I remember we discussed changing our development process to use PRs instead of committing directly to the release branches. This was part of trying to increase our security score, especially the Branch Protection part in scorecard (https://github.com/ossf/scorecard/blob/main/docs/checks.md).
Questions: * how many approvals did we agree on before a PR can be merged? * if a PR is merged into release-2.x, can it be cherry-picked onto 3.0 directly, or does the change to the 3.0 branch need a separate PR? * what to do with the updates to changes.xml? Does that need to be included in the PRs?