Bitrise steps community

I’ll have to check this, or if anyone has any experience with a GitHub permission setup like this, please let us know!

I think the first step would be to create two teams: one for maintainers and one for regular reviewers. Both should be given write access to the repo.

Then, enable branch restrictions so that only maintainers can push to the master branch.

Finally, enable required reviews for the master branch. Anybody with write access should then be able to submit a review, but I think only maintainers will be allowed to merge.

Also, protected branches cannot be force-pushed or deleted (unless an admin temporarily disables branch protection). So maintainers should probably not be admins unless you trust them quite a bit. (More info about team permissions is here.)

There’s also a great opportunity here to dogfood some of the Bitrise GitHub/PR integration by having a CI job for each step repo and making it a required status check. It can run the audit-this-step and test workflows for each commit so that PRs will be blocked until the tests exist and are passing. (Will have to put some thought into how a test environment can be made for each step without bloating the step repo size.)
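One way to check that a step repo actually ends up with the setup described above, as an added example that is not part of the original posts: the function audits a branch-protection document shaped like the response of GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`. The team slugs, the status-check name and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample in the shape of GitHub's branch-protection response.
# Team slugs and the status-check name are hypothetical.
SAMPLE = json.loads("""
{
  "required_status_checks": {"strict": true, "contexts": ["ci/bitrise"]},
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "restrictions": {
    "users": [],
    "teams": [{"slug": "step-maintainers"}, {"slug": "step-reviewers"}],
    "apps": []
  },
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}
""")


def audit_protection(protection, maintainer_team, required_check):
    """Return a list of findings; an empty list means the setup matches."""
    findings = []
    # The "restrictions" key is absent when pushes are not restricted at all.
    restrictions = protection.get("restrictions")
    if restrictions is None:
        findings.append("no push restrictions: anyone with write access can push")
    else:
        teams = {t["slug"] for t in restrictions.get("teams", [])}
        if maintainer_team not in teams:
            findings.append(f"team '{maintainer_team}' is not allowed to push")
        extra = sorted(teams - {maintainer_team})
        if extra:
            findings.append("unexpected teams can push: " + ", ".join(extra))
        users = sorted(u["login"] for u in restrictions.get("users", []))
        if users:
            findings.append("individual users can push: " + ", ".join(users))
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required before merge")
    checks = protection.get("required_status_checks") or {}
    if required_check not in checks.get("contexts", []):
        findings.append(f"status check '{required_check}' is not required")
    for key, label in (("allow_force_pushes", "force pushes"),
                       ("allow_deletions", "branch deletion")):
        if (protection.get(key) or {}).get("enabled", False):
            findings.append(f"{label} allowed on the protected branch")
    return findings


if __name__ == "__main__":
    for finding in audit_protection(SAMPLE, "step-maintainers", "ci/bitrise"):
        print("FINDING:", finding)
```

The sample deliberately lists the reviewers team in the push restrictions, which is the one finding the audit reports for it.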