[lambada]

If the PR is from a fork, then a repository maintainer needs to approve it. By default this is for first-time contributors, but is configurable https://docs.github.com/en/actions/managing-workflow-runs/ap...

NB: I've never played with configuring it.

[OJFord]

Ah yes, new in April: https://github.blog/2021-04-22-github-actions-update-helping...

I can't find anything on configuring it though, that only mentions for first-time contributors as you say. I have a 'contributor' badge for pretty minor contributions to all sorts of projects, doesn't necessarily mean they should trust me any more than a first-time contributor! (I can be trusted! I just don't think my contribution to some of them is too much of a barrier for a malicious actor...)

[lambada]

https://docs.github.com/en/github/administering-a-repository... contains details for configuring it on a repository basis. Looks like you can require it for new github accounts XOR first time contributors XOR all forks.

It's also configurable at the organisation and enterprise level, if those are relvent to anyone.

Organization settings: https://docs.github.com/en/organizations/managing-organizati... Enterprise settings: https://docs.github.com/en/github/setting-up-and-managing-yo...