Merges cannot be attributed, encode invoker into the merge commit

[Atemu]

Currently, a merge bot merge cannot be directly attributed to any real person. You could go into the PR and look for the last comment before the merge that invoked the bot but GH PR conversations can easily be disappear'd and users can turn into ghosts at any time. We've seen this happen many times before in Nixpkgs. When either of that occurs, it is no longer possible to trace a merge bot merge back to an actual human.

In the commit metadata, the author is set to the merge bot and committer is the generic GH user:

Author:     nixpkgs-merge-bot[bot] <148217876+nixpkgs-merge-bot[bot]@users.noreply.github.com>
AuthorDate: Tue Jun 18 05:23:59 2024 +0000
Commit:     GitHub <noreply@github.com>
CommitDate: Tue Jun 18 05:23:59 2024 +0000

The actual person who invoked the bot should be embedded in this commit ensure clear ownership and thereby responsibility. Since they effectively author the merge, I propose the Author: field to be set to the invoker's details. The Commit:er should then be set to the merge bot info as it performs the actual commit.

If it is not possible to set the Commit:er field to the bot or the Author: field to anything but the bot, the bot would have to remain as the Author: and the invoker should instead be added as Co-authored-by: (GH and other forges interpret this field and links the users' profiles on commits).
We could also invent a new Invoked-By: metadata field here as there is no real standard for this but that likely won't receive support by forges.

What needs investigation is how the invoker's details would be fetched. In case the GH API does not offer that (might very well be the case) we could always use the maintainers list for this though as it contains a GH user <-> email mapping.

[Mic92]

I believe github also provides some pseudo email addresses that could be used in that field.