{"id":29247084,"url":"https://github.com/bocaletto-luca/bug-github-farms-points","last_synced_at":"2026-04-27T00:31:39.885Z","repository":{"id":302459114,"uuid":"1012520033","full_name":"bocaletto-luca/bug-github-farms-points","owner":"bocaletto-luca","description":"Auto Farms Points BUG in Github Author: Bocaletto Luca Hi there! I’m Luca (@bocaletto-luca), and I’ve put together this repo to demonstrate a surprising “feature” (or vulnerability?) in GitHub’s contribution model. With a single workflow file, you can automatically farm commits, issues, PRs, wiki edits, releases and comments every hour—artificially","archived":false,"fork":false,"pushed_at":"2025-07-11T16:31:39.000Z","size":67,"stargazers_count":5,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-11T18:38:16.818Z","etag":null,"topics":["bocaletto-luca","bug","farms","github","github-bug","hack","hacking","points","security","yaml"],"latest_commit_sha":null,"homepage":"https://bocaletto-luca.github.io/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bocaletto-luca.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-02T13:06:19.000Z","updated_at":"2025-07-11T16:31:42.000Z","dependencies_parsed_at":"2025-07-02T14:26:10.934Z","dependency_job_id":null,"html_url":"https://github.com/bocaletto-luca/bug-github-farms-points","commit_stats":null,"previous_names":["bocaletto-luca/bug-github-farms-points"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bocaletto-luca/bug-github-farms-points","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocaletto-luca%2Fbug-github-farms-points","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocaletto-luca%2Fbug-github-farms-points/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocaletto-luca%2Fbug-github-farms-points/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocaletto-luca%2Fbug-github-farms-points/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bocaletto-luca","download_url":"https://codeload.github.com/bocaletto-luca/bug-github-farms-points/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocaletto-luca%2Fbug-github-farms-points/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32318417,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"ssl_error","status_checked_at":"2026-04-26T23:26:25.802Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bocaletto-luca","bug","farms","github","github-bug","hack","hacking","points","security","yaml"],"created_at":"2025-07-04T00:00:59.734Z","updated_at":"2026-04-27T00:31:39.881Z","avatar_url":"https://github.com/bocaletto-luca.png","language":"HTML","readme":"# Auto Farms Points\n## BUG in Github\n#### Author: Bocaletto Luca\n\nHi there! I’m Luca ([@bocaletto-luca](https://github.com/bocaletto-luca)), and I’ve put together this repo to demonstrate a surprising “feature” (or vulnerability?) in GitHub’s contribution model. With a single workflow file, you can automatically farm commits, issues, PRs, wiki edits, releases and comments every hour—artificially inflating your contribution graph.\n\nFeel free to explore, reproduce, and share feedback. If you agree this could be abused at scale, please consider upvoting my [feedback issue on GitHub](https://github.com/github/feedback) or submitting your own.\n\n[![Read Online](https://img.shields.io/badge/Read%20Online-Here-blue?style=flat-square\u0026logo=github)](https://github.com/bocaletto-luca/bug-github-farms-points/index.html)\n\n---\n\n## 📄 Proof of Concept\n\nYou can find the full workflow YAML in the root as  \n**bug-github-farms-points.txt**  \n\nTo try it yourself:\n\n1. **Clone** this repo.  \n2. **Rename** `bug-github-farms-points.txt` to  \n   `.github/workflows/super-farm-points.yml`  \n3. **Commit \u0026 push** to your own repository.  \n4. Wait for the next hour tick (or run the workflow manually).  \n5. Watch your contribution graph skyrocket with automated activity!\n\n---\n\n## 🔍 What’s happening under the hood\n\nInside the workflow you’ll see jobs that, every hour:\n\n- Generate multiple commits by overwriting a tiny file.\n- Open \u0026 close issues  \n- Create, merge \u0026 clean up pull requests  \n- Update the repository wiki  \n- Tag \u0026 publish GitHub Releases  \n- Comment on the latest issue  \n\nAll of this runs under **one workflow** and uses only GitHub’s official Actions tokens and APIs.\n\n---\n\n## ⚠️ Impact\n\n- **Inflated metrics**: The contribution graph can be “gamed” without manual work.  \n- **Resource consumption**: Free-tier minutes and API rate limits could be wasted.  \n- **Misleading signals**: Recruiters, collaborators or open-source maintainers may be misled by high activity.  \n- **Potential policy violation**: GitHub’s Terms of Service discourage abuse of automated workflows and spam.\n\n---\n\n## 🛠 Suggested Mitigations\n\n1. **Distinguish human vs. scheduled**  \n   - Exclude commits made by scheduled workflows from contribution counts.  \n2. **Rate-limit scheduled contributions**  \n   - Cap the number of workflow‐generated commits/issues per day.  \n3. **Flag detected patterns**  \n   - Alert users or admins when a single workflow generates high-volume activity.  \n4. **Opt-in for counting scheduled events**  \n   - Let users choose whether scheduled runs should appear in their public graph.\n\n---\n\n## 🤝 Responsible Disclosure\n\nI’ve also contacted GitHub Security (security@github.com) with this Proof of Concept. My goal is to help make GitHub metrics more trustworthy and to highlight how automation can be misused. If you’re a security researcher or GitHub staffer, you’re welcome to review and follow up here.\n\n---\n\n## 🚀 Next Steps\n\n- Fork this repo and experiment safely on a throwaway repository.  \n- Upvote or comment on my [GitHub feedback issue](https://github.com/github/feedback).  \n- Share ideas for community-driven solutions in `docs/suggestions.md` (coming soon!).  \n- Spread the word so metrics stay meaningful for everyone.\n\n---\n\nThanks for checking this out! If you have questions or improvements, open an issue here or reach out on Twitter @bocaletto_luca. Let’s work together to keep GitHub honest—and fun.\n\nHappy farming (but only for demonstration purposes)!  \nLuca (@bocaletto-luca)  \n\n---\n\ndon't do this, it will certainly be illegal and immoral\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbocaletto-luca%2Fbug-github-farms-points","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbocaletto-luca%2Fbug-github-farms-points","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbocaletto-luca%2Fbug-github-farms-points/lists"}