fix(ci): pass GITHUB_TOKEN to Hypatia scan step

After the HYPATIA_DIR fix in PR #44 got the scanner past the working-directory
error, the next step (`Run Hypatia scan`) is now actually executing — and
failing because the scanner queries Dependabot alerts, which requires
GITHUB_TOKEN. The default GITHUB_TOKEN has the security_events:read scope
that the alerts API needs; passing it via env on the scan step closes the
gap.

Verified by reading the actual scan log:
  Scanning repository: hyperpolymath/affinescript
  Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set — cannot query Dependabot alerts
  ##[error]Process completed with exit code 1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/hypatia-scan.yml

@@ -55,6 +55,11 @@ jobs:
 
       - name: Run Hypatia scan
         id: scan
+        env:
+          # Hypatia uses Dependabot alerts as one of its signal sources.
+          # Without GITHUB_TOKEN it warns and exits 1. The default GITHUB_TOKEN
+          # has the security_events:read scope needed to query alerts.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           echo "Scanning repository: ${{ github.repository }}"