[BUG] warn-only set and job fails when having a vulnerability

[dolorsfg]

Describe the bug
This statement in documentation is not true: When warn-only is set to true, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail. The vulnerabilities are reported as warnings but the job fails

To Reproduce
Steps to reproduce the behavior:

1. Having previously configured dependency review as follows:
   uses: actions/dependency-review-action@v4
   with:
   comment-summary-in-pr: always
   fail-on-severity: high
   deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
   warn-only: true
   base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
   head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
2. Define a pom with this dependency:
   
   org.apache.tomcat.embed
   tomcat-embed-core
   10.1.24
   provided
   
3. Create a PR to upload changes in pom
4. Wait until dependency review finishes
5. See that the vulnerability is correctly detected as a warning but the job fails

Expected behavior
The job ought not to fail

Screenshots

Action version
v4

Examples
https://github.com/dolorsfg/spring-demo/actions/runs/10593485619/job/29355095706?pr=1

[github-actions]

👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

[github-actions]

👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details.