
Check the timestamp on that commit push. It was from today, an hour or two before the repo was restored, not yesterday when the attack happened. The push actor != the committer or even the actual commit author, and there can be multiple push actors if the commit is pushed multiple times by different actors.

He probably just re-pushed the bad commit while trying to figure out how to fix this.

I find it very plausible that the bot token was compromised, not his user account token, as the attack was simply to push over the tags (which is something the automation bot would have access to do, as tag management is one of its functions).



Does this seem like a plausible summary?

1. tj-actions-bot PAT spoofs renovatebot commit with malicious code - probably by creating a new unprotected branch, pushing to it spoofing the renovatebot user, then deleting the branch, but we really don't know.

2. Attacker uses PAT to also update release tags, pointing them to the malicious commit, again spoofing renovatebot

3. jackton1 tries to restore older branch, and therefore pushes the commit again. The original commit wouldn't be referenced as pushed in any pull requests


For #3: You don’t have to actually have a commit in a pull request for it to show up in the PR “conversation”. Simply putting the PR # in the commit message like #2460 would result in it showing up like that (“commit referenced this pull request”). The original malicious commit copied a real PR merge commit with #2460, so anyone who pushed it in this repo to any branch would have their push referenced in the PR conversation list. It’s just a misleading UI in my opinion.
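The thread's practical takeaway is that a release tag is a mutable ref: anyone holding a token with tag-management rights can repoint it at a different commit, and every workflow that references the action by tag picks up the new target on its next run. The usual mitigation is to pin third-party actions to a full 40-character commit SHA, which cannot be silently moved. The following script is an added example (not code from the thread or from the tj-actions project) that scans a workflow file for `uses:` references and reports which ones are pinned to a SHA and which still point at a mutable tag or branch. The workflow text embedded in it is constructed for illustration; the action names and versions in it are sample values, not a statement about any real release.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample workflow (hypothetical, not taken from any real repository).
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45.0.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches a `uses:` value up to the first whitespace, quote or comment marker.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# A full-length git object id; only this form is immutable.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class UsesRef:
    line: int
    action: str
    ref: Optional[str]
    kind: str  # "sha", "mutable", "local", "docker" or "unversioned"


def classify(spec: str) -> Tuple[str, Optional[str], str]:
    """Split one `uses:` value into (action, ref, kind).

    Local paths and docker images have no git ref to pin, so they are
    reported separately rather than flagged.
    """
    if spec.startswith("./"):
        return spec, None, "local"
    if spec.startswith("docker://"):
        return spec, None, "docker"
    if "@" not in spec:
        return spec, None, "unversioned"
    action, ref = spec.rsplit("@", 1)
    if SHA_RE.fullmatch(ref):
        return action, ref, "sha"
    # Anything else (v4, v45, main, a short sha) is a ref the upstream
    # repo can move after the fact.
    return action, ref, "mutable"


def scan_workflow(text: str) -> List[UsesRef]:
    """Return every `uses:` reference in a workflow, in file order."""
    found: List[UsesRef] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, kind = classify(m.group(1))
        found.append(UsesRef(lineno, action, ref, kind))
    return found


def mutable_refs(text: str) -> List[Tuple[str, str]]:
    """(action, ref) pairs that a tag repoint upstream would silently change."""
    return [(r.action, r.ref) for r in scan_workflow(text) if r.kind == "mutable"]


if __name__ == "__main__":
    for r in scan_workflow(SAMPLE_WORKFLOW):
        flag = "PIN TO SHA" if r.kind == "mutable" else r.kind
        print(f"line {r.line:3}: {r.action}@{r.ref or '-'}  [{flag}]")
```

Running it over a real `.github/workflows/*.yml` file (read the file contents in place of `SAMPLE_WORKFLOW`) lists each third-party action that would have followed a repointed tag. A SHA pin on its own does not tell you whether that commit is one the maintainers actually published, so the normal practice is to keep the intended version in a trailing comment, as on the pinned line in the sample, and to review the diff whenever a dependency-update bot proposes a new SHA.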



