This feels very similar to something I proposed in "What's the point of becoming a package maintainer? - #24 by UefiPls". A merge bot that checks if the code owners or maintainers of a package have reviewed the code (maybe with other sanity checks) would make the state of a permissionless maintainer more useful.
IMO it would be better than the existing system, where a “maintainer” can’t actually maintain their own packages. They have to helplessly signal to somebody with committer rights when anything has to be merged. A maintainer’s feedback only has subjective value as a committer can simply choose to ignore it.
I started working on LoveIsGrief/check-permissions on GitHub, a generic action to check permissions (which has no documentation whatsoever atm as I had no time to work on it).
The idea was that it would act as a step to check approval count, approval percentage of code owners, and a total number of approvals from code owners. If the step passes, another step could, in a trial period at first, ping committers and, in “production”, automatically merge PRs.
What it got held up by was GitHub’s removal of lastPushedAt information on PRs. There doesn’t seem to be an explanation and I can’t think of another way to get reviews that are still valid, as they might be invalid after a new push to the branch.
Edit: have to check if PullRequestReviewState.DISMISSED can happen automatically after a push to a branch.
Would this be something along the lines of what you’re suggesting @piegames?
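
A sketch of the approval gate described in the post above, as an added example that is not part of the original post and is not code from check-permissions. It assumes review objects shaped like GitHub's REST "list reviews for a pull request" response (`user.login`, `state`, `commit_id`, `submitted_at`); the `Gate` thresholds, the rule of treating an approval as stale when its `commit_id` differs from the PR head SHA, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gate:  # hypothetical thresholds, not taken from check-permissions
    min_approvals: int = 2
    min_owner_approvals: int = 1
    min_owner_percent: float = 50.0

def latest_reviews(reviews):
    """Each reviewer's most recent decisive review; COMMENTED never overrides a verdict."""
    latest = {}
    for r in sorted(reviews, key=lambda r: r["submitted_at"]):
        if r["state"] in ("APPROVED", "CHANGES_REQUESTED", "DISMISSED"):
            latest[r["user"]["login"]] = r
    return latest

def evaluate(reviews, head_sha, author, code_owners, gate=Gate()):
    latest = latest_reviews(reviews)
    # An approval counts only if it was given on the commit that is now the PR head.
    approvers = {login for login, r in latest.items()
                 if r["state"] == "APPROVED" and r.get("commit_id") == head_sha
                 and login != author}
    # An open change request blocks the merge even if it predates the latest push.
    blocked = any(r["state"] == "CHANGES_REQUESTED" for r in latest.values())
    owners = set(code_owners) - {author}  # assumption: the author cannot self-approve
    owner_approvals = approvers & owners
    percent = 100.0 * len(owner_approvals) / len(owners) if owners else 0.0
    ok = (not blocked and len(approvers) >= gate.min_approvals
          and len(owner_approvals) >= gate.min_owner_approvals
          and percent >= gate.min_owner_percent)
    return {"ok": ok, "approvals": len(approvers),
            "owner_approvals": len(owner_approvals), "owner_percent": percent}

def review(login, state, sha, at):  # builds one constructed sample review
    return {"user": {"login": login}, "state": state, "commit_id": sha, "submitted_at": at}

OLD, HEAD = "aaa111", "bbb222"  # constructed commit ids
SAMPLE = [  # constructed review history: one push happened between OLD and HEAD
    review("carol", "CHANGES_REQUESTED", OLD, "2024-01-01T09:00:00Z"),
    review("alice", "APPROVED", OLD, "2024-01-01T10:00:00Z"),  # stale after the push
    review("bob", "APPROVED", HEAD, "2024-01-01T12:00:00Z"),
    review("carol", "APPROVED", HEAD, "2024-01-01T12:30:00Z"),
    review("bob", "COMMENTED", HEAD, "2024-01-01T13:00:00Z"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, HEAD, "erin", ["alice", "bob", "carol"]))
```

A merge step would only act on `ok`; in the trial period mentioned in the post, the same result could instead drive a ping to committers.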