Currently, requiring signed commits (the only way to prevent this) would be a massive breaking change, as I would guess that 90%+ of GitHub users don't use GPG to sign their commits. However, they may be able to make that opt-in, although it could very well break a ton of automated scripts and would completely break things like squash merging or rebasing by a maintainer.
I was thinking more along the lines of simply checking the email of the (real) commit author against the "email" used in the Git commit. Would this not be possible?
For example, if I were to 'git clone' a project currently on gitlab, create a github repo for it, add that origin, and push... Well, that pushes commits authored by every single person who ever committed to that other repository. Do I have to make all of them re-push only their own commits in order? Can robots not mirror repositories anymore? What about commits authored by people without github accounts?
There are also the obvious issues of me merging a coworker's commit into my branch, or cherry-picking, or rebasing a third-party contributor's commits to update them before merge.
I think the case of "push an existing repo with N authors to a new repo" is a really compelling reason though for why that sort of "you can only push commits with your email" thing would not work.
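The two policies debated above, an author-email check and a signed-commit requirement, can be compared on the same history with a small audit script. This is an added example, not code from any participant in this thread or from GitHub; it reads the kind of output `git log --format='%H%x09%G?%x09%ae'` produces, but the sample log below is constructed by hand (placeholder hashes and addresses), and the `%G?` status letters are git's own (G = good signature, N = unsigned, E = signature could not be checked, B = bad). It shows why the mirroring case breaks the email check: every commit by an author other than the pusher is flagged, regardless of whether it is genuine, while a signature check is a per-commit property that survives a mirror push.

```python
"""Audit a git log dump under two hypothetical pre-receive policies.

Input format per line: <sha> <%G? status> <author email>.
The sample below is constructed for illustration; it is not real history.
"""
from dataclasses import dataclass

# Constructed sample: a mirrored repo with three authors, only one of whom
# (alice) signs commits; 4444444 carries a signature git cannot verify.
SAMPLE_LOG = """\
1111111 G alice@example.org
2222222 N bob@example.org
3333333 N carol@other.example
4444444 E alice@example.org
"""


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str      # git %G? value: G, B, U, X, Y, R, E or N
    author_email: str


def parse_log(text: str) -> list[Commit]:
    """Parse whitespace-separated '<sha> <status> <email>' lines."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, email = line.split()
        commits.append(Commit(sha, status, email))
    return commits


def flag_by_pusher_email(commits: list[Commit], pusher_email: str) -> list[str]:
    """The check proposed in the thread: reject any commit whose author
    email differs from the account doing the push.  Genuine commits by
    other people are rejected too, which is what breaks mirroring."""
    pusher = pusher_email.lower()
    return [c.sha for c in commits if c.author_email.lower() != pusher]


def flag_by_signature(commits: list[Commit],
                      trusted=frozenset({"G"})) -> list[str]:
    """Signed-commit policy: reject anything not carrying a signature that
    verified against a trusted key.  Who pushes is irrelevant, so a mirror
    of properly signed history passes unchanged."""
    return [c.sha for c in commits if c.sig_status not in trusted]


if __name__ == "__main__":
    history = parse_log(SAMPLE_LOG)
    print("email check (alice pushing):", flag_by_pusher_email(history, "alice@example.org"))
    print("signature check:", flag_by_signature(history))
```

Run against a real repository, the `SAMPLE_LOG` string would be replaced by the output of the `git log` command named in the lead-in; the point of the comparison is that the email policy rejects 2222222 and 3333333 purely because alice did not write them, whereas the signature policy rejects exactly the commits whose authorship cannot be verified.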