GitHub is exploring tools to help maintainers deal with an influx of low-quality contributions, including the ability to disable pull requests entirely at the repository level.
The company pinned a discussion last week acknowledging what maintainers have been reporting: they're spending substantial time reviewing contributions that fail to follow project guidelines, get abandoned quickly, and are increasingly AI-generated. The request to disable PRs dates back to 2016.
What GitHub is considering
Short-term options include:
- Repository-level PR controls to disable PRs entirely or restrict them to collaborators only
- The ability to delete PRs from the UI (currently requires workarounds)
Longer-term, GitHub is exploring enhanced permission models with more granular controls over who can create and review PRs, improved triage tools that potentially use AI to evaluate contributions against project standards, and better transparency around AI-assisted contributions.
The timing is notable. GitHub deprecated Dependabot PR commands on January 27, signaling tighter control over PR workflows. Meanwhile, maintainers have been building custom automations to auto-close external PRs, a clear signal that native controls are overdue.
The security angle
Enterprise teams should note the risk: pull requests from forks can expose secrets through GitHub Actions if workflow permissions aren't properly configured. Organization settings for approving fork workflows matter here.
The counterargument
Some maintainers argue that disabling PRs entirely could hide valuable fixes in abandoned repositories. They suggest maintainer-only PR access rather than complete blocks. Others point to existing workarounds like interaction limits or branch protection rules, though these don't fully solve the problem.
The discussion thread shows persistent demand, with multiple requests since 2018 for this exact feature. What's changed is the volume: AI code generation tools have made it trivially easy to submit PRs at scale, and maintainers are feeling it.
GitHub is seeking feedback in the pinned discussion. The real test will be whether the company ships granular controls or just adds another binary toggle.