This could have been partially avoided with signed commits.

The replies and the lack-of-public-key-private-key understanding here are so bad it's not worth following up on any replies here. Literally have users hung up on "it's a username" instead of understanding what a signed commit is, and how you verify someone owns said key beyond "their username".

I expected better HN.

A signed commit can only prove that the owner of a key did make a particular commit, it can't prove that they didn't make a commit, for instance by using some other undisclosed key.

This was actually a true impersonation case, because researcher's twitter username was free on github so attacker just created a new account with that username and used it to create the malicious PR.

Not really. The username from the commits is the same one that created the PR. The username evildojo666 was available and the attacker just used it.