Welcome OSS contributors with AI review

Volunteer maintainer with a day job. Gets 5-15 PRs/week. Review time available: maybe 2-3 hours on weekends. Result: PRs sit for days, drive-by contributors lose interest, the project's velocity drops, the maintainer burns out.

AI code review fills the gap. Within 60 seconds of PR open, contributor gets feedback: bugs flagged, style improvements suggested, security smells caught. Conversation starts immediately, before contributor context-switches away.

Maintainer's role shifts: instead of doing the entire review, they sanity-check AI findings + provide architectural judgment + decide on merge. Time-per-PR drops from 30-60 minutes to 5-10 minutes.

Open-source repos face supply-chain attack vectors that closed repos don't: forks can open PRs that exploit workflow misconfigurations (pull_request_target combined with checking out fork code → secret exfiltration).

LGTM Security's CI/CD detector set catches these patterns at PR review time. Self-hosted runner abuse, mutable action references, dangerous trigger combinations — all flagged as blocker-severity, blocking merge until resolved.

Specifically tuned for the OSS threat model: the runtime watchdog runs as a GitHub Action installed on default branch and triggers on every push (including direct commits if a maintainer goes rogue). Defense in depth for the most-attacked OSS pathway.

Free plan covers most OSS use cases: 20 reviews/month, all 6 agents, all 16 security detectors, BYOK. Sufficient for a typical OSS project with moderate PR volume.

Higher-volume OSS: Pro at ₹399/mo or USD equivalent. Or: ask for OSS sponsorship — established OSS projects with public health metrics (GitHub Sponsors, OpenCollective, etc.) can email tarinagarwal@gmail.com for free Pro access.

BYOK approach: keys you bring are yours — but if you want LGTM-provided keys for an OSS project (so contributors don't need accounts), the sponsorship path covers this.

First-time contributor PR feedback is delicate. Aggressive nitpicking drives people away. LGTM's tone is configurable: Settings → Repos → {repo} → Tone → 'OSS Welcome'.

OSS Welcome tone changes: findings are framed as suggestions, not commands. Cosmetic findings get rolled into the summary rather than inline (less visual noise). Security findings still surface as blocker-severity (those matter).

Comparison: 'OSS Welcome' vs default 'Standard' tone. Standard says 'This is wrong — fix X'. OSS Welcome says 'Consider X — this would improve Y' for non-critical findings. For critical findings (security, blocker bugs), both tones are direct because correctness matters more than feelings.

LGTM's review comment includes a friendly opener for first-time contributors to the repo (detected via GitHub's `author_association` field on the PR). 'Welcome to {repo}! Here's some automated feedback before a maintainer reviews...'

Findings include 'why' context, not just 'what'. 'This null check is redundant because X is already validated above on line N' — teaches the contributor, doesn't just dictate.

Contributor's response to AI findings (resolved / ignored / disputed) is captured in the audit log. Useful data for maintainers to see which agents are most/least useful for their project.