Our automation or a human submitted a PR; it was built and tested in our sandboxed, ephemeral CI environments; a human Homebrew maintainer reviewed the CI results and the PR diff and approved it for merge, which, if approved, happened automatically.

If the ask is "who reviewed the diff": yes, a human didn't do that. That's not actually happening for all packages in any meaningful large ecosystem. I'm still unconvinced a cooldown solves that until e.g. we have an open source security scanner that runs on all Homebrew packages and requires a cooldown. Even in that case, my suggestion would be that we just run it in our own CI and block package release.

> Even in that case, my suggestion would be that we just run it in our own CI and block package release.

I agree.

> open source security scanner that runs on all Homebrew packages and requires a cooldown.

I think that is where all this is going in the long term.

Until then, any upstream shenanigans are more likely to surface in hours 0-48 after a new release than hours 0-4.
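To make the "cooldown" idea from this thread concrete, here is an added example (not Homebrew's code, and not from any poster in the thread) of the gate a CI job could apply before accepting a version bump: given an upstream release list with publication timestamps, it picks the newest version that has been public for at least 48 hours, and exposes a yes/no check for a proposed bump. The `Release` struct, the 48-hour window, and the sample release history are all assumptions made for the example.

```ruby
require 'time'

# Added example, not Homebrew code: a release "cooldown" gate of the kind
# discussed above. A bump is only accepted once the upstream release has
# been public for COOLDOWN_HOURS, the window in which upstream problems
# are most likely to surface. The 48h value is an assumption for this example.
COOLDOWN_HOURS = 48

# Minimal release record: version string plus publication time (UTC).
Release = Struct.new(:version, :published_at)

# Parse "1.2.10" into [1, 2, 10] so versions compare numerically
# (string comparison would wrongly rank "1.2.9" above "1.2.10").
def version_key(v)
  v.split('.').map(&:to_i)
end

# Newest release that has been public for at least the cooldown; nil if none.
def eligible_release(releases, now:, cooldown_hours: COOLDOWN_HOURS)
  cutoff = now - cooldown_hours * 3600
  releases
    .select { |r| r.published_at <= cutoff }
    .max_by { |r| version_key(r.version) }
end

# CI-style check for a proposed bump: true only if that exact version exists
# upstream and is older than the cooldown window.
def bump_allowed?(releases, target_version, now:, cooldown_hours: COOLDOWN_HOURS)
  r = releases.find { |x| x.version == target_version }
  return false if r.nil?
  r.published_at <= now - cooldown_hours * 3600
end

# Constructed sample release history (assumed data, not a real project).
SAMPLE_RELEASES = [
  Release.new('1.2.8',  Time.parse('2024-05-01T12:00:00Z')),
  Release.new('1.2.9',  Time.parse('2024-05-10T12:00:00Z')),
  Release.new('1.2.10', Time.parse('2024-05-12T09:00:00Z')),
].freeze

if __FILE__ == $PROGRAM_NAME
  now = Time.parse('2024-05-13T00:00:00Z')
  r = eligible_release(SAMPLE_RELEASES, now: now)
  puts "newest release past cooldown: #{r ? r.version : 'none'}"
  puts "bump to 1.2.10 allowed: #{bump_allowed?(SAMPLE_RELEASES, '1.2.10', now: now)}"
end
```

With the sample data and a "now" of 2024-05-13T00:00Z, 1.2.10 is only 15 hours old and is rejected, so the gate falls back to 1.2.9; two days later the same bump passes. In a real pipeline the release list would come from the upstream tag or release feed, and the check would run as a required CI status rather than as a local script.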