The issue is, the malicious person can commit code as someone else. You can try this yourself by changing your user.name and user.email config settings and making a commit. If they did this, any special mechanism you had setup to check for authors/committers would be foiled.

In theory if you had everyone GPG sign their commits and somehow checked for this too, it wouldn’t be an issue, but most people don’t GPG sign commits.

What I’d suggest is requiring approval from 2 seperate people with write+ access to the repository if you have enough people to enforce this.

Thanks for your reply! That’s interesting. I hadn’t considered that github has no way to verify whether the listed committer was actually the committer without people signing commits.

I wonder if you could say a user who has pushed to the PR can’t approve it. Surely Github knows who has pushed to a branch (you need to auth for that)

I don’t think it’s true that GitHub can’t verify the committer… here’s a cut-n-paste from the UI:

Test authored and akloss-cibo committed 2 minutes ago

To me, this seems like a tragic gap in the pull request process. Does anyone know something we don’t?

GitLab has this feature:

Prevent approvals by users who add commits When enabled, users who have committed to a merge request cannot approve it.