I am teaching a software development class and I am having students submit projects to GitHub. One of my students submitted their final project and I found another repo on GitHub from 9 months earlier that contained almost identical code. Seems like a cut and dry case of plagiarism right? The student is completely adamant though that they did not copy even though they acknowledge the similarities of the repository. In order to entertain all (most) possibilities, I am thinking through how the student could be telling the truth. My only (silly) option is that my student has a nemesis who copied their project and spoofed the creation date of the repo to get my student in trouble for plagiarism. Obviously that's very far-fetched from a real-life perspective. But I'm curious now if it's possible from a technical perspective?
I know GitHub allows individual commit timestamps to be spoofed but I'm looking at the project creation date (through the GH API) which seems to be a separate concept.
Or is there another more plausible way that my student could be telling the truth that I'm just overlooking?
You can try querying push events for that public repository, but it is not clear how far in time it will go (for github.com)
GET /repos/:owner/:repo/events
The idea is: the push event date is more accurate than the AUTHOR_DATE associated with a commit.
Audit logs are only available for GitHub Enterprise private instances.