Fix: skip unchanged GitHub team memberships in provisioner (#86)

## Summary

Root cause fix for the CODEOWNER self-merge regression.

The provisioner was calling `PUT /teams/{slug}/memberships/{user}` on
every run for every member, even when the role was already correct. This
re-added members via the API, changing their membership state from
"org-owner implicit" to "explicit API-added", which caused GitHub to
block self-merge on CODEOWNER-required PRs.

Now fetches current member roles first and only calls PUT when a role
change is actually needed.

## What happened
1. PR #80 changed provisioner to default `role: member`
2. Registry #16 merged → provisioner ran for first time with new code
3. Provisioner called `PUT memberships/alexanderamiri {"role":
"maintainer"}` — role was already maintainer, but the API call changed
the membership source
4. GitHub stopped allowing self-merge on CODEOWNER PRs

## Also reverted
Removed the org-admin bypass actor from the ruleset (was a band-aid, not
the fix).

## Test plan
- [ ] Merge this PR (should be self-mergeable — provisioner hasn't run
again)
- [ ] Trigger provisioner via registry merge
- [ ] Verify team membership unchanged (check GitHub API)
- [ ] Create a test PR → verify self-merge still works

Author: Alexanderamiri

terraform/lambda-src/team_provisioner/handler.py

@@ -568,23 +568,26 @@ def sync_github_team(team):
         else:
             logger.info("Created GitHub team %s", team_slug)
 
-    # Current team members (paginated — GitHub returns max 100 per page)
-    current_members = set()
-    page = 1
-    while True:
-        members_resp = _github_api(
-            "GET",
-            f"/orgs/{GITHUB_ORG}/teams/{team_slug}/members?per_page=100&page={page}",
-            token,
-        )
-        if not isinstance(members_resp, list) or not members_resp:
-            break
-        current_members.update(m["login"].lower() for m in members_resp)
-        if len(members_resp) < 100:
-            break
-        page += 1
-
-    # Desired members
+    # Current team members with roles (paginated — GitHub returns max 100 per page)
+    # We need roles to avoid unnecessary PUT calls that can change membership state.
+    current_members = {}  # login -> role
+    for role_filter in ("maintainer", "member"):
+        page = 1
+        while True:
+            members_resp = _github_api(
+                "GET",
+                f"/orgs/{GITHUB_ORG}/teams/{team_slug}/members?role={role_filter}&per_page=100&page={page}",
+                token,
+            )
+            if not isinstance(members_resp, list) or not members_resp:
+                break
+            for m in members_resp:
+                current_members[m["login"].lower()] = role_filter
+            if len(members_resp) < 100:
+                break
+            page += 1
+
+    # Desired members — only call PUT if role needs changing
     desired_users = set()
     for member in team.get("members", []):
         m = _normalize_member(member)
@@ -601,6 +604,10 @@ def sync_github_team(team):
         if github_role not in ("maintainer", "member"):
             logger.warning("Invalid role '%s' for %s — defaulting to member", github_role, github_user)
             github_role = "member"
+        current_role = current_members.get(github_user)
+        if current_role == github_role:
+            logger.info("Skipping %s in team %s — already %s", github_user, team_slug, github_role)
+            continue
         _github_api(
             "PUT",
             f"/orgs/{GITHUB_ORG}/teams/{team_slug}/memberships/{github_user}",
@@ -610,7 +617,7 @@ def sync_github_team(team):
         logger.info("Set %s as %s in team %s", github_user, github_role, team_slug)
 
     # Remove members no longer in the team definition
-    for login in current_members - desired_users:
+    for login in set(current_members.keys()) - desired_users:
         _github_api(
             "DELETE",
             f"/orgs/{GITHUB_ORG}/teams/{team_slug}/memberships/{login}",