As you can see, I closed the PR via a commit to my overlay.
Does gentoo-repo-qa-bot check that I'm also the user who created the PR, or is it possible to close any PR via this mechanism?
It's not in our control; it's GitHub. I could probably work around this by having a separate account for both services, but it seems a major hassle for a minor issue. Just don't commit 'Closes:' tags when you don't intend to close a PR.
Well, it doesn't look so minor to me as someone could close all PRs to which gentoo-repo-qa-bot has commit access for fun. Having a separate account for gentoo-mirror could be the best/easiest way to go.
This only applies to repository owners. So far nobody else did that. If it becomes a common nuisance, I can reconsider. However, the effort much exceeds the gain here.
And if someone tries to abuse that, we can simply remove his repository.