Imo one of the best ways to give partial access to maintainers is:
- Have an official bot regularly run update scripts for packages and create pull requests from that. In practice this could mean making @ryantm’s bot official.
- Merge those updates automatically if they’re approved by the majority of maintainers (and nobody requested changes for some time). This could be done with a GitHub Action workflow.
Yes, this is more limited: maintainers only get the permission to merge changes that were done by the update script, and changes to the update script will have to be reviewed manually, but this would already be a big improvement without compromising security.
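The merge policy described in the two bullets above, as an added example that is not part of the original post and not an existing workflow of nixpkgs or of any update bot: a decision function that a GitHub Action step could call with the pull request's data and the package's maintainer list. The bot account name, the rule that only the latest non-comment review of each reviewer counts (GitHub's own semantics for review state), the 24-hour quiet period, and the convention that update scripts are files named `update.*` inside the package directory are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple
import os

# Constructed placeholder for the official update-bot account.
UPDATE_BOT = "update-bot"


@dataclass(frozen=True)
class Review:
    user: str
    state: str  # "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
    submitted_at: datetime


@dataclass(frozen=True)
class PullRequest:
    author: str
    changed_files: Tuple[str, ...]
    reviews: Tuple[Review, ...]


def latest_reviews(reviews: Tuple[Review, ...]) -> Dict[str, Review]:
    """Keep each reviewer's most recent approval/change-request; plain comments
    do not change a reviewer's state (assumed, matching GitHub's review model)."""
    latest: Dict[str, Review] = {}
    for r in sorted(reviews, key=lambda r: r.submitted_at):
        if r.state == "COMMENTED":
            continue
        latest[r.user] = r
    return latest


def is_update_script(path: str) -> bool:
    # Assumption: update scripts live in the package directory as update.sh/update.nix/...
    return os.path.basename(path).startswith("update.")


def automerge_decision(pr: PullRequest, package_dir: str, maintainers: Set[str],
                       now: datetime, quiet_period: timedelta = timedelta(hours=24)
                       ) -> Tuple[bool, str]:
    """Return (merge?, reason). Only bot-authored PRs that touch nothing but the
    package's own files, approved by a majority of that package's maintainers,
    with no outstanding change request and a quiet period elapsed, are merged."""
    if pr.author != UPDATE_BOT:
        return False, "not authored by the update bot"
    for f in pr.changed_files:
        if not f.startswith(package_dir.rstrip("/") + "/"):
            return False, f"touches a file outside the package: {f}"
        if is_update_script(f):
            return False, f"modifies an update script, needs manual review: {f}"
    latest = latest_reviews(pr.reviews)
    # Anyone's outstanding change request blocks the merge.
    for r in latest.values():
        if r.state == "CHANGES_REQUESTED":
            return False, f"changes requested by {r.user}"
    # Only approvals from this package's maintainers count towards the majority.
    approvals = [u for u, r in latest.items() if u in maintainers and r.state == "APPROVED"]
    needed = len(maintainers) // 2 + 1
    if len(approvals) < needed:
        return False, f"{len(approvals)} maintainer approval(s), {needed} needed"
    # Give others time to object after the last review activity.
    last_activity = max(r.submitted_at for r in pr.reviews)
    if now - last_activity < quiet_period:
        return False, "quiet period since last review has not elapsed"
    return True, f"approved by maintainers {sorted(approvals)}"


if __name__ == "__main__":
    # Constructed sample: three maintainers, two approve a bot PR touching one package.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pr = PullRequest(
        author=UPDATE_BOT,
        changed_files=("pkgs/tools/foo/default.nix",),
        reviews=(Review("alice", "APPROVED", t0),
                 Review("bob", "APPROVED", t0 + timedelta(hours=1))),
    )
    print(automerge_decision(pr, "pkgs/tools/foo", {"alice", "bob", "carol"},
                             t0 + timedelta(days=2)))
```

Approvals from accounts outside the package's maintainer list are ignored rather than rejected, so a drive-by review can neither grant nor block a merge on its own, while any maintainer's change request halts it.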