I Built a GitHub Action to Stop AI-Generated PRs Before They Reach My Queue

Source: DEV Community
Last year, Daniel Stenberg — the author of curl — shut down his project's bug bounty program. The reason? 20% of the incoming reports were AI-generated garbage. Not just low-quality — worthless. Hallucinated vulnerabilities, copy-pasted exploit templates, fabricated CVEs. His team was spending more time triaging noise than fixing real bugs.

This is the asymmetry nobody talks about: AI can generate 500 lines of plausible-looking code in two seconds. Reviewing it still takes a human hours. And it's breaking open source.

The industry's fix made things worse

When the "AI PR flood" problem became obvious, the market responded with AI code review bots — CodeRabbit, Copilot review, and friends. Here's the problem: they review code the way an anxious intern would. They flood your PR timeline with comments about variable naming, whitespace, missing docstrings. They are glorified linters with a chat interface.

Maintainers went from dealing with one source of noise (AI-generated PRs) to dealing w