> 1) Is it a real problem that allows anyone to push into any repository?
It is not a real problem that allows anyone to push into any repo, but it is a real problem that shows an incorrect/unexpected "Merged" pull request status on any repository.
> 2) Is it just a very confusing message?
From the links pasted in the comments you could see that github shows the unauthorized user "merged" the pull request into main, and the repo's owner received an email saying:
FROM: XXXXX
Content: Merged #xxx into main.
It is exactly the SAME as the email notification of a normal authorized merge event.
Basically, aside from github's merge button (which does magic inaccessible to mere mortals[0]), the signal github looks for to know whether a PR is merged is whether the PR's head commit is in the target branch.
So if you reset the PR's branch to the target (or any of its commits), as far as github is concerned it's as if the PR had been merged.
[0] The ability to close PRs as merged was requested 3 years ago on the old discourse forum, which was deleted when github deployed the new community thingie; the request was reposted on the new site: https://github.com/community/community/discussions/12437
+1 for the feature of marking as merged, as in many projects, e.g., apache arrow, the pull requests are merged in a different way and all pull requests are shown as "closed" rather than "merged".
It would cause some confusion for project management, I guess.