Describe the bug
Updating actions/dependency-review-action from 4 to 5 breaks, as actions/dependency-review-action has no license detected, while in the OpenSSF Scorecard it is detected.
To Reproduce
Have a workflow to run the dependency review action with a list of allowed licenses including the MIT license defined in the repository of actions/dependency-review-action:
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout repository'
        uses: actions/checkout@v6
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v5
        # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
        with:
          comment-summary-in-pr: always
          allow-licenses: GPL-2.0-or-later, LGPL-2.1-or-later, GFDL-1.1-or-later, MIT, MPL-2.0, CC-BY-4.0, CC-BY-SA-4.0, Apache-2.0
Expected behavior
The license definitions would match.
Screenshots

Action version
v5
Note: if you're not running the latest release please try that first!
Examples
Already attached as a screenshot and under To Reproduce.
Additional context
Upgrade was triggered by Dependabot to go from v4 to v5.