57db7fd107
The CI workflow already described production dependency audit as an informational PR signal, but the job still surfaced as a failing check. That left release PRs in an unstable state even after the real merge-gate jobs were green. This keeps PR audits visible as warnings while still letting main-branch pushes fail if production dependency audit actually returns a non-zero exit.

Constraint: Preserve production audit visibility while avoiding false-red PR status
Rejected: Remove audit from CI entirely | loses vulnerability visibility
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep audit informational on pull requests unless branch protection is intentionally tightened later
Tested: YAML parse via ruby; git diff --check
Not-tested: Full GitHub Actions rerun pending after push
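
An added example, not the repository's workflow code: a POSIX shell wrapper for the behaviour the commit message describes, where a non-zero audit exit becomes a warning annotation on pull requests and stays a failure on other events. The function name `audit_gate`, the constructed stand-in audit commands, and deciding on the `GITHUB_EVENT_NAME` value alone are assumptions.

```shell
#!/bin/sh
# Added illustration, not the repository's workflow code.
#
# audit_gate EVENT CMD [ARGS...]
#   Runs CMD (the production dependency audit) and decides whether its
#   exit status should fail the CI job. EVENT is the value GitHub Actions
#   exposes as GITHUB_EVENT_NAME ("pull_request", "push", ...).
audit_gate() {
    event="$1"
    shift
    code=0
    # "|| code=$?" records the exit status and keeps this safe under "set -e".
    "$@" || code=$?

    if [ "$code" -eq 0 ]; then
        echo "production dependency audit: clean"
        return 0
    fi

    case "$event" in
        pull_request)
            # Workflow command: rendered as a warning annotation on the PR,
            # while the step itself succeeds, so the check is not red.
            echo "::warning title=Production dependency audit::audit exited $code (informational on pull requests)"
            return 0
            ;;
        *)
            # Any other event (for example a push to main) keeps the real
            # exit status, so the job fails when the audit fails.
            echo "::error title=Production dependency audit::audit exited $code"
            return "$code"
            ;;
    esac
}

# Constructed stand-ins for the audit command (not a real auditor).
fake_audit_clean() { return 0; }
fake_audit_findings() { echo "1 high severity finding (constructed)"; return 1; }

# In a workflow step the call would take the form:
#   audit_gate "$GITHUB_EVENT_NAME" <the project's audit command>
```

Because the pull-request path always returns 0, findings there never block a merge; the first point at which they fail a job is the push event.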