docs: add PR review policy for maintainers (#9032)

docs/community/maintainer/pr-review.md

@@ -0,0 +1,24 @@
+# Pull Request Review Policy
+
+This document outlines the review policy for pull requests in the Trivy project.
+
+## Core Principles
+
+### 1. All Changes Through Pull Requests
+All changes to the `main` branch must be made through pull requests.
+Direct commits to `main` are not allowed.
+
+### 2. Required Approvals
+Every pull request requires approval from at least one CODEOWNER before merging.
+
+For changes that span multiple domains (e.g., both vulnerability and misconfiguration scanning), approval from at least one code owner from each affected domain is required.
+
+When a pull request is created by the only code owner of a domain, approval from any other maintainer is required.
+
+When a code owner wants additional input from other owners or maintainers, they should comment requesting feedback and wait for others to approve before providing their own approval.
+This prevents accidental merging by the PR author.
+
+### 3. Merge Responsibility
+- **General Rule**: The pull request author should click the merge button after receiving required approvals
+- **Exception**: For urgent fixes (hotfixes), a CODEOWNER may merge the PR directly
+- **External Contributors**: Pull requests from external contributors should be merged by a CODEOWNER

mkdocs.yml

@@ -224,6 +224,7 @@ nav:
           - Overview: community/contribute/checks/overview.md
           - Add Service Support: community/contribute/checks/service-support.md
       - Maintainer:
+          - PR Review: community/maintainer/pr-review.md
           - Release Flow: community/maintainer/release-flow.md
           - Backporting: community/maintainer/backporting.md
           - Help Wanted: community/maintainer/help-wanted.md