diff --git a/CHANGELOG.md b/CHANGELOG.md
index 440a483..52ff14f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.9.1
+
+### Fixes
+
+- Danger - fix pinned action check if the ref is at the end of the file ([#70](https://github.com/getsentry/github-workflows/pull/70))
+
 ## 2.9.0
 
 ### Fixes
diff --git a/danger/CONTRIBUTING.md b/danger/CONTRIBUTING.md
index f8532b5..5bd26ee 100644
--- a/danger/CONTRIBUTING.md
+++ b/danger/CONTRIBUTING.md
@@ -7,12 +7,13 @@
 
 ## TLDR
 
-```shell-script
-export DANGER_GITHUB_API_TOKEN='XXX'
-export DANGER_FAKE_CI="YEP"
-export DANGER_TEST_REPO='username/reponame'
+```pwsh
+$env:DANGER_GITHUB_API_TOKEN = gh auth token
+$env:DANGER_FAKE_CI = 'YEP'
+$env:DANGER_TEST_REPO = 'username/reponame'
+$env:DANGER_TEST_PR = 1234
+
 cd reponame
-export DANGER_TEST_PR='1234'
-git checkout branch-for-pr-1234
+gh pr checkout $env:DANGER_TEST_PR
 npx danger ci --text-only --failOnErrors --dangerfile=../github-workflows/danger/dangerfile.js
 ```
diff --git a/danger/dangerfile.js b/danger/dangerfile.js
index 3b39a3a..17a4b70 100644
--- a/danger/dangerfile.js
+++ b/danger/dangerfile.js
@@ -146,7 +146,7 @@ async function checkActionsArePinned() {
 
   const usesRegex = /^\+? *uses:/;
   const usesActionRegex =
-    /^\+? *uses: *(?<user>[^\/]+)\/(?<action>[^@]+)@(?<ref>[^ ]*)/;
+    /^\+? *uses: *(?<user>[^\/]+)\/(?<action>[^@]+)@(?<ref>[^\s]+)/;
   const usesLocalRegex = /^\+? *uses: *\.\//; // e.g. 'uses: ./.github/actions/something'
   const shaRegex = /^[a-f0-9]{40}$/;
   const whitelistedUsers = ["getsentry", "actions", "github"];