ci: add production topic channel spam audit mode #4866

Closed
mashbean wants to merge 1 commit into master from codex/prod-topic-channel-spam-audit

@mashbean

Contributor

Why

We need a read-only production DB audit for the topic-channel spam exposure incident. The existing production query workflow already has VPN, production environment approval, and DB access boundaries, but it only supports federation export event lookup.

What changed

  • Adds an article_id=0 audit mode to the existing production query workflow.
  • The audit runs SELECT-only SQL against target topic channels: 生活, 書影音, 時事, 還有.
  • It prints aggregate counts for high-score spam-like rows and a limited sample set for incident verification.

Safety

  • No production mutation.
  • Keeps environment: production, so branch policy and required reviewers remain enforced.
  • This can be reverted after the audit if we do not want to keep the mode.

Validation

  • YAML parsed locally with python3.
  • Branch dispatch was attempted and failed before runner start because production environment only allows main and master, confirming this must land on an allowed branch before it can access production.

@mashbean mashbean requested a review from a team as a code owner June 21, 2026 04:30
@codecov

codecov Bot commented Jun 21, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.39%. Comparing base (89f67f5) to head (027de26).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4866      +/-   ##
==========================================
+ Coverage   73.12%   73.39%   +0.26%     
==========================================
  Files        1081     1081              
  Lines       21644    21874     +230     
  Branches     4735     4824      +89     
==========================================
+ Hits        15828    16055     +227     
- Misses       5339     5342       +3     
  Partials      477      477              


@mashbean

Contributor Author

Closing this audit workflow PR. Merging query-only incident tooling into master is not the right production boundary for this check. We should run the read-only SQL through an existing approved DB access path or have an operator run it directly, without changing the production branch.

@mashbean mashbean closed this Jun 21, 2026