diff --git a/.github/workflows/ci-lib-changelog-emitter.yml b/.github/workflows/ci-lib-changelog-emitter.yml
index d2ce878c..60a4326e 100644
--- a/.github/workflows/ci-lib-changelog-emitter.yml
+++ b/.github/workflows/ci-lib-changelog-emitter.yml
@@ -38,7 +38,14 @@ jobs:
 run: pnpm --filter typespec-versioning-changelog run test:coverage
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter typespec-versioning-changelog run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter typespec-versioning-changelog
diff --git a/.github/workflows/ci-lib-cli.yml b/.github/workflows/ci-lib-cli.yml
index c5048ccb..1345d83a 100644
--- a/.github/workflows/ci-lib-cli.yml
+++ b/.github/workflows/ci-lib-cli.yml
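Review bot: The added `if: github.base_ref == 'main' || github.ref == 'refs/heads/main'` on the `Audit dependencies` step makes the audit skip silently on every other base, and a skipped step still leaves the job green, so a PR into a HOLD-* branch that itself adds a dependency with a known advisory produces no audit output at all until the checkpoint PR. Consider leaving the step unconditional and making it non-blocking off `main` instead, for example `continue-on-error: ${{ github.base_ref != 'main' && github.ref != 'refs/heads/main' }}`, so findings stay visible in the log while only main-bound runs fail. The condition is also false for tag refs and for merge-queue refs (`refs/heads/gh-readonly-queue/...`, where `github.base_ref` is empty), so if these workflows are reached from a release or `merge_group` trigger, which is not visible here, the audit would not gate those runs either. The same condition and comment are repeated in the ci-lib-cli, ci-lib-core and ci-lib-ts-sdk hunks and the point applies to each; the job containing this step starts outside the hunk.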
@@ -43,7 +43,14 @@ jobs:
 run: pnpm --filter @common-grants/cli run build
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter @common-grants/cli run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter @common-grants/cli
diff --git a/.github/workflows/ci-lib-core.yml b/.github/workflows/ci-lib-core.yml
index c630e6f4..ec3b01cc 100644
--- a/.github/workflows/ci-lib-core.yml
+++ b/.github/workflows/ci-lib-core.yml
@@ -40,7 +40,14 @@ jobs:
 run: pnpm --filter @common-grants/core run typespec
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter @common-grants/core run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter @common-grants/core
diff --git a/.github/workflows/ci-lib-ts-sdk.yml b/.github/workflows/ci-lib-ts-sdk.yml
index 2641b3b4..b634c81d 100644
--- a/.github/workflows/ci-lib-ts-sdk.yml
+++ b/.github/workflows/ci-lib-ts-sdk.yml
@@ -40,7 +40,14 @@ jobs:
 run: pnpm --filter @common-grants/sdk run test:coverage
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter @common-grants/sdk run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter @common-grants/sdk