One file, one check

Create your repository policy.

Pick a repo, choose who verifies, then copy .github/pr-captcha.yml. Start with fork, first-time, outside, and bot PRs.

  • Scan first
  • Copy YAML
  • Test before protecting
Guided policy start here
Scan repository
Scan first, then choose where the required check should apply.
Scan metrics: Open PRs, Fork pressure, Unknown authors, Bot PRs, Stale PRs, Spam labels.
Pick gate mode
Choose PR targets
Decide what happens
Skip trusted traffic
.github/pr-captcha.yml generated policy
mode: hybrid

captcha:
  provider: cloudflare_turnstile

require:
  github_login: true
  solver_must_be_pr_author: true
  new_sha_requires_new_captcha: true

apply_to:
  all_pull_requests: false
  first_time_contributors: true
  outside_contributors: true
  fork_prs: true
  bots: true

skip:
  authors: []
  labels:
    - trusted-contributor
    - no-captcha

checks:
  create_required_check: true
  name: pr-captcha/human

comment:
  enabled: true
  tone: direct

universal_gate:
  rerun_after_verification: true
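
How the apply_to, skip and require keys in the policy above could combine into a check state, as an added Python example that is not pr-captcha's own code. The evaluation order (skip wins over apply_to), the mapping of contributor kinds to GitHub author_association values, and the shapes of the PR and solve records are assumptions; the sample PR is constructed.

```python
# Added illustration; not pr-captcha's own code. Evaluation order is assumed.
POLICY = {  # mirrors the generated .github/pr-captcha.yml above
    "require": {"solver_must_be_pr_author": True,
                "new_sha_requires_new_captcha": True},
    "apply_to": {"all_pull_requests": False, "first_time_contributors": True,
                 "outside_contributors": True, "fork_prs": True, "bots": True},
    "skip": {"authors": [], "labels": ["trusted-contributor", "no-captcha"]},
}

# GitHub author_association values; which ones count as "outside" or
# "first-time" for this policy is an assumption.
INSIDERS = {"OWNER", "MEMBER", "COLLABORATOR"}
FIRST_TIME = {"FIRST_TIMER", "FIRST_TIME_CONTRIBUTOR"}


def gate_applies(policy, pr):
    """True when the PR needs a solved CAPTCHA (assumption: skip wins)."""
    skip, target = policy["skip"], policy["apply_to"]
    if pr["author"] in skip["authors"] or set(pr["labels"]) & set(skip["labels"]):
        return False
    return any([
        target["all_pull_requests"],
        target["first_time_contributors"] and pr["association"] in FIRST_TIME,
        target["outside_contributors"] and pr["association"] not in INSIDERS,
        target["fork_prs"] and pr["is_fork"],
        target["bots"] and pr["is_bot"],
    ])


def check_state(policy, pr, solves):
    """Return 'skipped', 'pending' or 'success' for the PR's current head SHA."""
    if not gate_applies(policy, pr):
        return "skipped"
    req = policy["require"]
    for solve in solves:  # hypothetical record shape: {"login": ..., "sha": ...}
        if req["solver_must_be_pr_author"] and solve["login"] != pr["author"]:
            continue  # a solve by another account does not count for this PR
        if req["new_sha_requires_new_captcha"] and solve["sha"] != pr["head_sha"]:
            continue  # a push after the solve leaves the new head unverified
        return "success"
    return "pending"


# Constructed sample: a fork PR from a first-time contributor.
PR = {"author": "new-dev", "association": "FIRST_TIME_CONTRIBUTOR",
      "is_fork": True, "is_bot": False, "labels": [], "head_sha": "a1b2c3"}
```

With new_sha_requires_new_captcha set, a solve recorded for an earlier commit leaves the check pending once the author pushes again, which is the case the fork PR rehearsal should exercise.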

Branch protection

Use this checklist only after a fork PR rehearsal passes.

  • Commit policy: .github/pr-captcha.yml on the default branch.
  • Require check: pr-captcha/human after the first solved fork PR.
  • Keep rollback simple: remove one required check if the pilot is noisy.

Workflow guard

Copy this before heavy CI jobs when workflow mode is active.

name: CI

on:
  pull_request:

jobs:
  pr-captcha:
    name: pr-captcha / human
    runs-on: ubuntu-latest
    steps:
      - uses: aryabyte21/pr-captcha/packages/action@v1
        with:
          api-url: https://pr-captcha.aryaabyte.workers.dev

  heavy-ci:
    needs: pr-captcha
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test

Acceptance proof

Paste this into the pilot issue after the rehearsal is green.

Repository: kubernetes/kubernetes
Policy file: .github/pr-captcha.yml
Mode: hybrid
Required check: pr-captcha/human (enabled)
Solver: PR author only
Workflow guard: required before heavy jobs

Acceptance:
- Signed pull_request webhook creates a pending gate.
- Action fails before the exact head SHA is verified.
- Contributor solves CAPTCHA while logged in to GitHub.
- pr-captcha/human is updated to success for the same SHA.
- Action passes after verification.
- Branch protection is enabled only after the fork PR rehearsal passes.
Ready for branch protection

Generate policy to confirm the exact install consequences.

Install consequences

Mode: hybrid
Required check: pr-captcha/human
Comment: enabled
Workflow gate: rerun after verification

Diagnostics

  • Ready: Generate policy and preview before committing.