rewrite artifacts client to have public and internal implementations

packages/artifact/src/internal/shared/artifact-twirp-client.ts

@@ -3,6 +3,7 @@ import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
 import {info, debug} from '@actions/core'
 import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
+import {getUserAgentString} from './user-agent'
 
 // The twirp http client must implement this interface
 interface Rpc {
@@ -157,17 +158,16 @@ class ArtifactHttpClient implements Rpc {
   }
 }
 
-export function createArtifactTwirpClient(
-  type: 'upload' | 'download',
-  maxAttempts?: number,
-  baseRetryIntervalMilliseconds?: number,
+export function internalArtifactTwirpClient(options?: {
+  maxAttempts?: number
+  baseRetryIntervalMilliseconds?: number
   retryMultiplier?: number
-): ArtifactServiceClientJSON {
+}): ArtifactServiceClientJSON {
   const client = new ArtifactHttpClient(
-    `@actions/artifact-${type}`,
-    maxAttempts,
-    baseRetryIntervalMilliseconds,
-    retryMultiplier
+    getUserAgentString(),
+    options?.maxAttempts,
+    options?.baseRetryIntervalMilliseconds,
+    options?.retryMultiplier
   )
   return new ArtifactServiceClientJSON(client)
 }

packages/artifact/src/internal/shared/interfaces.ts

@@ -120,13 +120,21 @@ export interface Artifact {
    */
   id: number
 
-  /**
-   * The URL of the artifact
-   */
-  url: string
-
   /**
    * The size of the artifact in bytes
    */
   size: number
 }
+
+// LookupOptions are for fetching Artifact(s) out of the scope of the current run.
+// Must specify a PAT with actions:read scope for cross run/repo lookup otherwise these will be ignored.
+export interface LookupOptions {
+  // Token with actions:read permissions
+  token: string
+  // WorkflowRun of the artifact(s) to lookup
+  workflowRunId: number
+  // Repository owner
+  repositoryOwner: string
+  // Repository name
+  repositoryName: string
+}

packages/artifact/src/internal/shared/util.ts

@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {getRuntimeToken} from './config'
 import jwt_decode from 'jwt-decode'
 
@@ -11,7 +12,7 @@ interface ActionsToken {
 }
 
 const InvalidJwtError = new Error(
-  'Failed to get backend IDs: The provided JWT token is invalid'
+  'Failed to get backend IDs: The provided JWT token is invalid and/or missing claims'
 )
 
 // uses the JWT token claims to get the
@@ -41,24 +42,29 @@ export function getBackendIdsFromToken(): BackendIds {
 
   for (const scopes of scpParts) {
     const scopeParts = scopes.split(':')
+    if (scopeParts?.[0] !== 'Actions.Results') {
+      // not the Actions.Results scope
+      continue
+    }
+
     /*
      * example scopeParts:
      * ["Actions.Results", "ce7f54c7-61c7-4aae-887f-30da475f5f1a", "ca395085-040a-526b-2ce8-bdc85f692774"]
      */
     if (scopeParts.length !== 3) {
-      // not the Actions.Results scope
-      continue
+      // missing expected number of claims
+      throw InvalidJwtError
     }
 
-    if (scopeParts[0] !== 'Actions.Results') {
-      // not the Actions.Results scope
-      continue
-    }
-
-    return {
+    const ids = {
       workflowRunBackendId: scopeParts[1],
       workflowJobRunBackendId: scopeParts[2]
     }
+
+    core.debug(`Workflow Run Backend ID: ${ids.workflowRunBackendId}`)
+    core.debug(`Workflow Job Run Backend ID: ${ids.workflowJobRunBackendId}`)
+
+    return ids
   }
 
   throw InvalidJwtError