[BUG] warn-only set and job fails when having a vulnerability

[dolorsfg]

Describe the bug
This statement in documentation is not true: When warn-only is set to true, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail. The vulnerabilities are reported as warnings but the job fails

To Reproduce
Steps to reproduce the behavior:

1. Having previously configured dependency review as follows:
   uses: actions/dependency-review-action@v4
   with:
   comment-summary-in-pr: always
   fail-on-severity: high
   deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
   warn-only: true
   base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
   head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
2. Define a pom with this dependency:
   
   org.apache.tomcat.embed
   tomcat-embed-core
   10.1.24
   provided
   
3. Create a PR to upload changes in pom
4. Wait until dependency review finishes
5. See that the vulnerability is correctly detected as a warning but the job fails

Expected behavior
The job ought not to fail

Screenshots

Action version
v4

Examples
https://github.com/dolorsfg/spring-demo/actions/runs/10593485619/job/29355095706?pr=1