zgosalvez
diff --git a/‎dist/index.js
+22-11 b/‎dist/index.js
+22-11
diff --git a/‎dist/index.js.map
+1-1 b/‎dist/index.js.map
+1-1
diff --git a/‎src/index.js
+22-12 b/‎src/index.js
+22-12
@@ -23,27 +23,31 @@ async function run() {
       }
 
       core.startGroup(workflowsPath + '/' + basename);
-      
+
       for (const job in jobs) {
+        const uses = jobs[job]['uses'];
         const steps = jobs[job]['steps'];
 
-        if (steps === undefined) {
-          core.warning(`The "${job}" job of the "${basename}" workflow does not contain steps.`);
-        }
-
-        for (const step of steps) {
-          const uses = step['uses'];
+        if (uses !== undefined) {
+          if (!assertUsesSHA(uses)) {
+            actionHasError = true;
+            fileHasError = true;
 
-          if (typeof uses === 'string' && uses.includes('@')) {
-            const version = uses.substr(uses.indexOf('@') + 1);
+            core.error(`${uses} is not pinned to a full length commit SHA.`);
+          }
+        } else if (steps !== undefined) {
+          for (const step of steps) {
+            const uses = step['uses'];
 
-            if (!sha1.test(version)) {
+            if (uses !== undefined && !assertUsesSHA(uses)) {
               actionHasError = true;
               fileHasError = true;
 
               core.error(`${uses} is not pinned to a full length commit SHA.`);
             }
           }
+        } else {
+          core.warning(`The "${job}" job of the "${basename}" workflow does not contain steps or uses.`);
         }
       }
 
@@ -53,7 +57,7 @@ async function run() {
 
       core.endGroup();
     }
-    
+
     if (actionHasError) {
       throw new Error('At least one workflow contains an unpinned GitHub Action version.');
     }
@@ -62,4 +66,10 @@ async function run() {
   }
 }
 
-run();
+run();
+
+function assertUsesSHA(uses) {
+  return typeof uses === 'string' &&
+    uses.includes('@') &&
+    sha1.test(uses.substr(uses.indexOf('@') + 1))
+}