- Spread the word so metrics stay meaningful for everyone.
Thanks for checking this out! If you have questions or improvements, open an issue here or reach out on Twitter @bocaletto_luca. Let’s work together to keep GitHub honest—and fun.
Happy farming (but only for demonstration purposes)!
Luca (@bocaletto-luca)
don't do this, it will certainly be illegal and immoral