[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-open-source-maintainer-ai-en":3,"seo:pack:open-source-maintainer-ai:en":98},{"code":4,"message":5,"data":6},200,"操作成功",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":97},"open-source-maintainer-ai","🛠️","#22D3EE","new","New · this week","Open Source Maintainer AI Pack — Run a GitHub Repo End-to-End","The 10 picks a solo or small-team OSS maintainer would wire onto a real GitHub repo: GitHub MCP for AI access, actionlint to keep workflows honest, PR-Agent + reviewdog + Claude Code Security Review for layered PR review, Renovate + Gitleaks for dependency and secret hygiene, Release Please for changelog-driven releases, Docusaurus for docs, Weblate for community translations. Install in this order, AI takes the first pass on issue triage \u002F PR review \u002F release \u002F docs \u002F i18n.",[16,28,38,47,54,61,68,76,83,90],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},393,"679a2650-b97b-4e8e-af6e-b51bafcbf610","github-mcp-server-official-github-ai-integration-679a2650","GitHub MCP Server — Official GitHub AI Integration","GitHub's official MCP server that lets AI assistants manage repos, issues, PRs, Actions, and code search through the Model Context Protocol.","GitHub",188,0,"en","mcp","MCP",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":34,"view_count":35,"vote_count":24,"lang_type":25,"type":36,"type_label":37},3214,"2a65110c-eb7a-4e41-ac09-2f700b5043a1","actionlint-lint-github-actions-locally","actionlint — Lint GitHub Actions Locally","actionlint catches syntax mistakes and expression\u002Ftype errors in GitHub Actions workflows before CI runs, so broken YAML never blocks your team.","Script 
Depot",111,"script","Script",{"id":39,"uuid":40,"slug":41,"title":42,"description":43,"author_name":34,"view_count":44,"vote_count":24,"lang_type":25,"type":45,"type_label":46},237,"2d7fe041-6270-4b2b-a768-cdbc9ca6fcd7","pr-agent-ai-powered-code-review-pull-requests-2d7fe041","PR-Agent — AI-Powered Code Review for Pull Requests","AI code reviewer for GitHub\u002FGitLab\u002FBitbucket PRs. Auto-generates descriptions, reviews code, suggests improvements, answers questions. By Qodo. 10.7K+ stars.",158,"skill","Skill",{"id":48,"uuid":49,"slug":50,"title":51,"description":52,"author_name":34,"view_count":53,"vote_count":24,"lang_type":25,"type":36,"type_label":37},3213,"e9ba168c-1bce-4dc4-be6a-a8d99a670061","reviewdog-turn-lint-into-pr-review-comments","reviewdog — Turn Lint Into PR Review Comments","reviewdog reads any linter output and posts precise PR comments or Checks, so teams can enforce quality without noisy, copy-pasted logs in reviews.",63,{"id":55,"uuid":56,"slug":57,"title":58,"description":59,"author_name":34,"view_count":60,"vote_count":24,"lang_type":25,"type":45,"type_label":46},3185,"8285e471-0fcb-4bb3-a945-cbcac969474e","claude-code-security-review-pr-audit-action","Claude Code Security Review — PR Audit Action","Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.",41,{"id":62,"uuid":63,"slug":64,"title":65,"description":66,"author_name":34,"view_count":67,"vote_count":24,"lang_type":25,"type":45,"type_label":46},1547,"9b8e21a5-3942-11f1-9bc6-00163e2b0d79","renovate-automated-dependency-update-bot-9b8e21a5","Renovate — Automated Dependency Update Bot","Renovate keeps your dependencies fresh by automatically opening pull requests for updates across 90+ package managers, with fine-grained control over grouping, scheduling, and 
automerge.",75,{"id":69,"uuid":70,"slug":71,"title":72,"description":73,"author_name":74,"view_count":75,"vote_count":24,"lang_type":25,"type":45,"type_label":46},1194,"40b108c4-372b-11f1-9bc6-00163e2b0d79","gitleaks-find-secrets-git-repos-code-40b108c4","Gitleaks — Find Secrets in Git Repos and Code","Gitleaks is a fast SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in Git repositories. It scans commit history and source code using regex patterns, preventing secret leaks before they reach production.","AI Open Source",125,{"id":77,"uuid":78,"slug":79,"title":80,"description":81,"author_name":34,"view_count":82,"vote_count":24,"lang_type":25,"type":45,"type_label":46},4019,"2bb669cb-5058-11f1-9bc6-00163e2b0d79","release-please-automated-releases-based-conventional-commits-2bb669cb","Release Please — Automated Releases Based on Conventional Commits","Release Please generates release pull requests and changelogs from Conventional Commit messages, automating semantic versioning and publishing for GitHub repositories.",62,{"id":84,"uuid":85,"slug":86,"title":87,"description":88,"author_name":74,"view_count":89,"vote_count":24,"lang_type":25,"type":45,"type_label":46},453,"2c489776-4de1-435c-a5a7-15b33e34efeb","docusaurus-documentation-sites-made-easy-2c489776","Docusaurus — Documentation Sites Made Easy","Build fast, SEO-friendly documentation websites with React and Markdown. By Meta. Powers 10K+ sites. 64K+ GitHub stars.",220,{"id":91,"uuid":92,"slug":93,"title":94,"description":95,"author_name":74,"view_count":96,"vote_count":24,"lang_type":25,"type":45,"type_label":46},1776,"cb2ceff8-3bca-11f1-9bc6-00163e2b0d79","weblate-web-based-continuous-localization-platform-cb2ceff8","Weblate — Web-Based Continuous Localization Platform","A web-based translation management system with tight version control integration. 
Weblate automates the localization workflow with translation memory, machine translation, and quality checks.",122,"tokrepo install pack\u002Fopen-source-maintainer-ai",{"pageType":99,"pageKey":8,"locale":25,"title":100,"metaDescription":101,"h1":102,"tldr":103,"bodyMarkdown":104,"faq":105,"schema":121,"internalLinks":158,"citations":171,"wordCount":184,"generatedAt":185},"pack","Open Source Maintainer AI Pack — 10 Tools to Run a GitHub Repo End-to-End","GitHub MCP, actionlint, PR-Agent, reviewdog, Claude Code Security Review, Renovate, Gitleaks, Release Please, Docusaurus, Weblate — install in this order and AI handles the boring layer of issue triage, PR review, releases, docs, and translation. Install via TokRepo.","Open Source Maintainer AI Pack — A 10-Tool Rig for the Solo (or Tiny-Team) OSS Maintainer","Ten picks in install order across five layers — issue\u002FPR access (GitHub MCP, actionlint), PR review (PR-Agent + reviewdog + Claude Code Security Review), dependencies + secrets (Renovate, Gitleaks), release + changelog (Release Please), and docs + community translation (Docusaurus, Weblate). AI takes the first pass on every layer; you keep the merge button, the release decision, and the tone of voice.","## What's in this pack\n\nYou maintain an open-source repo. Maybe alone, maybe with one or two others. Issues pile up faster than you can triage. Every dependency update is a possible 2am page. Releases drift because changelog-writing feels like homework. The docs site is two versions behind the code. 
A friendly translator showed up six months ago and you still haven't merged their PR.\n\nThis pack is the **10 tools** a working OSS maintainer would actually wire onto a real GitHub repo to put AI in front of the boring layer — so humans stay on the parts only humans can do: API design, breaking-change calls, community tone, who gets commit bit.\n\nThe pack covers **five layers**:\n\n- **Issue & PR access** — give an AI agent typed, safe access to your repo (GitHub MCP) and keep the Actions workflows themselves honest (actionlint).\n- **PR review** — a layered first pass before a human opens the diff: AI reviewer (PR-Agent), lint-as-inline-comments (reviewdog), security-specific audit (Claude Code Security Review).\n- **Dependencies & secrets** — keep the supply chain moving without 2am pages: Renovate for grouped, scheduled updates; Gitleaks to catch accidental secret commits.\n- **Release & changelog** — Release Please reads conventional commits and ships PRs that update CHANGELOG, bump versions, cut GitHub Releases.\n- **Docs & community translation** — Docusaurus for a docs site that doesn't rot; Weblate so the eighteen people who'd love to translate your README don't have to file a PR per string.\n\nWho this is **not** for: a 50-engineer corporate monorepo (you have an internal platform team — different problem). A 100-star side project (overkill — install GitHub MCP + actionlint and stop). The sweet spot is **a repo with 500-50,000 stars, 1-5 maintainers, real outside contributors, and at least one paid downstream that complains when you break things**.\n\n## Install in this order\n\n1. **GitHub MCP Server — Official GitHub AI Integration** — Foundation. Wire Claude (or any MCP-compatible agent) into GitHub: issues, PRs, diffs, comments, labels, branches, Actions status, security alerts. Every later AI step in this pack assumes the agent can *talk to GitHub*. Without MCP your AI is reading screenshots.\n2. 
**actionlint — Lint GitHub Actions Locally** — Before you trust any GitHub Action to do anything (including everything else in this pack), run actionlint on `.github\u002Fworkflows\u002F`. Catches shell-injection holes, missing `permissions:` blocks, broken `if:` conditionals, expired `actions\u002Fcheckout@v3` pins. Cheapest insurance you'll ever buy. Run on pre-commit and in CI. A clean lint run does not make a workflow least-privilege: still declare an explicit, minimal `permissions:` block in each workflow.\n3. **PR-Agent — AI-Powered Code Review for Pull Requests** — On every PR open: structured description, multi-section review (key changes \u002F suggestions \u002F security \u002F tests), and `\u002Fask` follow-ups in comments. The AI first pass that catches the boring 60% so reviewers start at architecture, not formatting.\n4. **reviewdog — Turn Lint Into PR Review Comments** — Whatever linters you already run (ESLint \u002F golangci-lint \u002F ruff \u002F clippy \u002F etc.), reviewdog reposts their findings **as inline comments on the exact diff line**. Stop hunting through CI logs. Pairs with PR-Agent: AI does prose review, reviewdog does deterministic lint.\n5. **Claude Code Security Review — PR Audit Action** — A second AI reviewer with a *security-specific prompt*: SQL injection, auth bypass, leaked secrets, unsafe deserialization, supply-chain weirdness. Distinct from PR-Agent because it has threat-model context. Mute on docs-only PRs. The reviewer reads contributor-written diffs while an API key is in scope, so treat PR content as untrusted input to the model and require maintainer approval before workflows run on PRs from outside contributors.\n6. **Renovate — Automated Dependency Update Bot** — Grouped, scheduled, configurable. Beats the default Dependabot setup once you have >50 deps: combine all patch updates into one PR, schedule majors for Tuesday morning, auto-merge devDependencies after CI green. Free for OSS; one config file.\n7. **Gitleaks — Find Secrets in Git Repos and Code** — Pre-commit hook + GitHub Action. The day you accept an outside PR that contains a `.env.example` with a real token, you'll wish you'd installed this last week. Cheap, catches the obvious, runs in seconds. A secret that has already reached a pushed branch is exposed: revoke and rotate it, do not just delete the commit.\n8. 
**Release Please — Automated Releases Based on Conventional Commits** — Reads conventional commits since last tag, opens a release PR with version bump + CHANGELOG diff. Merge the release PR → it tags, cuts a GitHub Release, optionally publishes. The release ritual collapses from \"write changelog, bump version, tag, push, write release notes\" to \"approve the bot's PR.\"\n9. **Docusaurus — Documentation Sites Made Easy** — React-based docs site (Meta-built, MIT). Versioning, dark mode, search via Algolia DocSearch, MDX. Deploys to GitHub Pages with one Action. The docs site that doesn't make you cringe to send people to.\n10. **Weblate — Web-Based Continuous Localization Platform** — Community translators get a web UI to translate strings; their work flows back as PRs to your repo. Self-host or use Hosted Weblate (free for libre projects). This is how you stop losing the translator who showed up in March and how you actually ship in 7 languages.\n\n## How they fit together\n\n```\n        Contributor                      GitHub repo                    Maintainer (you)\n        ───────────                      ───────────                    ────────────────\n  opens issue ──────────────▶  Issues  ─── GitHub MCP (#1) ──▶  AI triage (label, assign, ask for repro)\n                                                                       │\n                                                                       ▼\n  opens PR    ──────────────▶  PR opens ──▶  actionlint (#2 on workflow files)\n                                            PR-Agent (#3 prose review)\n                                            reviewdog (#4 lint inline)\n                                            Security Review (#5 audit)\n                                                                       │\n                                                                       ▼\n                                                            you see: 3-line AI summary\n                                    
                                + 5 ranked comments\n                                                                    + green CI\n                                                            you decide: merge \u002F nudge \u002F close\n                                                                       │\n  Renovate (#6) ─── opens dep-update PRs ─────▶  ── same review pipeline ─┘\n  Gitleaks (#7) ─── blocks secret commits before merge\n                                                                       │\n                                                                       ▼\n                                                  Release Please (#8) opens release PR\n                                                  reads conventional commits since last tag\n                                                  → CHANGELOG diff + version bump\n                                                                       │\n                                                              merge release PR ─▶ tag + GitHub Release\n                                                                       │\n                                                                       ▼\n                                                  Docusaurus (#9) docs site rebuilds\n                                                  Weblate (#10) pulls new strings → translators → back as PRs\n```\n\nThe load-bearing trio is **GitHub MCP (#1) + reviewdog (#4) + Release Please (#8)** — access, signal-to-noise transform on every PR, and the release loop that finally closes by itself. Add the AI reviewers (#3, #5) for prose judgment; add Renovate (#6) and Gitleaks (#7) once the review pipeline can actually digest their PRs; add docs (#9) and translation (#10) once the repo deserves them.\n\n## Tradeoffs you'll hit\n\n- **Auto-merge on dependency PRs is a footgun.** Renovate + green CI + auto-merge sounds great until a patch-level update of a transitive dep bricks production. 
Auto-merge **only** for `devDependencies` and only after a full test run (not just lint). Majors stay manual forever.\n- **AI reviewers can read as condescending in OSS.** A first-time contributor opens a 12-line PR and gets a 400-word \"the AI thinks you should restructure this\" reply. That contributor doesn't come back. Set PR-Agent + Security Review to **only post on \"high\" or \"critical\"** by default. Reserve the verbose review for trusted contributors or label-gated `ai-review` opt-in.\n- **Machine translation quality varies wildly.** Weblate can suggest translations from DeepL \u002F OpenAI \u002F Google — useful for *kickstarting* a locale, dangerous as the final string. Always require a human reviewer for any locale that's marketing-facing (README, docs landing) before merging machine-suggested PRs.\n- **Release Please's changelog can read like a robot wrote it.** Because one did. If your audience is users (not just other developers), spend 5 minutes editing the release PR description into human prose before merging. The bot writes \"feat(api): add retry-after header support\"; you rewrite to \"You can now configure how long the client backs off after a 429.\"\n- **Stale-bot logic is intentionally left out of this pack.** Closing inactive issues automatically tends to anger users who reported real bugs that you didn't get to. If you must, run it manually with a high threshold (180+ days) and a personally-written message, not on a cron with template prose.\n\n## Common pitfalls\n\n- **Auto-stale closes valid issues.** A bug filed against v2.1 that you fixed in v3.0 sits in the queue with no comments. The stale bot closes it. The original reporter sees a notification 6 months later: \"Closed as inactive.\" They tell their friends your project is unwelcoming. **Don't auto-close. Auto-label `needs-triage`. 
Triage manually or with AI assist (#1).**\n- **Auto-merging Renovate PRs Dependabot-style can break transitive deps.** Lockfile-only updates *look* safe but can bump a transitive dependency that changes behavior. **Require full test suite green, not just install green.** And do not auto-merge anything that ships in production binaries.\n- **PR-Agent \u002F Bug Hunter labels the PR with the wrong area.** Most AI label classifiers get 80% right and 20% confidently wrong. Treat AI labels as *suggestions*; require a human (or a deterministic CODEOWNERS-based) label for anything that routes notifications. Wrong label = wrong reviewer = PR dies.\n- **Changelog reads like `feat(api): add new flag`.** That's the commit message, not the release note. Either edit Release Please's PR before merging, or set its config to use a different section template so user-facing wins are surfaced separately from internal refactors.\n- **Docusaurus deployed to `gh-pages` once, never again.** The Action ran on a 2-year-old token. The token expired. Nobody noticed for 8 months. The docs are 8 months behind the code. **Use GitHub Pages deploy via GITHUB_TOKEN (issued fresh for each workflow run), not a PAT. And add a weekly cron that just verifies the docs site is reachable.**",[106,109,112,115,118],{"q":107,"a":108},"Is it safe to auto-merge Renovate \u002F Dependabot PRs?","Conditionally yes for devDependencies, almost never for production dependencies. Safe pattern: auto-merge `devDependencies` patch + minor after the full test suite (not just lint) is green; require human approval for any prod dep, any major bump, and any change that touches lockfile-resolved transitives in your runtime path. The blast radius of an unattended bad merge in your build tools is small; in your shipped binary it can be a service incident. That assumes the CI jobs running those build tools hold no publish tokens or deploy credentials, since dev dependencies execute code in CI. 
Configure with `automerge: false` as the default and explicit `packageRules` for the safe categories.",{"q":110,"a":111},"Does AI review (PR-Agent, Claude Code Security Review) replace human reviewers?","No — it shifts what humans review. AI catches the boring 60% (style, missing tests, obvious security smells, breaking-change naming). Humans still do the load-bearing 40%: is this the right abstraction, does this feature belong in the project at all, what's the upgrade path for users on the old API, can we live with this for 5 years. On a healthy OSS repo, AI review means *more* PRs get any review at all (the queue stops being the bottleneck), but the merge decision stays human.",{"q":113,"a":114},"Which translation tool — Weblate, Crowdin, or just Pull Requests with Markdown?","Weblate if you want self-hosted control and have any contributors who'd rather use a web UI than write YAML. Crowdin (commercial, free OSS plan) if you want a polished product and don't mind a SaaS dependency. Plain PRs against `docs\u002Fi18n\u002F*.md` if you have 2-3 strong technical translators who already know git. Picking Weblate here because it's open, self-hostable, integrates back into git as PRs (so it survives migration), and Hosted Weblate is free for libre projects so you don't even have to run it yourself to start.",{"q":116,"a":117},"How do I actually deploy AI issue triage without it labeling everything wrong?","Three-step ramp. Step 1: connect GitHub MCP (#1) and run an agent over open issues *in read-only mode* — have it propose labels in a Markdown report, you spot-check. Step 2: enable write access but only for a non-routing label like `triaged-ai`; humans still apply routing labels. Step 3: once you've watched accuracy for two weeks and it's consistently 90%+, enable writing area labels. 
Always keep `needs-human-triage` as the default for low-confidence cases — better an unlabeled issue than a wrong-labeled one that lands in the wrong reviewer's inbox.",{"q":119,"a":120},"How do I make Release Please \u002F changelog generators not read like a robot?","Three knobs. (1) Enforce conventional commits at commit time (use Commitlint, separate skill) — `fix: handle empty array` is fine; `update stuff` becomes the bot's input. Garbage in, robot-prose out. (2) Configure Release Please's section types so user-visible categories (`feat`, `fix`, `perf`) render under prose-friendly headers like \"What's new\" \u002F \"Fixed\" \u002F \"Performance,\" and internal categories (`chore`, `refactor`) get hidden or collapsed. (3) Before merging the release PR, spend 5 minutes editing the body. Lead with the user-visible win in one sentence (\"This release adds opt-in retry-after handling so your client respects rate limits.\"), then let the auto-generated list follow. The bot drafts; you finish.",{"@context":122,"@type":123,"name":124,"description":125,"numberOfItems":126,"inLanguage":25,"itemListElement":127},"https:\u002F\u002Fschema.org","ItemList","Open Source Maintainer AI Pack","Ten picks in install order for a working OSS maintainer — GitHub MCP, actionlint, PR-Agent, reviewdog, Claude Code Security Review, Renovate, Gitleaks, Release Please, Docusaurus, Weblate — covering issue triage, PR review, dependencies, releases, docs, and community 
translation.",10,[128,132,135,138,141,144,147,150,153,156],{"@type":129,"position":130,"url":131,"name":20},"ListItem",1,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fgithub-mcp-server-official-github-ai-integration-679a2650",{"@type":129,"position":133,"url":134,"name":32},2,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Factionlint-lint-github-actions-locally-2a65110c",{"@type":129,"position":136,"url":137,"name":42},3,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fpr-agent-ai-powered-code-review-pull-requests-2d7fe041",{"@type":129,"position":139,"url":140,"name":51},4,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Freviewdog-turn-lint-into-pr-review-comments-e9ba168c",{"@type":129,"position":142,"url":143,"name":58},5,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fclaude-code-security-review-pr-audit-action-8285e471",{"@type":129,"position":145,"url":146,"name":65},6,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Frenovate-automated-dependency-update-bot-9b8e21a5",{"@type":129,"position":148,"url":149,"name":72},7,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fgitleaks-find-secrets-git-repos-code-40b108c4",{"@type":129,"position":151,"url":152,"name":80},8,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Frelease-please-automated-releases-based-conventional-commits-2bb669cb",{"@type":129,"position":154,"url":155,"name":87},9,"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fdocusaurus-documentation-sites-made-easy-2c489776",{"@type":129,"position":126,"url":157,"name":94},"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fweblate-web-based-continuous-localization-platform-cb2ceff8",[159,163,167],{"url":160,"anchor":161,"reason":162},"\u002Fen\u002Ftopics\u002Fpr-review-automation","PR Review Automation Pack","Deeper dive on the PR-Agent + reviewdog + Security Review trio used inside this maintainer 
rig",{"url":164,"anchor":165,"reason":166},"\u002Fen\u002Fai-tools-for\u002Fcoding","AI tools for coding","Compare AI coding assistants you'd hand the repo to once the review pipeline is in place",{"url":168,"anchor":169,"reason":170},"\u002Fen\u002Ffeatured","Featured assets on TokRepo","Browse the broader curated catalog of skills, MCP servers, and CI integrations referenced here",[172,176,180],{"claim":173,"source_name":174,"source_url":175},"GitHub MCP Server is the official GitHub integration for Model Context Protocol clients","github\u002Fgithub-mcp-server","https:\u002F\u002Fgithub.com\u002Fgithub\u002Fgithub-mcp-server",{"claim":177,"source_name":178,"source_url":179},"Release Please automates release PRs from conventional commits","googleapis\u002Frelease-please","https:\u002F\u002Fgithub.com\u002Fgoogleapis\u002Frelease-please",{"claim":181,"source_name":182,"source_url":183},"Weblate is a libre web-based continuous localization platform","Weblate official site","https:\u002F\u002Fweblate.org\u002F",1506,"2026-05-23T12:00:00Z"]