Initial suggestion would be the following (note that most of these are already in place):
- CI must pass, and at least 2 approvals (these can be added as a branch protection rule)
- Depending on the context, PRs may require a specific team or team member approval (e.g., changes that affect TACo would require an approval from nucypher, same for tBTC and KEEP)
- Manual QA on testnet, and ideally mainnet.
- We've found it useful to use PR description templates like the following: https://github.com/nucypher/nucypher/blob/main/.github/PULL_REQUEST_TEMPLATE.md
- KEEP has a Keybase ceremony for signing & verifying releases, which we're happy to adopt, but it needs a bit of documentation