Per-path approval and per-group reviewer suggestions (#4918)

## Why

Cross-domain PRs aren't handled correctly by the current
maintainer-approval workflow. If a PR touches `/cmd/pipelines/` and
`/cmd/apps/`, a single approval from either team covers the whole PR.
Each domain team should approve their own area independently.

The `suggest-reviewers` comment also doesn't surface which ownership
areas need review. It just shows a flat list.

On top of that, the workflow uses `core.setFailed()` to block PRs
missing approval. This shows a red X, which is misleading: "waiting for
approval" isn't an error, it's a normal pending state.

## Changes

**Before:** One exemption check (`isExempted`) that only worked when the
PR author owned all changed files. Cross-domain PRs fell through to
requiring a maintainer. `suggest-reviewers` showed a flat list. Missing
approval = red X.

**Now:** Per-path approval where each ownership group needs at least one
approval from its owners. `suggest-reviewers` shows per-group sections
for cross-domain PRs. Missing approval = yellow pending dot via Commit
Status API.

### `owners.js`

Added `getOwnershipGroups(filenames, rules)` that groups files by their
last-match-wins OWNERS pattern. Returns `Map<pattern, { owners, files
}>`. This is the shared building block used by both the approval check
and reviewer suggestions.

### `maintainer-approval.js`

Replaced `isExempted` with `checkPerPathApproval`. The new flow:

1. Any maintainer approved? -> `success` (unchanged)
2. PR author is a maintainer and has any approval? -> `success` (new,
any second pair of eyes suffices)
3. Group changed files by ownership. Any files matching only `*`? ->
`pending` (needs maintainer)
4. For each ownership group, has at least one owner approved? All
covered -> `success`. Some uncovered -> `pending` (lists which groups
need approval)

Team refs (`@org/team`) are resolved via `getMembershipForUserInOrg`.
The resolution distinguishes 404 (not a member) from permission errors
(logs a warning, falls back to requiring maintainer).

Switched from `core.setFailed()` to `createCommitStatus()` with
`pending`/`success` states, so "waiting for approval" is a yellow dot
instead of a red X. The ruleset should require the `maintainer-approval`
commit status context.

### `suggest-reviewers.js`

When a PR crosses 2+ ownership groups, shows "Reviewers by ownership
area" with per-group sections. Each section lists the matched files,
team refs, and individually ranked owners (by git history score).
Single-domain PRs keep the existing flat format. The wildcard section
(`*` files) only suggests maintainers, since only they can approve those
files.

### `OWNERS`

- Added `/bundle/`, `/acceptance/bundle/`, and `/acceptance/labs/` rules
mirroring their source counterparts
- Added section comments for readability
- Grouped rules by domain

### `maintainer-approval.yml`

- Added `statuses: write` permission (needed for `createCommitStatus`)

## Test plan

- [x] 36 unit tests using Node's built-in `node:test` runner (zero
dependencies)
- 24 tests for `owners.js`: `ownersMatch`, `parseOwnersFile`,
`findOwners`, `getMaintainers`, `getOwnershipGroups`
- 12 tests for `maintainer-approval.js` with mocked GitHub API:
maintainer approval, maintainer-authored PR self-approval, single
domain, cross-domain (both covered and partially covered), wildcard
files, team member approval, non-team-member rejection,
`CHANGES_REQUESTED` exclusion, self-approval exclusion, missing `*` rule
error
- Run: `node --test .github/scripts/owners.test.js
.github/workflows/maintainer-approval.test.js`
- [ ] Verify on a single-domain PR (only `/cmd/pipelines/` files):
pending until pipelines owner approves
- [ ] Verify on a cross-domain PR (`/cmd/pipelines/` + `/cmd/apps/`):
pending until both groups approved
- [ ] Verify on a PR touching only `*` files: pending, message says
"needs maintainer"
- [ ] Verify maintainer approval short-circuits: success status
immediately
- [ ] Update branch ruleset to require `maintainer-approval` commit
status context

### Edge case coverage (from unit tests)

| Scenario | Expected | Tested |
|----------|----------|--------|
| PR touches only `*` files | Maintainer required, pending | yes |
| PR touches one domain only | One domain owner approval suffices | yes
|
| PR touches two domains | Both groups need approval | yes |
| PR touches domain + `*` files | Maintainer required (wildcard forces
it) | yes |
| Maintainer approves | Always success | yes |
| PR author is maintainer + any approval | Success (second pair of eyes)
| yes |
| Team member approves team-owned path | Success (via Teams API) | yes |
| `CHANGES_REQUESTED` review | Does not count as approval | yes |
| PR author self-approval | Excluded from approver list | yes |

Author: simonfaltum

.github/OWNERS

@@ -1,11 +1,25 @@
-*                         @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum
-/cmd/bundle/              @andrewnester @anton-107 @denik @pietern @shreyas-goenka @lennartkats-db
-/libs/template/           @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum @lennartkats-db
-/acceptance/pipelines/    @jefferycheng1 @kanterov @lennartkats-db
-/cmd/pipelines/           @jefferycheng1 @kanterov @lennartkats-db
-/cmd/labs/                @alexott @nfx
-/cmd/apps/                @databricks/eng-apps-devex
-/cmd/workspace/apps/      @databricks/eng-apps-devex
-/libs/apps/               @databricks/eng-apps-devex
-/acceptance/apps/         @databricks/eng-apps-devex
-/experimental/aitools/    @databricks/eng-apps-devex @lennartkats-db
+# Maintainers (can approve any PR)
+*                           @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum
+
+# Bundles
+/bundle/                    @andrewnester @anton-107 @denik @pietern @shreyas-goenka @lennartkats-db
+/cmd/bundle/                @andrewnester @anton-107 @denik @pietern @shreyas-goenka @lennartkats-db
+/acceptance/bundle/         @andrewnester @anton-107 @denik @pietern @shreyas-goenka @lennartkats-db
+/libs/template/             @andrewnester @anton-107 @denik @pietern @shreyas-goenka @simonfaltum @lennartkats-db
+
+# Pipelines
+/cmd/pipelines/             @jefferycheng1 @kanterov @lennartkats-db
+/acceptance/pipelines/      @jefferycheng1 @kanterov @lennartkats-db
+
+# Labs
+/cmd/labs/                  @alexott @nfx
+/acceptance/labs/           @alexott @nfx
+
+# Apps
+/cmd/apps/                  @databricks/eng-apps-devex
+/cmd/workspace/apps/        @databricks/eng-apps-devex
+/libs/apps/                 @databricks/eng-apps-devex
+/acceptance/apps/           @databricks/eng-apps-devex
+
+# Experimental
+/experimental/aitools/      @databricks/eng-apps-devex @lennartkats-db

.github/scripts/owners.js

@@ -65,4 +65,28 @@ function getMaintainers(rules) {
   return catchAll ? catchAll.owners : [];
 }
 
-module.exports = { parseOwnersFile, ownersMatch, findOwners, getMaintainers };
+/**
+ * Group files by their matched OWNERS rule (last-match-wins).
+ * Returns Map<pattern, { owners: string[], files: string[] }>
+ */
+function getOwnershipGroups(filenames, rules) {
+  const groups = new Map();
+  for (const filepath of filenames) {
+    let matchedPattern = null;
+    let matchedOwners = [];
+    for (const rule of rules) {
+      if (ownersMatch(rule.pattern, filepath)) {
+        matchedPattern = rule.pattern;
+        matchedOwners = rule.owners;
+      }
+    }
+    if (!matchedPattern) continue;
+    if (!groups.has(matchedPattern)) {
+      groups.set(matchedPattern, { owners: [...matchedOwners], files: [] });
+    }
+    groups.get(matchedPattern).files.push(filepath);
+  }
+  return groups;
+}
+
+module.exports = { parseOwnersFile, ownersMatch, findOwners, getMaintainers, getOwnershipGroups };

.github/scripts/owners.test.js

@@ -0,0 +1,256 @@
+const { describe, it, before, after } = require("node:test");
+const assert = require("node:assert/strict");
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+
+const {
+  ownersMatch,
+  parseOwnersFile,
+  findOwners,
+  getMaintainers,
+  getOwnershipGroups,
+} = require("./owners");
+
+// --- ownersMatch ---
+
+describe("ownersMatch", () => {
+  it("* matches everything", () => {
+    assert.ok(ownersMatch("*", "any/file/path.go"));
+    assert.ok(ownersMatch("*", "README.md"));
+    assert.ok(ownersMatch("*", ""));
+  });
+
+  it("/dir/ prefix matches files under that directory", () => {
+    assert.ok(ownersMatch("/cmd/pipelines/", "cmd/pipelines/foo.go"));
+    assert.ok(ownersMatch("/cmd/pipelines/", "cmd/pipelines/sub/bar.go"));
+  });
+
+  it("/dir/ does NOT match files in other directories", () => {
+    assert.ok(!ownersMatch("/cmd/pipelines/", "cmd/other/foo.go"));
+    assert.ok(!ownersMatch("/cmd/pipelines/", "cmd/pipeline/foo.go"));
+    assert.ok(!ownersMatch("/cmd/pipelines/", "bundle/pipelines/foo.go"));
+  });
+
+  it("exact file match", () => {
+    assert.ok(ownersMatch("/some/file.go", "some/file.go"));
+    assert.ok(!ownersMatch("/some/file.go", "some/other.go"));
+    assert.ok(!ownersMatch("/some/file.go", "some/file.go/extra"));
+  });
+
+  it("leading / is stripped for matching", () => {
+    assert.ok(ownersMatch("/bundle/", "bundle/config.go"));
+    assert.ok(ownersMatch("/README.md", "README.md"));
+  });
+});
+
+// --- parseOwnersFile ---
+
+describe("parseOwnersFile", () => {
+  let tmpDir;
+  let ownersPath;
+
+  before(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "owners-test-"));
+    ownersPath = path.join(tmpDir, "OWNERS");
+  });
+
+  after(() => {
+    fs.rmSync(tmpDir, { recursive: true });
+  });
+
+  it("parses rules with owners", () => {
+    fs.writeFileSync(
+      ownersPath,
+      [
+        "* @alice @bob",
+        "/cmd/pipelines/ @carol",
+      ].join("\n")
+    );
+    const rules = parseOwnersFile(ownersPath);
+    assert.equal(rules.length, 2);
+    assert.equal(rules[0].pattern, "*");
+    assert.deepEqual(rules[0].owners, ["alice", "bob"]);
+    assert.equal(rules[1].pattern, "/cmd/pipelines/");
+    assert.deepEqual(rules[1].owners, ["carol"]);
+  });
+
+  it("filters out team refs by default", () => {
+    fs.writeFileSync(
+      ownersPath,
+      "/cmd/apps/ @databricks/eng-apps-devex @alice\n"
+    );
+    const rules = parseOwnersFile(ownersPath);
+    assert.equal(rules.length, 1);
+    assert.deepEqual(rules[0].owners, ["alice"]);
+  });
+
+  it("includes team refs with includeTeams option", () => {
+    fs.writeFileSync(
+      ownersPath,
+      "/cmd/apps/ @databricks/eng-apps-devex @alice\n"
+    );
+    const rules = parseOwnersFile(ownersPath, { includeTeams: true });
+    assert.equal(rules.length, 1);
+    assert.deepEqual(rules[0].owners, ["databricks/eng-apps-devex", "alice"]);
+  });
+
+  it("skips comments and blank lines", () => {
+    fs.writeFileSync(
+      ownersPath,
+      [
+        "# This is a comment",
+        "",
+        "  # indented comment",
+        "* @alice",
+        "",
+        "/cmd/ @bob",
+      ].join("\n")
+    );
+    const rules = parseOwnersFile(ownersPath);
+    assert.equal(rules.length, 2);
+  });
+
+  it("strips @ prefix from owners", () => {
+    fs.writeFileSync(ownersPath, "* @alice @bob\n");
+    const rules = parseOwnersFile(ownersPath);
+    assert.deepEqual(rules[0].owners, ["alice", "bob"]);
+  });
+
+  it("skips lines with only a pattern and no owners", () => {
+    fs.writeFileSync(ownersPath, "/lonely/\n* @alice\n");
+    const rules = parseOwnersFile(ownersPath);
+    assert.equal(rules.length, 1);
+    assert.equal(rules[0].pattern, "*");
+  });
+});
+
+// --- findOwners ---
+
+describe("findOwners", () => {
+  const rules = [
+    { pattern: "*", owners: ["maintainer1", "maintainer2"] },
+    { pattern: "/cmd/pipelines/", owners: ["pipelinesOwner"] },
+    { pattern: "/cmd/apps/", owners: ["appsOwner"] },
+  ];
+
+  it("last match wins", () => {
+    const owners = findOwners("cmd/pipelines/foo.go", rules);
+    assert.deepEqual(owners, ["pipelinesOwner"]);
+  });
+
+  it("file matching only * returns catch-all owners", () => {
+    const owners = findOwners("README.md", rules);
+    assert.deepEqual(owners, ["maintainer1", "maintainer2"]);
+  });
+
+  it("file matching specific rule returns that rule's owners", () => {
+    const owners = findOwners("cmd/apps/main.go", rules);
+    assert.deepEqual(owners, ["appsOwner"]);
+  });
+
+  it("returns empty array when no rules match", () => {
+    const noWildcard = [{ pattern: "/cmd/pipelines/", owners: ["owner1"] }];
+    const owners = findOwners("bundle/config.go", noWildcard);
+    assert.deepEqual(owners, []);
+  });
+});
+
+// --- getMaintainers ---
+
+describe("getMaintainers", () => {
+  it("returns owners from * rule", () => {
+    const rules = [
+      { pattern: "*", owners: ["alice", "bob"] },
+      { pattern: "/cmd/", owners: ["carol"] },
+    ];
+    assert.deepEqual(getMaintainers(rules), ["alice", "bob"]);
+  });
+
+  it("returns empty array if no * rule", () => {
+    const rules = [{ pattern: "/cmd/", owners: ["carol"] }];
+    assert.deepEqual(getMaintainers(rules), []);
+  });
+});
+
+// --- getOwnershipGroups ---
+
+describe("getOwnershipGroups", () => {
+  const rules = [
+    { pattern: "*", owners: ["maintainer"] },
+    { pattern: "/cmd/pipelines/", owners: ["pipelinesOwner"] },
+    { pattern: "/cmd/apps/", owners: ["appsOwner"] },
+    { pattern: "/bundle/", owners: ["bundleOwner"] },
+  ];
+
+  it("single file matching one rule -> one group", () => {
+    const groups = getOwnershipGroups(["cmd/pipelines/foo.go"], rules);
+    assert.equal(groups.size, 1);
+    assert.ok(groups.has("/cmd/pipelines/"));
+    assert.deepEqual(groups.get("/cmd/pipelines/").owners, ["pipelinesOwner"]);
+    assert.deepEqual(groups.get("/cmd/pipelines/").files, ["cmd/pipelines/foo.go"]);
+  });
+
+  it("multiple files matching same rule -> grouped together", () => {
+    const groups = getOwnershipGroups(
+      ["cmd/pipelines/foo.go", "cmd/pipelines/bar.go"],
+      rules
+    );
+    assert.equal(groups.size, 1);
+    assert.deepEqual(groups.get("/cmd/pipelines/").files, [
+      "cmd/pipelines/foo.go",
+      "cmd/pipelines/bar.go",
+    ]);
+  });
+
+  it("files matching different rules -> separate groups", () => {
+    const groups = getOwnershipGroups(
+      ["cmd/pipelines/foo.go", "cmd/apps/bar.go"],
+      rules
+    );
+    assert.equal(groups.size, 2);
+    assert.ok(groups.has("/cmd/pipelines/"));
+    assert.ok(groups.has("/cmd/apps/"));
+  });
+
+  it("file matching only * -> group with * key", () => {
+    const groups = getOwnershipGroups(["README.md"], rules);
+    assert.equal(groups.size, 1);
+    assert.ok(groups.has("*"));
+    assert.deepEqual(groups.get("*").owners, ["maintainer"]);
+    assert.deepEqual(groups.get("*").files, ["README.md"]);
+  });
+
+  it("file matching no rule -> skipped", () => {
+    const noWildcard = [{ pattern: "/cmd/pipelines/", owners: ["owner1"] }];
+    const groups = getOwnershipGroups(["unrelated/file.go"], noWildcard);
+    assert.equal(groups.size, 0);
+  });
+
+  it("cross-domain: /cmd/pipelines/ and /cmd/apps/ -> two groups", () => {
+    const groups = getOwnershipGroups(
+      [
+        "cmd/pipelines/a.go",
+        "cmd/pipelines/b.go",
+        "cmd/apps/c.go",
+      ],
+      rules
+    );
+    assert.equal(groups.size, 2);
+    assert.deepEqual(groups.get("/cmd/pipelines/").files, [
+      "cmd/pipelines/a.go",
+      "cmd/pipelines/b.go",
+    ]);
+    assert.deepEqual(groups.get("/cmd/apps/").files, ["cmd/apps/c.go"]);
+  });
+
+  it("mixed: domain files + *-only files -> both groups present", () => {
+    const groups = getOwnershipGroups(
+      ["cmd/pipelines/a.go", "README.md"],
+      rules
+    );
+    assert.equal(groups.size, 2);
+    assert.ok(groups.has("/cmd/pipelines/"));
+    assert.ok(groups.has("*"));
+  });
+});