Add read_group_runners group policy rule

What does this MR do and why?

This MR:

  • adds the read_group_runners group policy rule and replaces existing logic that was falling back to the :admin_group rule. Both are available only to group owners;
  • changes the level used for register_group_runners/admin_group_runners (currently maintainer-level) so that they are not more permissive than read_group_runners (owner-level);
  • changes the copy in the project runners settings page so that it mentions 'group owners' instead of 'group maintainers', since group maintainers were never able to manage group runners.

How to set up and validate locally

No functional changes should occur; this is only a change of rules that reuse the same permissions.

  1. Log in as root user

  2. Visit http://gdk.localhost:3000/groups/gitlab-org/-/group_members

  3. Ensure you have a non-admin user with maintainer access (e.g. josh)

  4. Visit http://gdk.localhost:3000/gitlab-org. The CI/CD -> Runners nav menu item should be available.

  5. Ensure you can log in with josh. If you don't know the password for the user, you can reset it in the Rails console as follows:

    user = User.find_by_username 'josh'; user.password = user.password_confirmation = 'secret_pass'; user.save!

  6. Log in as josh and visit http://gdk.localhost:3000/gitlab-org. The CI/CD -> Runners nav menu item should not be available.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Closes #349786 (closed)

Edited by Pedro Pombeiro
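
The permission inversion this MR removes can be checked mechanically. The following is an added example, not code from the MR or from GitLab's policy classes: a plain-Ruby model in which the role ordering, the `BEFORE`/`AFTER` tables and the names `IMPLIES`, `can?` and `inversions` are assumptions made for illustration, with the minimum roles taken from the description above.

```ruby
# Simplified model of role-gated abilities (not GitLab's DeclarativePolicy).
# Higher number = more privileged role; the values are illustrative.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Minimum role per ability as described in the MR text.
BEFORE = {
  read_group_runners: :owner,          # previously reached via the :admin_group fallback
  register_group_runners: :maintainer, # "currently maintainer-level"
  admin_group_runners: :maintainer
}.freeze

# After the change, the managing abilities are raised to owner-level.
AFTER = BEFORE.merge(
  register_group_runners: :owner,
  admin_group_runners: :owner
).freeze

# Managing abilities that should never be granted without the read ability.
IMPLIES = {
  register_group_runners: :read_group_runners,
  admin_group_runners: :read_group_runners
}.freeze

# True when `role` meets the minimum role required for `ability`.
def can?(rules, role, ability)
  ACCESS.fetch(role) >= ACCESS.fetch(rules.fetch(ability))
end

# Lists [role, ability, implied] triples where a role holds a managing
# ability but lacks the read ability it depends on.
def inversions(rules)
  ACCESS.keys.flat_map do |role|
    IMPLIES.filter_map do |ability, implied|
      [role, ability, implied] if can?(rules, role, ability) && !can?(rules, role, implied)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{inversions(BEFORE).inspect}"
  puts "after:  #{inversions(AFTER).inspect}"
end
```

Running a check of this shape over a real rule table in CI flags any write-type ability that is reachable at a lower access level than its matching read ability.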