We have our repo set up so all PRs must be approved by another engineer before they can be merged to main/master. You cannot approve a PR that you have created. We rely on this to stop a single engineer getting code into production without someone else checking it.
But there is a (possible) security hole. A bad actor (e.g. a disgruntled employee) could find a PR that is already open, revert the original changes, commit malicious code, then approve it and merge it.
Is there any way to stop someone from approving a PR if they have any commits in that PR?
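The scenario in the question turned into a check that a CI job or merge bot could run, added here as an example and not part of the original post: given a PR's commits and reviews in the shape the GitHub REST API returns them (only the `author.login`, `user.login` and `state` fields are used, and the sample data is constructed), it lists reviewers whose current verdict is an approval even though they authored commits in the PR, and separately reports commits GitHub could not attribute to any account.

```python
"""Flag PR approvals by someone who also authored commits in that PR.
Input shapes mirror the GitHub REST API pull-request commits and reviews
endpoints, limited to the fields used here; sample data is constructed.
"""

def commit_authors(commits):
    """Return (logins of commit authors, shas of commits GitHub could not link).
    `author` is None when the commit email is not tied to an account, so those
    commits are surfaced instead of silently passing the check.
    """
    logins, unlinked = set(), []
    for c in commits:
        user = c.get("author")
        if user and user.get("login"):
            logins.add(user["login"].lower())
        else:
            unlinked.append(c["sha"])
    return logins, unlinked

def current_approvers(reviews):
    """Return logins whose latest non-comment review is APPROVED.
    Reviews are assumed to be in submission order (as the API returns them):
    a later CHANGES_REQUESTED or DISMISSED overrides an earlier approval,
    while COMMENTED leaves the existing verdict alone.
    """
    latest = {}
    for r in reviews:
        if r["state"] != "COMMENTED":
            latest[r["user"]["login"].lower()] = r["state"]
    return {login for login, state in latest.items() if state == "APPROVED"}

def self_approvals(commits, reviews):
    """Reviewers who both pushed commits to the PR and currently approve it."""
    authors, _ = commit_authors(commits)
    return sorted(authors & current_approvers(reviews))

# Constructed sample: "mallory" pushed a commit onto "alice"'s PR and approved it;
# "bob" approved earlier but then requested changes, so bob no longer counts.
SAMPLE_COMMITS = [
    {"sha": "a1b2c3", "author": {"login": "alice"}},
    {"sha": "d4e5f6", "author": {"login": "mallory"}},
    {"sha": "07a8b9", "author": None},  # unlinked email: needs manual attribution
]
SAMPLE_REVIEWS = [
    {"user": {"login": "bob"}, "state": "APPROVED"},
    {"user": {"login": "bob"}, "state": "CHANGES_REQUESTED"},
    {"user": {"login": "mallory"}, "state": "APPROVED"},
]
```

A non-empty result from `self_approvals` (or any unlinked commit) is the signal to fail the status check that the branch protection rule requires before merging; the check complements, rather than replaces, settings such as dismissing stale approvals when new commits are pushed.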