Malicious Package in PR Should Fail Workflow #109

@abhisek

Steps to reproduce

  • Integrate vet-action with your repo (e.g. an npm-based project)
  • Do not configure an API key, to ensure vet uses Query Mode
  • Raise a PR to add a known malicious package

Expected behaviour:

  • vet should flag the malicious package in PR comment
  • vet GHA workflow should fail

cc: @n1lanjan
