As a consequence of this, I have to manually approve every run of GitHub actions in his PRs.
I believe this is because the email address they used to create these commits wasn’t linked to their GitHub account. Without that GitHub can’t really tell whether this user has opened a pull request to this repository before. Once they add that email address to their account (which it looks like they’ve now done) they should stop seeing that message!
Thank you. Adding the email solved the issue. However, I expected that merging a pull request created by the GitHub user X to be enough to consider X to be a trusted contributor, even if X is not an author of any commit.