On a project I contribute to, we ask people to register on our main website, which has a pretty good anti-spam. We do that in part to get to know our contributors more and better engage (after all, we develop a FOSS CRM). Gitlab uses that authentication source as an LDAP server.

So far in the past 2 years, we have had only 1 spam merge-request.