fix: use fromJSON for numeric comparison in auto-approval condition

[marcusburghardt]

Summary

Fix the dependabot auto-approval condition that silently fails on every PR due to lexicographic string comparison instead of numeric comparison.

GitHub Actions >= operator performs lexicographic string comparison when both operands come from the env context (both are strings). This causes "117" >= "24" to evaluate as false because '1' < '2' in ASCII order — even though numerically 117 >= 24 is true.

The fix wraps both operands in fromJSON() to force numeric casting:

• fromJSON(env.RELEASE_AGE_HOURS) >= fromJSON(env.MIN_RELEASE_AGE_HOURS)
• fromJSON(needs...release_age_hours) >= fromJSON(env.MIN_RELEASE_AGE_HOURS)

Impact: Without this fix, no dependabot PR can be auto-approved because the release age comparison always fails. This affects all org repos consuming ci_dependencies.yml.

Evidence: PR #197 (actions/upload-artifact 7.0.0 → 7.0.1) meets all criteria (risk=low, review=success, release_age=117h) but the auto-approve step was skipped.

Related Issues

• Fixes auto-approval regression introduced in feat: robust dependabot auto-approval with release age check #189
• Unblocks ci(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 #197 (and all pending dependabot PRs across org repos)

Review Hints

• Single file changed: .github/workflows/ci_dependencies.yml (2 lines)
• Two fromJSON() wrappers added: one in the step if: condition (L91), one in the PR comment auto-approval display (L67)
• The MIN_RELEASE_AGE_HOURS env constant remains centralized (Principle I) — only the comparison method changed
• After merging, re-run the Dependencies workflow on ci(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 #197 to verify the fix