IIRC GitHub set it up like this as default a while back, but they've also added an option of "only folks new to GitHub" and on most open source projects that I work on we've flipped to that as it seems to do good enough at keeping the spam / bitcoin miners down, whilst still making life easy for drive-by contributors.
I was surprised to see on https://github.com/adrienverge/yamllint/pull/588 that this requires maintainer approval, even though I'm relatively experienced on GitHub...
IIRC GitHub set it up like this as default a while back, but they've also added an option of "only folks new to GitHub" and on most open source projects that I work on we've flipped to that as it seems to do good enough at keeping the spam / bitcoin miners down, whilst still making life easy for drive-by contributors.