rewrite artifacts client to have public and internal implementations

packages/artifact/src/internal/client.ts

@@ -6,12 +6,16 @@ import {
   DownloadArtifactOptions,
   GetArtifactResponse,
   ListArtifactsResponse,
-  DownloadArtifactResponse
+  DownloadArtifactResponse,
+  LookupOptions
 } from './shared/interfaces'
 import {uploadArtifact} from './upload/upload-artifact'
-import {downloadArtifact} from './download/download-artifact'
-import {getArtifact} from './find/get-artifact'
-import {listArtifacts} from './find/list-artifacts'
+import {
+  downloadArtifactPublic,
+  downloadArtifactInternal
+} from './download/download-artifact'
+import {getArtifactPublic, getArtifactInternal} from './find/get-artifact'
+import {listArtifactsPublic, listArtifactsInternal} from './find/list-artifacts'
 
 export interface ArtifactClient {
   /**
@@ -31,62 +35,46 @@ export interface ArtifactClient {
   ): Promise<UploadResponse>
 
   /**
-   * Lists all artifacts that are part of a workflow run.
+   * Lists all artifacts that are part of the current workflow run.
+   * This function will return at most 1000 artifacts per workflow run.
    *
-   * This calls the public List-Artifacts API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
-   * Due to paginated responses from the public API. This function will return at most 1000 artifacts per workflow run (100 per page * maximum 10 calls)
+   * If options.token is specified, this will call the public List-Artifacts API which can list from other runs.
+   * https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
    *
-   * @param workflowRunId The workflow run id that the artifact belongs to
-   * @param repositoryOwner The owner of the repository that the artifact belongs to
-   * @param repositoryName The name of the repository that the artifact belongs to
-   * @param token A token with the appropriate permission to the repository to list artifacts
+   * @param options Extra options that allow for the customization of the list behavior
    * @returns ListArtifactResponse object
    */
-  listArtifacts(
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
-  ): Promise<ListArtifactsResponse>
+  listArtifacts(options?: LookupOptions): Promise<ListArtifactsResponse>
 
   /**
-   * Finds an artifact by name given a repository and workflow run id.
+   * Finds an artifact by name.
    *
-   * This calls the public List-Artifacts API with a name filter https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
+   * If options.token is specified, this will use the public List Artifacts API with a name filter which can get artifacts from other runs.
+   * https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
    * @actions/artifact > 2.0.0 does not allow for creating multiple artifacts with the same name in the same workflow run.
-   * It is possible to have multiple artifacts with the same name in the same workflow run by using old versions of upload-artifact (v1,v2 and v3) or @actions/artifact < v2.0.0
+   * It is possible to have multiple artifacts with the same name in the same workflow run by using old versions of upload-artifact (v1,v2 and v3), @actions/artifact < v2.0.0 or it is a rerun.
    * If there are multiple artifacts with the same name in the same workflow run this function will return the first artifact that matches the name.
    *
    * @param artifactName The name of the artifact to find
-   * @param workflowRunId The workflow run id that the artifact belongs to
-   * @param repositoryOwner The owner of the repository that the artifact belongs to
-   * @param repositoryName The name of the repository that the artifact belongs to
-   * @param token A token with the appropriate permission to the repository to find the artifact
+   * @param options Extra options that allow for the customization of the get behavior
    */
   getArtifact(
     artifactName: string,
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
+    options?: LookupOptions
   ): Promise<GetArtifactResponse>
 
   /**
-   * Downloads an artifact and unzips the content
+   * Downloads an artifact and unzips the content.
+   *
+   * If options.token is specified, this will use the public Download Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#download-an-artifact
    *
    * @param artifactId The name of the artifact to download
-   * @param repositoryOwner The owner of the repository that the artifact belongs to
-   * @param repositoryName The name of the repository that the artifact belongs to
-   * @param token A token with the appropriate permission to the repository to download the artifact
    * @param options Extra options that allow for the customization of the download behavior
    * @returns single DownloadArtifactResponse object
    */
   downloadArtifact(
     artifactId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string,
-    options?: DownloadArtifactOptions
+    options?: DownloadArtifactOptions & LookupOptions
   ): Promise<DownloadArtifactResponse>
 }
 
@@ -137,10 +125,7 @@ If the error persists, please check whether Actions is operating normally at [ht
    */
   async downloadArtifact(
     artifactId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string,
-    options?: DownloadArtifactOptions
+    options?: DownloadArtifactOptions & LookupOptions
   ): Promise<DownloadArtifactResponse> {
     if (isGhes()) {
       warning(
@@ -152,13 +137,19 @@ If the error persists, please check whether Actions is operating normally at [ht
     }
 
     try {
-      return downloadArtifact(
-        artifactId,
-        repositoryOwner,
-        repositoryName,
-        token,
-        options
-      )
+      if (options?.token) {
+        const {repositoryOwner, repositoryName, token, ...downloadOptions} =
+          options
+        return downloadArtifactPublic(
+          artifactId,
+          repositoryOwner,
+          repositoryName,
+          token,
+          downloadOptions
+        )
+      }
+
+      return downloadArtifactInternal(artifactId)
     } catch (error) {
       warning(
         `Artifact download failed with error: ${error}.
@@ -177,12 +168,7 @@ If the error persists, please check whether Actions and API requests are operati
   /**
    * List Artifacts
    */
-  async listArtifacts(
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
-  ): Promise<ListArtifactsResponse> {
+  async listArtifacts(options?: LookupOptions): Promise<ListArtifactsResponse> {
     if (isGhes()) {
       warning(
         `@actions/artifact v2.0.0+ and download-artifact@v4+ are not currently supported on GHES.`
@@ -193,12 +179,16 @@ If the error persists, please check whether Actions and API requests are operati
     }
 
     try {
-      return listArtifacts(
-        workflowRunId,
-        repositoryOwner,
-        repositoryName,
-        token
-      )
+      if (options?.token) {
+        return listArtifactsPublic(
+          options.workflowRunId,
+          options.repositoryOwner,
+          options.repositoryName,
+          options.token
+        )
+      }
+
+      return listArtifactsInternal()
     } catch (error: unknown) {
       warning(
         `Listing Artifacts failed with error: ${error}.
@@ -219,10 +209,7 @@ If the error persists, please check whether Actions and API requests are operati
    */
   async getArtifact(
     artifactName: string,
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
+    options?: LookupOptions
   ): Promise<GetArtifactResponse> {
     if (isGhes()) {
       warning(
@@ -234,13 +221,17 @@ If the error persists, please check whether Actions and API requests are operati
     }
 
     try {
-      return getArtifact(
-        artifactName,
-        workflowRunId,
-        repositoryOwner,
-        repositoryName,
-        token
-      )
+      if (options?.token) {
+        return getArtifactPublic(
+          artifactName,
+          options.workflowRunId,
+          options.repositoryOwner,
+          options.repositoryName,
+          options.token
+        )
+      }
+
+      return getArtifactInternal(artifactName)
     } catch (error: unknown) {
       warning(
         `Fetching Artifact failed with error: ${error}.

packages/artifact/src/internal/download/download-artifact.ts

@@ -9,6 +9,9 @@ import {
 } from '../shared/interfaces'
 import {getUserAgentString} from '../shared/user-agent'
 import {getGitHubWorkspaceDir} from '../shared/config'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {GetSignedArtifactURLRequest, ListArtifactsRequest} from 'src/generated'
+import {getBackendIdsFromToken} from '../shared/util'
 
 const scrubQueryParameters = (url: string): string => {
   const parsed = new URL(url)
@@ -42,23 +45,14 @@ async function streamExtract(url: string, directory: string): Promise<void> {
   return response.message.pipe(unzipper.Extract({path: directory})).promise()
 }
 
-export async function downloadArtifact(
+export async function downloadArtifactPublic(
   artifactId: number,
   repositoryOwner: string,
   repositoryName: string,
   token: string,
   options?: DownloadArtifactOptions
 ): Promise<DownloadArtifactResponse> {
-  const downloadPath = options?.path || getGitHubWorkspaceDir()
-
-  if (!(await exists(downloadPath))) {
-    core.debug(
-      `Artifact destination folder does not exist, creating: ${downloadPath}`
-    )
-    await fs.mkdir(downloadPath, {recursive: true})
-  } else {
-    core.debug(`Artifact destination folder already exists: ${downloadPath}`)
-  }
+  const downloadPath = await resolveOrCreateDirectory(options?.path)
 
   const api = github.getOctokit(token)
 
@@ -99,3 +93,72 @@ export async function downloadArtifact(
 
   return {success: true, downloadPath}
 }
+
+export async function downloadArtifactInternal(
+  artifactId: number,
+  options?: DownloadArtifactOptions
+): Promise<DownloadArtifactResponse> {
+  const downloadPath = await resolveOrCreateDirectory(options?.path)
+
+  const artifactClient = internalArtifactTwirpClient()
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const listReq: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId,
+    nameFilter: '',
+    idFilter: '0' // TODO(robherley): zero values are awkward, use pb wrappers
+  }
+
+  const {artifacts} = await artifactClient.ListArtifacts(listReq)
+
+  if (artifacts.length === 0) {
+    core.warning(
+      `No artifacts found for ID: ${artifactId}\nAre you trying to download from a different run? Try specifying a github-token with \`actions:read\` scope.`
+    )
+    return {success: false}
+  }
+
+  if (artifacts.length > 1) {
+    core.warning('Multiple artifacts found, defaulting to first.')
+  }
+
+  const signedReq: GetSignedArtifactURLRequest = {
+    workflowRunBackendId: artifacts[0].workflowRunBackendId,
+    workflowJobRunBackendId: artifacts[0].workflowJobRunBackendId,
+    name: artifacts[0].name
+  }
+
+  const {signedUrl} = await artifactClient.GetSignedArtifactURL(signedReq)
+
+  core.info(
+    `Redirecting to blob download url: ${scrubQueryParameters(signedUrl)}`
+  )
+
+  try {
+    core.info(`Starting download of artifact to: ${downloadPath}`)
+    await streamExtract(signedUrl, downloadPath)
+    core.info(`Artifact download completed successfully.`)
+  } catch (error) {
+    throw new Error(`Unable to download and extract artifact: ${error.message}`)
+  }
+
+  return {success: true, downloadPath}
+}
+
+async function resolveOrCreateDirectory(
+  downloadPath = getGitHubWorkspaceDir()
+): Promise<string> {
+  if (!(await exists(downloadPath))) {
+    core.debug(
+      `Artifact destination folder does not exist, creating: ${downloadPath}`
+    )
+    await fs.mkdir(downloadPath, {recursive: true})
+  } else {
+    core.debug(`Artifact destination folder already exists: ${downloadPath}`)
+  }
+
+  return downloadPath
+}

packages/artifact/src/internal/find/get-artifact.ts

@@ -1,14 +1,17 @@
-import {GetArtifactResponse} from '../shared/interfaces'
 import {getOctokit} from '@actions/github'
-import {getUserAgentString} from '../shared/user-agent'
-import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
-import {getRetryOptions} from './retry-options'
-import {requestLog} from '@octokit/plugin-request-log'
 import {retry} from '@octokit/plugin-retry'
 import * as core from '@actions/core'
 import {OctokitOptions} from '@octokit/core/dist-types/types'
+import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
+import {getRetryOptions} from './retry-options'
+import {requestLog} from '@octokit/plugin-request-log'
+import {GetArtifactResponse} from '../shared/interfaces'
+import {getBackendIdsFromToken} from '../shared/util'
+import {getUserAgentString} from '../shared/user-agent'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {ListArtifactsRequest} from '../../generated'
 
-export async function getArtifact(
+export async function getArtifactPublic(
   artifactName: string,
   workflowRunId: number,
   repositoryOwner: string,
@@ -62,8 +65,55 @@ export async function getArtifact(
     artifact: {
       name: getArtifactResp.data.artifacts[0].name,
       id: getArtifactResp.data.artifacts[0].id,
-      url: getArtifactResp.data.artifacts[0].url,
       size: getArtifactResp.data.artifacts[0].size_in_bytes
     }
   }
 }
+
+export async function getArtifactInternal(
+  artifactName: string
+): Promise<GetArtifactResponse> {
+  const artifactClient = internalArtifactTwirpClient()
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const req: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId,
+    nameFilter: artifactName,
+    idFilter: '0' // TODO(robherley): int64 zero value, change this to be optional
+  }
+
+  const res = await artifactClient.ListArtifacts(req)
+
+  if (res.artifacts.length === 0) {
+    core.warning('no artifacts found')
+    return {
+      success: false
+    }
+  }
+
+  if (res.artifacts.length > 1) {
+    core.warning(
+      'more than one artifact found for a single name, returning first'
+    )
+  }
+
+  // In the case of reruns, we may have artifacts with the same name scoped under the same workflow run.
+  // Let's prefer the artifact closest scoped to this run.
+  // If it doesn't exist (e.g. partial rerun) we'll use the first match.
+  const artifact =
+    res.artifacts.find(
+      artifact => artifact.workflowRunBackendId === workflowRunBackendId
+    ) || res.artifacts[0]
+
+  return {
+    success: true,
+    artifact: {
+      name: artifact.name,
+      id: Number(artifact.databaseId),
+      size: Number(artifact.size)
+    }
+  }
+}

packages/artifact/src/internal/find/list-artifacts.ts

@@ -7,13 +7,16 @@ import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
 import {requestLog} from '@octokit/plugin-request-log'
 import {retry} from '@octokit/plugin-retry'
 import {OctokitOptions} from '@octokit/core/dist-types/types'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {getBackendIdsFromToken} from '../shared/util'
+import {ListArtifactsRequest} from 'src/generated'
 
 // Limiting to 1000 for perf reasons
 const maximumArtifactCount = 1000
 const paginationCount = 100
 const maxNumberOfPages = maximumArtifactCount / paginationCount
 
-export async function listArtifacts(
+export async function listArtifactsPublic(
   workflowRunId: number,
   repositoryOwner: string,
   repositoryName: string,
@@ -62,7 +65,6 @@ export async function listArtifacts(
     artifacts.push({
       name: artifact.name,
       id: artifact.id,
-      url: artifact.url,
       size: artifact.size_in_bytes
     })
   }
@@ -89,13 +91,39 @@ export async function listArtifacts(
       artifacts.push({
         name: artifact.name,
         id: artifact.id,
-        url: artifact.url,
         size: artifact.size_in_bytes
       })
     }
   }
 
-  info(`Finished fetching artifact list`)
+  info(`Found ${artifacts.length} artifact(s)`)
+
+  return {
+    artifacts
+  }
+}
+
+export async function listArtifactsInternal(): Promise<ListArtifactsResponse> {
+  const artifactClient = internalArtifactTwirpClient()
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const req: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId,
+    nameFilter: '',
+    idFilter: '0' // TODO(robherley): zero values are awkward, use pb wrappers
+  }
+
+  const res = await artifactClient.ListArtifacts(req)
+  const artifacts = res.artifacts.map(artifact => ({
+    name: artifact.name,
+    id: Number(artifact.databaseId),
+    size: Number(artifact.size)
+  }))
+
+  info(`Found ${artifacts.length} artifact(s)`)
 
   return {
     artifacts

packages/artifact/src/internal/shared/artifact-twirp-client.ts

@@ -3,6 +3,7 @@ import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
 import {info, debug} from '@actions/core'
 import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
+import {getUserAgentString} from './user-agent'
 
 // The twirp http client must implement this interface
 interface Rpc {
@@ -157,17 +158,16 @@ class ArtifactHttpClient implements Rpc {
   }
 }
 
-export function createArtifactTwirpClient(
-  type: 'upload' | 'download',
-  maxAttempts?: number,
-  baseRetryIntervalMilliseconds?: number,
+export function internalArtifactTwirpClient(options?: {
+  maxAttempts?: number
+  baseRetryIntervalMilliseconds?: number
   retryMultiplier?: number
-): ArtifactServiceClientJSON {
+}): ArtifactServiceClientJSON {
   const client = new ArtifactHttpClient(
-    `@actions/artifact-${type}`,
-    maxAttempts,
-    baseRetryIntervalMilliseconds,
-    retryMultiplier
+    getUserAgentString(),
+    options?.maxAttempts,
+    options?.baseRetryIntervalMilliseconds,
+    options?.retryMultiplier
   )
   return new ArtifactServiceClientJSON(client)
 }

packages/artifact/src/internal/shared/interfaces.ts

@@ -120,13 +120,21 @@ export interface Artifact {
    */
   id: number
 
-  /**
-   * The URL of the artifact
-   */
-  url: string
-
   /**
    * The size of the artifact in bytes
    */
   size: number
 }
+
+// LookupOptions are for fetching Artifact(s) out of the scope of the current run.
+// Must specify a PAT with actions:read scope for cross run/repo lookup otherwise these will be ignored.
+export interface LookupOptions {
+  // Token with actions:read permissions
+  token: string
+  // WorkflowRun of the artifact(s) to lookup
+  workflowRunId: number
+  // Repository owner
+  repositoryOwner: string
+  // Repository name
+  repositoryName: string
+}

packages/artifact/src/internal/shared/util.ts

@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {getRuntimeToken} from './config'
 import jwt_decode from 'jwt-decode'
 
@@ -11,7 +12,7 @@ interface ActionsToken {
 }
 
 const InvalidJwtError = new Error(
-  'Failed to get backend IDs: The provided JWT token is invalid'
+  'Failed to get backend IDs: The provided JWT token is invalid and/or missing claims'
 )
 
 // uses the JWT token claims to get the
@@ -41,24 +42,29 @@ export function getBackendIdsFromToken(): BackendIds {
 
   for (const scopes of scpParts) {
     const scopeParts = scopes.split(':')
+    if (scopeParts?.[0] !== 'Actions.Results') {
+      // not the Actions.Results scope
+      continue
+    }
+
     /*
      * example scopeParts:
      * ["Actions.Results", "ce7f54c7-61c7-4aae-887f-30da475f5f1a", "ca395085-040a-526b-2ce8-bdc85f692774"]
      */
     if (scopeParts.length !== 3) {
-      // not the Actions.Results scope
-      continue
+      // missing expected number of claims
+      throw InvalidJwtError
     }
 
-    if (scopeParts[0] !== 'Actions.Results') {
-      // not the Actions.Results scope
-      continue
-    }
-
-    return {
+    const ids = {
       workflowRunBackendId: scopeParts[1],
       workflowJobRunBackendId: scopeParts[2]
     }
+
+    core.debug(`Workflow Run Backend ID: ${ids.workflowRunBackendId}`)
+    core.debug(`Workflow Job Run Backend ID: ${ids.workflowJobRunBackendId}`)
+
+    return ids
   }
 
   throw InvalidJwtError

packages/artifact/src/internal/upload/upload-artifact.ts

@@ -2,7 +2,7 @@ import * as core from '@actions/core'
 import {UploadOptions, UploadResponse} from '../shared/interfaces'
 import {getExpiration} from './retention'
 import {validateArtifactName} from './path-and-artifact-name-validation'
-import {createArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
 import {
   UploadZipSpecification,
   getUploadZipSpecification,
@@ -44,21 +44,9 @@ export async function uploadArtifact(
 
   // get the IDs needed for the artifact creation
   const backendIds = getBackendIdsFromToken()
-  if (!backendIds.workflowRunBackendId || !backendIds.workflowJobRunBackendId) {
-    core.warning(
-      `Failed to get the necessary backend ids which are required to create the artifact`
-    )
-    return {
-      success: false
-    }
-  }
-  core.debug(`Workflow Run Backend ID: ${backendIds.workflowRunBackendId}`)
-  core.debug(
-    `Workflow Job Run Backend ID: ${backendIds.workflowJobRunBackendId}`
-  )
 
   // create the artifact client
-  const artifactClient = createArtifactTwirpClient('upload')
+  const artifactClient = internalArtifactTwirpClient()
 
   // create the artifact
   const createArtifactReq: CreateArtifactRequest = {