DEV Community

Flávio Pimenta

I submitted a real PR to a Brazilian open source project — live, using AI as my right hand

Last Saturday, at the AWS Community Day Brasília, I ran a workshop that combined two things I'm passionate about: open source contribution and AI-powered productivity.

The goal was simple and ambitious: take a real project, understand the codebase, select a viable issue, and submit a legitimate Pull Request — all live, using Kiro as my right hand.

The project I chose was ScanAPI (scanapi.dev), the first Brazilian project to receive GitHub sponsorship. Created by Camila Maia, it's a Python tool for chained API testing driven by YAML specs. It runs from the CLI, integrates into CI/CD pipelines, automatically redacts sensitive data, and generates visual reports. A serious project with contributors worldwide.

I started by asking Kiro to analyze the open issues. It came back with three candidates. Issue 957 (replace a deprecated library) looked perfect, but when we checked GitHub we found a PR had already been open for three weeks, just awaiting review. Issue 901 had one too. This was the real-world scenario: your first pick doesn't always work. I had to refine the request: "find open issues with no PR and no assignee."

That's when it found issue 916, a Docker Hub Image Hash Dependency Check bug. Commit 392 had introduced hash validation in the Dockerfile for security (OpenSSF Scorecard, a Linux Foundation project), but by release 2.13 the pinned pip and setuptools versions had become outdated, breaking the build. The temporary fix had been to remove the hashes and publish manually. The project was left vulnerable.

I said: "let's implement." I enabled Kiro's autonomous mode and in about 5 minutes it executed the complete flow:

  1. Fork created on my GitHub account
  2. Remotes configured (origin + upstream)
  3. Specific branch created
  4. Correct hashes obtained via pip download
  5. Dockerfile updated with SHA256 hashes
  6. GitHub Action workflow for automated build created
  7. Dependabot configured for automatic hash updates
  8. Push executed
  9. Pull Request submitted to the official repository
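What steps 4 and 5 amount to in practice, as an added example that is not ScanAPI's code or the contents of the PR: generating pip hash pins from downloaded artifacts and checking them the way pip's --require-hashes mode does, including the failure mode from issue 916 where the pinned bytes no longer match what upstream publishes. The package version, file names and file contents below are constructed for illustration, not the values in the real Dockerfile.

```python
"""Generate and verify pip hash pins of the kind a Dockerfile
`pip install --require-hashes` step consumes.

Added example; not ScanAPI's code. The requirement string, the
artifact names and the bytes written into them are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so a large wheel is never
    loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pin_line(requirement: str, artifacts: list[Path]) -> str:
    """Build one requirements line such as
    'pip==24.0 --hash=sha256:... --hash=sha256:...'.
    One --hash per artifact pip may select (e.g. the pure wheel and the
    sdist), otherwise the install fails on the unlisted one."""
    hashes = sorted(sha256_file(p) for p in artifacts)
    return requirement + "".join(f" --hash=sha256:{h}" for h in hashes)


def parse_pin_line(line: str) -> tuple[str, set[str]]:
    """Split a pinned line into the requirement and its allowed hash set."""
    parts = line.split()
    allowed = {
        p.removeprefix("--hash=sha256:")
        for p in parts[1:]
        if p.startswith("--hash=sha256:")
    }
    return parts[0], allowed


def verify_artifacts(line: str, artifacts: list[Path]) -> bool:
    """Mirror pip's --require-hashes rule: every artifact about to be
    installed must match one of the pinned hashes. A stale pin (upstream
    released different bytes) fails closed instead of installing silently,
    which is the build break the issue describes."""
    _, allowed = parse_pin_line(line)
    return bool(allowed) and all(sha256_file(p) in allowed for p in artifacts)


def demo() -> dict:
    """Pin two constructed artifacts, verify them, then simulate a newer
    upstream release whose bytes no longer match the pin."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "pip-24.0-py3-none-any.whl"   # constructed name
        sdist = Path(tmp) / "pip-24.0.tar.gz"              # constructed name
        wheel.write_bytes(b"constructed wheel bytes, not a real pip wheel")
        sdist.write_bytes(b"constructed sdist bytes")

        line = pin_line("pip==24.0", [wheel, sdist])
        pinned_ok = verify_artifacts(line, [wheel, sdist])

        # Failure mode: the artifact served today differs from what was hashed.
        wheel.write_bytes(b"constructed wheel bytes, NEW RELEASE")
        stale_ok = verify_artifacts(line, [wheel])

        return {"line": line, "pinned_ok": pinned_ok, "stale_ok": stale_ok}


if __name__ == "__main__":
    result = demo()
    print(result["line"])
    print("fresh pins verify:", result["pinned_ok"])
    print("stale pins verify:", result["stale_ok"])
```

In a Dockerfile the generated lines go into a requirements file consumed by a RUN pip install --require-hashes -r requirements-build.txt step; pip download --no-deps -d dist/ pip==<version> fetches the artifacts to hash, and pip hash dist/*.whl prints the same --hash=sha256: form. Pin a hash for every artifact pip could choose (wheel and sdist, or force --only-binary=:all:), because one unlisted or outdated artifact makes the whole install fail closed. That fail-closed behaviour is the point of the check, and also why the fix wires in Dependabot to refresh the pins rather than dropping them.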

The PR was created and is there, awaiting maintainer review. Merge blocked, as expected — only they can approve.

The message I closed with, and one I always repeat: delegate the arm to AI, but keep the brain with you. Don't close your eyes and walk away. Review, understand, validate. AI accelerates massively, but technical responsibility remains human.

It was special receiving a gift from the Brasília community at the end. Thank you to everyone who participated. The exchange was rich and the small format allowed a level of interaction that large talks can't achieve.

If you've ever wanted to contribute to open source but gave up when you saw the codebase complexity — know that with the right agent, the distance between "never seen this code" and "PR submitted" can be minutes.

🔗 PR submitted: https://github.com/scanapi/scanapi/pull/1001 (issue #916)
🔗 Fork: https://github.com/flap/ScanAPI
