Workflow options for Rebase for public PRs and Merge Commit for certain internal PRs

The International Components for Unicode (ICU) project recently migrated from SVN to GitHub.  Our workflow has the following requirements:

  1. Every commit needs to contain a Jira ticket ID.

  2. Allow periodic merges from maintenance branch to development branch.

In order to satisfy requirement 1, we set Rebase Merge as the only option for the green button, since the other two green buttons both allow the user to write a possibly-invalid commit message before merging.  We then set up a required status check via a webhook that looks at the commit messages in a PR and ensures they contain valid Jira ticket IDs.  So far this is working for us.

However, it is not clear how to go about requirement 2.  Our desired workflow is to rebase-merge important bug fix PRs to the maintenance branch (for example, maint/maint-63), and then periodically merge the maintenance branch to the development branch (master).  This workflow streamlines the process for maintenance fixes and is used by a number of other open-source projects.  However, with our GitHub locked down in the way it is, it’s not clear to me how to enable the periodic merge commits from maintenance to master.

Our alternate workflow, and the one we were using in SVN, is to make all commits against master, and cherry-pick bug fixes to the maintenance branch.  However, we are hoping to move to the commit-on-maintenance, merge-to-master workflow.

Any suggestions on how to go about implementing this workflow on GitHub while still mostly keeping the repository locked down?
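A sketch of the kind of commit-message status check the post describes, as an added example that is not the ICU project's own webhook code. The ticket-ID pattern, the `MERGE_ALLOWED_BASES` policy (merge commits accepted only in PRs targeting `master`), the function names and the sample commits are all assumptions made for illustration.

```python
import re

# Assumption: a ticket ID looks like PROJECT-1234 and opens the subject line.
TICKET_RE = re.compile(r"^[A-Z][A-Z0-9]*-[0-9]+\b")
# Assumption: merge commits are acceptable only in PRs targeting these branches.
MERGE_ALLOWED_BASES = {"master"}


def check_commit(commit, base_ref):
    """Return a reason string if the commit violates policy, else None."""
    lines = commit["commit"]["message"].strip().splitlines()
    subject = lines[0] if lines else ""
    if len(commit["parents"]) > 1 and base_ref not in MERGE_ALLOWED_BASES:
        return "merge commit not allowed into " + base_ref
    if not TICKET_RE.match(subject):
        return "subject line lacks a ticket ID"
    return None


def evaluate_pr(commits, base_ref):
    """Build the state/description pair a commit status would carry."""
    if not commits:
        return {"state": "failure", "description": "PR has no commits"}
    failures = []
    for c in commits:
        reason = check_commit(c, base_ref)
        if reason:
            failures.append(c["sha"][:7] + ": " + reason)
    if failures:
        return {"state": "failure", "description": "; ".join(failures)}
    return {"state": "success",
            "description": "all %d commits carry a ticket ID" % len(commits)}


# Constructed sample, shaped like entries from GitHub's "list commits on a
# pull request" response (only the fields used here).
SAMPLE_PR = [
    {"sha": "a1b2c3d4e5", "parents": [{"sha": "p0"}],
     "commit": {"message": "ICU-20001 Fix buffer size check\n\nDetails."}},
    {"sha": "b2c3d4e5f6", "parents": [{"sha": "a1b2c3d4e5"}],
     "commit": {"message": "Fix typo (see ICU-20002)"}},
    {"sha": "c3d4e5f6a7", "parents": [{"sha": "b2"}, {"sha": "m1"}],
     "commit": {"message": "ICU-20003 Merge maint/maint-63 into master"}},
]

if __name__ == "__main__":
    print(evaluate_pr(SAMPLE_PR, "master"))
    print(evaluate_pr(SAMPLE_PR, "maint/maint-63"))
```

Because the check inspects the commits rather than the merge button, a merge commit is judged by the same rule as any other commit, with the target branch deciding whether it is accepted at all.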