Fix maintainer-approval runner and clean up OWNERS (#4914)

## Why

The maintainer-approval workflow from #4912 used `ubuntu-latest` (GitHub
public runners), which can't make API calls against the `databricks` org
due to the IP allow-list. Also, `@simonfaltum` was listed on the
`/cmd/bundle/` OWNERS rule but isn't on the bundle team.

## Changes

1. Switch `maintainer-approval.yml` from `ubuntu-latest` to the
`databricks-deco-testing-runner-group` custom runner, matching all other
workflows in the repo.
2. Remove `@simonfaltum` from `/cmd/bundle/` in `.github/OWNERS` since
he's not on the bundle team.

## Test plan

- [x] `suggest-reviewers / suggest-reviewers` fired and posted a
reviewer suggestion comment with round-robin fallback
- [ ] After merge, verify `Maintainer approval / check` runs on the
custom runner (requires a new PR since `pull_request_target` reads
workflows from the base branch)

Author: simonfaltum

.github/OWNERS

@@ -1,5 +1,5 @@
 *                         @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum
-/cmd/bundle/              @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum @lennartkats-db
+/cmd/bundle/              @andrewnester @anton-107 @denik @pietern @shreyas-goenka @lennartkats-db
 /libs/template/           @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum @lennartkats-db
 /acceptance/pipelines/    @jefferycheng1 @kanterov @lennartkats-db
 /cmd/pipelines/           @jefferycheng1 @kanterov @lennartkats-db

.github/scripts/owners.js

@@ -57,12 +57,12 @@ function findOwners(filepath, rules) {
 }
 
 /**
- * Get core team from the * catch-all rule.
+ * Get maintainers from the * catch-all rule.
  * @returns {string[]} logins
  */
-function getCoreTeam(rules) {
+function getMaintainers(rules) {
   const catchAll = rules.find((r) => r.pattern === "*");
   return catchAll ? catchAll.owners : [];
 }
 
-module.exports = { parseOwnersFile, ownersMatch, findOwners, getCoreTeam };
+module.exports = { parseOwnersFile, ownersMatch, findOwners, getMaintainers };

.github/workflows/maintainer-approval.js

@@ -2,19 +2,19 @@ const path = require("path");
 const {
   parseOwnersFile,
   findOwners,
-  getCoreTeam,
+  getMaintainers,
 } = require("../scripts/owners");
 
 // Check if the PR author is exempted.
-// If ALL changed files are owned by non-core-team owners that include the
-// author, the PR can merge with any approval (not necessarily core team).
-function isExempted(authorLogin, files, rules, coreTeam) {
+// If ALL changed files are owned by non-maintainer owners that include the
+// author, the PR can merge with any approval (not necessarily a maintainer).
+function isExempted(authorLogin, files, rules, maintainers) {
   if (files.length === 0) return false;
-  const coreSet = new Set(coreTeam);
+  const maintainerSet = new Set(maintainers);
   for (const { filename } of files) {
     const owners = findOwners(filename, rules);
-    const nonCoreOwners = owners.filter((o) => !coreSet.has(o));
-    if (nonCoreOwners.length === 0 || !nonCoreOwners.includes(authorLogin)) {
+    const nonMaintainers = owners.filter((o) => !maintainerSet.has(o));
+    if (nonMaintainers.length === 0 || !nonMaintainers.includes(authorLogin)) {
       return false;
     }
   }
@@ -28,11 +28,11 @@ module.exports = async ({ github, context, core }) => {
     "OWNERS"
   );
   const rules = parseOwnersFile(ownersPath);
-  const coreTeam = getCoreTeam(rules);
+  const maintainers = getMaintainers(rules);
 
-  if (coreTeam.length === 0) {
+  if (maintainers.length === 0) {
     core.setFailed(
-      "Could not determine core team from .github/OWNERS (no * rule found)."
+      "Could not determine maintainers from .github/OWNERS (no * rule found)."
     );
     return;
   }
@@ -43,17 +43,17 @@ module.exports = async ({ github, context, core }) => {
     pull_number: context.issue.number,
   });
 
-  const coreTeamApproved = reviews.some(
+  const maintainerApproved = reviews.some(
     ({ state, user }) =>
-      state === "APPROVED" && user && coreTeam.includes(user.login)
+      state === "APPROVED" && user && maintainers.includes(user.login)
   );
 
-  if (coreTeamApproved) {
+  if (maintainerApproved) {
     const approver = reviews.find(
       ({ state, user }) =>
-        state === "APPROVED" && user && coreTeam.includes(user.login)
+        state === "APPROVED" && user && maintainers.includes(user.login)
     );
-    core.info(`Core team approval from @${approver.user.login}`);
+    core.info(`Maintainer approval from @${approver.user.login}`);
     return;
   }
 
@@ -67,7 +67,7 @@ module.exports = async ({ github, context, core }) => {
     pull_number: context.issue.number,
   });
 
-  if (authorLogin && isExempted(authorLogin, files, rules, coreTeam)) {
+  if (authorLogin && isExempted(authorLogin, files, rules, maintainers)) {
     const hasAnyApproval = reviews.some(({ state }) => state === "APPROVED");
     if (!hasAnyApproval) {
       core.setFailed(
@@ -78,6 +78,6 @@ module.exports = async ({ github, context, core }) => {
   }
 
   core.setFailed(
-    `Requires approval from a core team member: ${coreTeam.join(", ")}.`
+    `Requires approval from a maintainer: ${maintainers.join(", ")}.`
   );
 };

.github/workflows/maintainer-approval.yml

@@ -11,7 +11,9 @@ defaults:
 
 jobs:
   check:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
     timeout-minutes: 5
     permissions:
       pull-requests: read