Restrict private repository contribution access to pull requests only

Here are my basic requirements for my team.

  1. A two-branch PRIVATE repository (prod and pre-prod)
  2. Contributors that can only submit changes through pull requests.
  3. Only a select group should be allowed to merge in team pull requests to either branch.

What I am trying to do is avoid having users (team members or outside contributors)
clone the two branches of the repository and mistakenly push directly to it.
In other words, I’m looking for something similar to the review branch restriction available on public repositories.

Using a user account, you can only add contributors, who have write access on the repository, so that’s no good.

Using an organization account, you can add contributors with read-only privileges which allow them to create their own branch but when they attempt to push they get an error (repo not found or access denied) before they can even create a pull request. So that’s no good either. Organization team members cannot be given write access either because that’s just like a contributor of a private repo in a user account.

I’ve tried so many scenarios, I’m running out of ideas.

Is this doable in a free account or should we be using an upgraded account? The requirements seem pretty basic.