Merge pull request #2176 from actions/prepare-exec-2.0.0-release

Prepare @actions/exec 2.0.0 release
update package json
2025-11-18 14:13:24 +00:00 · 2025-11-04 13:53:28 +00:00 · 2025-11-04 13:50:24 +00:00 · 2025-10-31 15:55:29 +00:00 · 2025-10-31 15:27:38 +00:00 · 2025-10-31 15:27:26 +00:00
183 changed files with 26380 additions and 8273 deletions
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -43,7 +43,7 @@ Note that before a PR will be accepted, you must ensure:
 1. In a new branch, create a new Lerna package:

 ```console
-$ npm run create-package new-package
+$ npm run new-package [name]
 ```

 This will ask you some questions about the new package. Start with `0.0.0` as the first version (look generally at some of the other packages for how the package.json is structured).
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,27 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/packages/artifact"
+    schedule:
+      interval: "daily"
+    groups:
+      # Group minor and patch updates together but keep major separate
+      artifact-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "npm"
+    directory: "/packages/cache"
+    schedule:
+      interval: "daily"
+    groups:
+      # Group minor and patch updates together but keep major separate
+      cache-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
--- a/.github/workflows/artifact-tests.yml
+++ b/.github/workflows/artifact-tests.yml
@ -1,5 +1,3 @@
-# Temporarily disabled while v2.0.0 of @actions/artifact is under development
-
 name: artifact-unit-tests
 on:
  push:
@ -12,8 +10,8 @@ on:
      - '**.md'

 jobs:
-  build:
-    name: Build
+  upload:
+    name: Upload

    strategy:
      matrix:
@ -24,12 +22,12 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5

-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v3
+    - name: Set Node.js 24.x
+      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: 24.x

    # Need root node_modules because certain npm packages like jest are configured for the entire repository and it won't be possible
    # without these to just compile the artifacts package
@ -42,53 +40,49 @@ jobs:
        npm run tsc
      working-directory: packages/artifact

-    - name: Set artifact file contents
-      shell: bash
-      run: |
-        echo "file1=hello from file 1" >> $GITHUB_ENV
-        echo "file2=hello from file 2" >> $GITHUB_ENV
-
    - name: Create files that will be uploaded
      run: |
        mkdir artifact-path
-        echo '${{ env.file1 }}' > artifact-path/first.txt
-        echo '${{ env.file2 }}' > artifact-path/second.txt
+        echo -n 'hello from file 1' > artifact-path/first.txt
+        echo -n 'hello from file 2' > artifact-path/second.txt

-    - name: Upload Artifacts using actions/github-script@v6
-      uses: actions/github-script@v6
+    - name: Upload Artifacts
+      uses: actions/github-script@v8
      with:
        script: |
-          const artifact = require('./packages/artifact/lib/artifact')
+          const {default: artifact} = require('./packages/artifact/lib/artifact')

          const artifactName = 'my-artifact-${{ matrix.runs-on }}'
          console.log('artifactName: ' + artifactName)

          const fileContents = ['artifact-path/first.txt','artifact-path/second.txt']

-          const uploadResult = await artifact.create().uploadArtifact(artifactName, fileContents, './')
+          const uploadResult = await artifact.uploadArtifact(artifactName, fileContents, './')
          console.log(uploadResult)

-          const success = uploadResult.success
          const size = uploadResult.size
          const id = uploadResult.id

-          if (!success) {
-            throw new Error('Failed to upload artifact')
-          } else {
-            console.log(`Successfully uploaded artifact ${id}`)
+          console.log(`Successfully uploaded artifact ${id}`)
+
+          try {
+            await artifact.uploadArtifact(artifactName, fileContents, './')
+            throw new Error('should have failed second upload')
+          } catch (err) {
+            console.log('Successfully blocked second artifact upload')
          }
-           
  verify:
+    name: Verify and Delete
    runs-on: ubuntu-latest
-    needs: [build]
+    needs: [upload]
    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5

-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v3
+    - name: Set Node.js 24.x
+      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: 24.x

    # Need root node_modules because certain npm packages like jest are configured for the entire repository and it won't be possible
    # without these to just compile the artifacts package
@ -101,35 +95,100 @@ jobs:
        npm run tsc
      working-directory: packages/artifact

-    - name: List artifacts using actions/github-script@v6
-      uses: actions/github-script@v6
+    - name: List and Download Artifacts
+      uses: actions/github-script@v8
      with:
        script: |
-          const artifact = require('./packages/artifact/lib/artifact')
+          const {default: artifactClient} = require('./packages/artifact/lib/artifact')

-          const workflowRunId = process.env.GITHUB_RUN_ID
-          const repository = process.env.GITHUB_REPOSITORY
-          const repositoryOwner = repository.split('/')[0]
-          const repositoryName = repository.split('/')[1]
+          const {readFile} = require('fs/promises')
+          const path = require('path')

-          const listResult = await artifact.create().listArtifacts(workflowRunId, repositoryOwner, repositoryName, '${{ secrets.GITHUB_TOKEN }}')
+          const findBy = {
+            repositoryOwner: process.env.GITHUB_REPOSITORY.split('/')[0],
+            repositoryName: process.env.GITHUB_REPOSITORY.split('/')[1],
+            token: '${{ secrets.GITHUB_TOKEN }}',
+            workflowRunId: process.env.GITHUB_RUN_ID
+          }
+
+          const listResult = await artifactClient.listArtifacts({latest: true, findBy})
          console.log(listResult)

          const artifacts = listResult.artifacts
+          const expected = [
+            'my-artifact-ubuntu-latest',
+            'my-artifact-windows-latest',
+            'my-artifact-macos-latest'
+          ]

-          if (artifacts.length !== 3) {
-            throw new Error('Expected 3 artifacts but only found ' + artifacts.length + ' artifacts')
-          }
+          const foundArtifacts = artifacts.filter(artifact =>
+            expected.includes(artifact.name)
+          )

-          const artifactNames = artifacts.map(artifact => artifact.name)
-          if (!artifactNames.includes('my-artifact-ubuntu-latest')){
-            throw new Error("Expected artifact list to contain an artifact named my-artifact-ubuntu-latest but it's missing")
-          }
-          if (!artifactNames.includes('my-artifact-windows-latest')){
-            throw new Error("Expected artifact list to contain an artifact named my-artifact-windows-latest but it's missing")
-          }
-          if (!artifactNames.includes('my-artifact-macos-latest')){
-            throw new Error("Expected artifact list to contain an artifact named my-artifact-macos-latest but it's missing")
+          if (foundArtifacts.length !== 3) {
+            console.log('Unexpected length of found artifacts', foundArtifacts)
+            throw new Error(
+              `Expected 3 artifacts but found ${foundArtifacts.length} artifacts.`
+            )
          }

          console.log('Successfully listed artifacts that were uploaded')
+
+          const files = [
+            {name: 'artifact-path/first.txt', content: 'hello from file 1'},
+            {name: 'artifact-path/second.txt', content: 'hello from file 2'}
+          ]
+
+          for (const artifact of foundArtifacts) {
+            const {downloadPath} = await artifactClient.downloadArtifact(artifact.id, {
+              path: artifact.name,
+              findBy
+            })
+
+            console.log('Downloaded artifact to:', downloadPath)
+
+            for (const file of files) {
+              const filepath = path.join(
+                process.env.GITHUB_WORKSPACE,
+                downloadPath,
+                file.name
+              )
+
+              console.log('Checking file:', filepath)
+
+              const content = await readFile(filepath, 'utf8')
+              if (content.trim() !== file.content.trim()) {
+                throw new Error(
+                  `Expected file '${file.name}' to contain '${file.content}' but found '${content}'`
+                )
+              }
+            }
+          }
+    - name: Delete Artifacts
+      uses: actions/github-script@v8
+      with:
+        script: |
+          const {default: artifactClient} = require('./packages/artifact/lib/artifact')
+
+          const artifactsToDelete = [
+            'my-artifact-ubuntu-latest',
+            'my-artifact-windows-latest',
+            'my-artifact-macos-latest'
+          ]
+
+          for (const artifactName of artifactsToDelete) {
+            const {id} = await artifactClient.deleteArtifact(artifactName)
+          }
+
+          const {artifacts} = await artifactClient.listArtifacts({latest: true})
+          const foundArtifacts = artifacts.filter(artifact =>
+            artifactsToDelete.includes(artifact.name)
+          )
+
+          if (foundArtifacts.length !== 0) {
+            console.log('Unexpected length of found artifacts:', foundArtifacts)
+            throw new Error(
+              `Expected 0 artifacts but found ${foundArtifacts.length} artifacts.`
+            )
+          }
+
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@ -18,12 +18,12 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5

-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v3
+    - name: Set Node.js 24.x
+      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: 24.x

    - name: npm install
      run: npm install
@ -32,7 +32,7 @@ jobs:
      run: npm run bootstrap

    - name: audit tools (without allow-list)
-      run: npm audit --audit-level=moderate
+      run: npm audit --audit-level=moderate --omit dev

    - name: audit packages
      run: npm run audit-all
--- a/.github/workflows/cache-tests.yml
+++ b/.github/workflows/cache-tests.yml
@ -22,12 +22,12 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5

-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v3
+    - name: Set Node.js 24.x
+      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: 24.x

    # In order to save & restore cache from a shell script, certain env variables need to be set that are only available in the
    # node context. This runs a local action that gets and sets the necessary env variables that are needed
@ -39,9 +39,11 @@ jobs:
    - name: Install root npm packages
      run: npm ci

+    # We need to install only runtime dependencies (omit dev dependencies) to verify that what we're shipping is all
+    # that is needed
    - name: Compile cache package
      run: |
-        npm ci
+        npm ci --omit=dev
        npm run tsc
      working-directory: packages/cache
    
--- a/.github/workflows/cache-windows-test.yml
+++ b/.github/workflows/cache-windows-test.yml
@ -17,16 +17,16 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v5

    - shell: bash
      run: |
        rm "C:\Program Files\Git\usr\bin\tar.exe"

-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v1
+    - name: Set Node.js 24.x
+      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: 24.x

    # In order to save & restore cache from a shell script, certain env variables need to be set that are only available in the
    # node context. This runs a local action that gets and sets the necessary env variables that are needed
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -20,18 +20,18 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
      with:
         languages: javascript
        
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@ -1,27 +1,42 @@
 name: Publish NPM

+run-name: Publish NPM - ${{ github.event.inputs.package }}
+
 on:
  workflow_dispatch:
    inputs:
      package:
+        type: choice
        required: true
-        description: 'core, artifact, cache, exec, github, glob, http-client, io, tool-cache'
+        description: 'Which package to release'
+        options:
+          - artifact
+          - attest
+          - cache
+          - core
+          - exec
+          - github
+          - glob
+          - http-client
+          - io
+          - tool-cache
+          

 jobs:
  test:
-    runs-on: macos-latest
+    runs-on: macos-latest-large

    steps:
      - name: setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5

      - name: verify package exists
        run: ls packages/${{ github.event.inputs.package }}

-      - name: Set Node.js 20.x
-        uses: actions/setup-node@v3
+      - name: Set Node.js 24.x
+        uses: actions/setup-node@v5
        with:
-          node-version: 20.x
+          node-version: 24.x

      - name: npm install
        run: npm install
@ -40,19 +55,22 @@ jobs:
        working-directory: packages/${{ github.event.inputs.package }}

      - name: upload artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ github.event.inputs.package }}
          path: packages/${{ github.event.inputs.package }}/*.tgz

  publish:
-    runs-on: macos-latest
+    runs-on: macos-latest-large
    needs: test
    environment: npm-publish
+    permissions:
+      contents: read
+      id-token: write
    steps:

      - name: download artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: ${{ github.event.inputs.package }}

@ -62,7 +80,7 @@ jobs:
          NPM_TOKEN: ${{ secrets.TOKEN }}

      - name: publish
-        run: npm publish *.tgz
+        run: npm publish --provenance *.tgz

      - name: notify slack on failure
        if: failure()
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@ -16,19 +16,23 @@ jobs:

    strategy:
      matrix:
-        runs-on: [ubuntu-latest, macos-latest, windows-latest]
+        runs-on: [ubuntu-latest, macos-latest-large, windows-latest]
+
+        # Node 20 is the currently supported stable Node version for actions - https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runsusing-for-javascript-actions
+        # Node 24 is the new version being added with support in actions runners
+        node-version: [20.x, 24.x]
      fail-fast: false

    runs-on: ${{ matrix.runs-on }}

    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5

-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v3
+    - name: Set up Node ${{ matrix.node-version }}
+      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: ${{ matrix.node-version }}

    - name: npm install
      run: npm install
--- a/.github/workflows/update-github.yaml
+++ b/.github/workflows/update-github.yaml
@ -9,7 +9,7 @@ jobs:
    if: ${{ github.repository_owner == 'actions' }}
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5
    - name: Update Octokit
      working-directory: packages/github 
      run: |
--- a/1
+++ b/1
@ -2,3 +2,4 @@

 /packages/artifact/   @actions/artifacts-actions
 /packages/cache/      @actions/actions-cache
+/packages/attest/      @actions/package-security
--- a/README.md
+++ b/README.md
@ -24,7 +24,7 @@ The GitHub Actions ToolKit provides a set of packages to make creating actions e
 Provides functions for inputs, outputs, results, logging, secrets and variables. Read more [here](packages/core)

 ```bash
-$ npm install @actions/core
+npm install @actions/core
 ```
 <br/>

@ -33,7 +33,7 @@ $ npm install @actions/core
 Provides functions to exec cli tools and process output. Read more [here](packages/exec)

 ```bash
-$ npm install @actions/exec
+npm install @actions/exec
 ```
 <br/>

@ -42,7 +42,7 @@ $ npm install @actions/exec
 Provides functions to search for files matching glob patterns. Read more [here](packages/glob)

 ```bash
-$ npm install @actions/glob
+npm install @actions/glob
 ```
 <br/>

@ -51,7 +51,7 @@ $ npm install @actions/glob
 A lightweight HTTP client optimized for building actions. Read more [here](packages/http-client)

 ```bash
-$ npm install @actions/http-client
+npm install @actions/http-client
 ```
 <br/>

@ -60,7 +60,7 @@ $ npm install @actions/http-client
 Provides disk i/o functions like cp, mv, rmRF, which etc. Read more [here](packages/io)

 ```bash
-$ npm install @actions/io
+npm install @actions/io
 ```
 <br/>

@ -71,7 +71,7 @@ Provides functions for downloading and caching tools.  e.g. setup-* actions. Rea
 See @actions/cache for caching workflow dependencies.

 ```bash
-$ npm install @actions/tool-cache
+npm install @actions/tool-cache
 ```
 <br/>

@ -80,7 +80,7 @@ $ npm install @actions/tool-cache
 Provides an Octokit client hydrated with the context that the current action is being run in. Read more [here](packages/github)

 ```bash
-$ npm install @actions/github
+npm install @actions/github
 ```
 <br/>

@ -89,7 +89,7 @@ $ npm install @actions/github
 Provides functions to interact with actions artifacts. Read more [here](packages/artifact)

 ```bash
-$ npm install @actions/artifact
+npm install @actions/artifact
 ```
 <br/>

@ -98,7 +98,16 @@ $ npm install @actions/artifact
 Provides functions to cache dependencies and build outputs to improve workflow execution time. Read more [here](packages/cache)

 ```bash
-$ npm install @actions/cache
+npm install @actions/cache
+```
+<br/>
+
+:lock_with_ink_pen: [@actions/attest](packages/attest)
+
+Provides functions to write attestations for workflow artifacts. Read more [here](packages/attest)
+
+```bash
+npm install @actions/attest
 ```
 <br/>

@ -218,9 +227,23 @@ console.log(`We can even get context data, like the repo: ${context.repo.repo}`)
 ```
 <br/>

-## Contributing
+## Note

-We welcome contributions.  See [how to contribute](.github/CONTRIBUTING.md).
+Thank you for your interest in this GitHub repo, however, right now we are not taking contributions. 
+
+We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in.
+
+We are taking the following steps to better direct requests related to GitHub Actions, including:
+
+1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions)
+
+2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report.
+
+3. Security Issues should be handled as per our [security.md](SECURITY.md).
+
+We will still provide security updates for this project and fix major breaking changes during this time.
+
+You are welcome to still raise bugs in this repo.

 ## Code of Conduct

--- a/docs/action-types.md
+++ b/docs/action-types.md
@ -32,7 +32,7 @@ jobs:
        os: [ubuntu-16.04, windows-2019]
    runs-on: ${{matrix.os}}
    actions:
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@v5
      with:
        version: ${{matrix.node}}
    - run: | 
--- a/docs/container-action.md
+++ b/docs/container-action.md
@ -18,7 +18,7 @@ e.g. To use https://github.com/actions/setup-node, users will author:

 ```yaml
 steps:
-    using: actions/setup-node@v3
+    using: actions/setup-node@v5
 ```

 # Define Metadata
--- a/jest.config.js
+++ b/jest.config.js
@ -8,4 +8,4 @@ module.exports = {
    '^.+\\.ts$': 'ts-jest'
  },
  verbose: true
-}
+}
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "root",
-  "private": true,
+  "private": true, 
  "scripts": {
    "audit-all": "lerna run audit-moderate",
    "bootstrap": "lerna exec -- npm install",
@ -13,11 +13,11 @@
    "lint": "eslint packages/**/*.ts",
    "lint-fix": "eslint packages/**/*.ts --fix",
    "new-package": "scripts/create-package",
-    "test": "jest --testTimeout 10000"
+    "test": "jest --testTimeout 70000"
  },
  "devDependencies": {
-    "@types/jest": "^27.0.2",
-    "@types/node": "^16.18.1",
+    "@types/jest": "^29.5.4",
+    "@types/node": "^24.1.0",
    "@types/signale": "^1.4.1",
    "concurrently": "^6.1.0",
    "eslint": "^8.0.1",
@ -26,11 +26,25 @@
    "eslint-plugin-jest": "^27.2.3",
    "eslint-plugin-prettier": "^5.0.0",
    "flow-bin": "^0.115.0",
-    "jest": "^27.2.5",
-    "lerna": "^7.1.4",
+    "jest": "^29.6.4",
+    "lerna": "^6.4.1",
    "nx": "16.6.0",
    "prettier": "^3.0.0",
-    "ts-jest": "^27.0.5",
-    "typescript": "^3.9.9"
+    "ts-jest": "^29.1.1",
+    "typescript": "^5.2.2"
+  },
+  "overrides": {
+    "semver": "^7.6.0",
+    "tar": "^6.2.1",
+    "@octokit/plugin-paginate-rest": "^9.2.2",
+    "@octokit/request": "^8.4.1",
+    "@octokit/request-error": "^5.1.1",
+    "@octokit/core": "^5.0.3",
+    "tmp": "^0.2.4",
+    "@types/node": "^24.1.0",
+    "brace-expansion": "^2.0.2",
+    "form-data": "^4.0.4",
+    "uri-js": "npm:uri-js-replace@^1.0.1",
+    "node-fetch": "^3.3.2"
  }
 }
--- a/packages/artifact/CONTRIBUTIONS.md
+++ b/packages/artifact/CONTRIBUTIONS.md
@ -1,30 +1,44 @@
 # Contributions

-This package is used internally by the v2+ versions of [upload-artifact](https://github.com/actions/upload-artifact) and [download-artifact](https://github.com/actions/download-artifact). This package can also be used by other actions to interact with artifacts. Any changes or updates to this package will propagate updates to these actions so it is important that major changes or updates get properly tested. 
+This package is used internally by the v4 versions of [upload-artifact](https://github.com/actions/upload-artifact) and [download-artifact](https://github.com/actions/download-artifact). This package can also be used by other actions to interact with artifacts. Any changes or updates to this package will propagate updates to these actions so it is important that major changes or updates get properly tested.

 Any issues or feature requests that are related to the artifact actions should be filled in the appropriate repo.

 A limited range of unit tests run as part of each PR when making changes to the artifact packages. For small contributions and fixes, they should be sufficient.

-If making large changes, there are a few scenarios that should be tested.
+If making large changes, there are a few scenarios that should be tested:

- Uploading very large artifacts (large artifacts get compressed using gzip so compression/decompression must be tested)
- Uploading artifacts with lots of small files (each file is uploaded with its own HTTP call, timeouts and non-success HTTP responses can be expected so they must be properly handled)
+- Uploading very large artifacts
+- Uploading artifacts with lots of small files
 - Uploading artifacts using a self-hosted runner (uploads and downloads behave differently due to extra latency)
 - Downloading a single artifact (large and small, if lots of small files are part of an artifact, timeouts and non-success HTTP responses can be expected)
 - Downloading all artifacts at once

 Large architectural changes can impact upload/download performance so it is important to separately run extra tests. We request that any large contributions/changes have extra detailed testing so we can verify performance and possible regressions.

-It is not possible to run end-to-end tests for artifacts as part of a PR in this repo because certain env variables such as `ACTIONS_RUNTIME_URL` are only available from the context of an action as opposed to a shell script. These env variables are needed in order to make the necessary API calls.
+Tests will run for every push/pull_request [via Actions](https://github.com/actions/toolkit/blob/main/.github/workflows/artifact-tests.yml).

 # Testing

-Any easy way to test changes is to fork the artifact actions and to use `npm link` to test your changes.
+## Package tests

-1. Fork the [upload-artifact](https://github.com/actions/upload-artifact) and [download-artifact](https://github.com/actions/download-artifact) repos
-2. Clone the forks locally
-3. With your local changes to the toolkit repo, type `npm link` after ensuring there are no errors when running `tsc`
-4. In the locally cloned fork, type `npm link @actions/artifact`
-4. Create a new release for your local fork using `tsc` and `npm run release` (this will create a new `dist/index.js` file using `@vercel/ncc`)
-5. Commit and push your local changes, you will then be able to test your changes with your forked action
+To run unit tests for the `@actions/artifact` package:
+
+1. Clone `actions/toolkit` locally
+2. Install dependencies: `npm bootstrap`
+3. Change working directory to `packages/artifact`
+4. Run jest tests: `npm run test`
+
+## Within upload-artifact or download-artifact actions
+
+Any easy way to test changes for the official upload/download actions is to fork them, compile changes and run them.
+
+1. For your local `actions/toolkit` changes:
+   1. Change directory to `packages/artifact`
+   2. Compile the changes: `npm run tsc`
+   3. Symlink your package change: `npm link`
+2. Fork and clone either [upload-artifact](https://github.com/actions/upload-artifact) and [download-artifact](https://github.com/actions/download-artifact)
+   1. In the locally cloned fork, link to your local toolkit changes: `npm link @actions/artifact`
+   2. Then, compile your changes with: `npm run release`. The local `dist/index.js` should be updated with your changes.
+   3. Commit and push to your fork, you can then test with a `uses:` in your workflow pointed at your fork.
+   4. The format for the above is `<username>/<repository-name>/@<ref>`, i.e. `me/myrepo/@HEAD`
--- a/packages/artifact/README.md
+++ b/packages/artifact/README.md
@ -1,13 +1,192 @@
 # `@actions/artifact`

-## Usage
+Interact programmatically with [Actions Artifacts](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts).

-You can use this package to interact with the Actions artifacts.
+This is the core library that powers the [`@actions/upload-artifact`](https://github.com/actions/upload-artifact) and [`@actions/download-artifact`](https://github.com/actions/download-artifact) actions.

-This most recently published version of this package (`1.1.1`) can be found [here](https://github.com/actions/toolkit/tree/@actions/artifact@1.1.1/packages/artifact)

-## 🚧 Under construction 🚧
+- [`@actions/artifact`](#actionsartifact)
+  - [v2 - What's New](#v2---whats-new)
+    - [Improvements](#improvements)
+    - [Breaking changes](#breaking-changes)
+  - [Quick Start](#quick-start)
+  - [Examples](#examples)
+    - [Upload and Download](#upload-and-download)
+    - [Delete an Artifact](#delete-an-artifact)
+    - [Downloading from other workflow runs or repos](#downloading-from-other-workflow-runs-or-repos)
+    - [Speeding up large uploads](#speeding-up-large-uploads)
+  - [Additional Resources](#additional-resources)

-This package is currently undergoing a major overhaul in preparation for `v4` versions of `upload-artifact` and `download-artifact` (these Actions will use a new `2.0.0` version of `@actions/artifact` that will soon be released). The upcoming version of `@actions/artifact` will take advantage of a major re-architecture with entirely new APIs.
+## v2 - What's New

-The upcoming `2.0.0` package and `v4` artifact Actions aim to solve some of the major pain-points that have made artifact usage difficult up until now.
+> [!IMPORTANT]
+> @actions/artifact v2+, upload-artifact@v4+, and download-artifact@v4+ are not currently supported on GHES yet. The previous version of this package can be found at [this tag](https://github.com/actions/toolkit/tree/@actions/artifact@1.1.2/packages/artifact) and [on npm](https://www.npmjs.com/package/@actions/artifact/v/1.1.2).
+
+The release of `@actions/artifact@v2` (including `upload-artifact@v4` and `download-artifact@v4`) are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.
+
+### Improvements
+
+1. All upload and download operations are much quicker, up to 80% faster download times and 96% faster upload times in worst case scenarios.
+2. Once uploaded, an Artifact ID is returned and Artifacts are immediately available in the UI and [REST API](https://docs.github.com/en/rest/actions/artifacts). Previously, you would have to wait for the run to be completed before an ID was available or any APIs could be utilized.
+3. Artifacts can now be downloaded and deleted from the UI _before_ the entire workflow run finishes.
+4. The contents of an Artifact are uploaded together into an _immutable_ archive. They cannot be altered by subsequent jobs. Both of these factors help reduce the possibility of accidentally corrupting Artifact files. (Digest/integrity hash coming soon in the API!)
+5. This library (and `actions/download-artifact`) now support downloading Artifacts from _other_ repositories and runs if a `GITHUB_TOKEN` with sufficient `actions:read` permissions are provided.
+
+### Breaking changes
+
+1. Firewall rules required for self-hosted runners.
+
+    If you are using self-hosted runners behind a firewall, you must have flows open to [Actions endpoints](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github). If you cannot use wildcard rules for your firewall, see the GitHub [meta endpoint](https://api.github.com/meta) for specific endpoints.
+
+    e.g.
+
+    ```bash
+    curl https://api.github.com/meta | jq .domains.actions
+    ```
+
+2. Uploading to the same named Artifact multiple times.
+
+    Due to how Artifacts are created in this new version, it is no longer possible to upload to the same named Artifact multiple times. You must either split the uploads into multiple Artifacts with different names, or only upload once.
+
+3. Limit of Artifacts for an individual job.
+
+    Each job in a workflow run now has a limit of 10 artifacts.
+
+## Quick Start
+
+Install the package:
+
+```bash
+npm i @actions/artifact
+```
+
+Import the module:
+
+```js
+// ES6 module
+import {DefaultArtifactClient} from '@actions/artifact'
+
+// CommonJS
+const {DefaultArtifactClient} = require('@actions/artifact')
+```
+
+Then instantiate:
+
+```js
+const artifact = new DefaultArtifactClient()
+```
+
+ℹ️ For a comprehensive list of classes, interfaces, functions and more, see the [generated documentation](./docs/generated/README.md).
+
+## Examples
+
+### Upload and Download
+
+The most basic scenario is uploading one or more files to an Artifact, then downloading that Artifact. Downloads are based on the Artifact ID, which can be obtained in the response of `uploadArtifact`, `getArtifact`, `listArtifacts` or via the [REST API](https://docs.github.com/en/rest/actions/artifacts).
+
+```js
+const {id, size} = await artifact.uploadArtifact(
+  // name of the artifact
+  'my-artifact',
+  // files to include (supports absolute and relative paths)
+  ['/absolute/path/file1.txt', './relative/file2.txt'],
+  {
+    // optional: how long to retain the artifact
+    // if unspecified, defaults to repository/org retention settings (the limit of this value)
+    retentionDays: 10
+  }
+)
+
+console.log(`Created artifact with id: ${id} (bytes: ${size}`)
+
+const {downloadPath} = await artifact.downloadArtifact(id, {
+  // optional: download destination path. otherwise defaults to $GITHUB_WORKSPACE
+  path: '/tmp/dst/path',
+})
+
+console.log(`Downloaded artifact ${id} to: ${downloadPath}`)
+```
+
+### Delete an Artifact
+
+To delete an artifact, all you need is the name.
+
+```js
+const {id} = await artifact.deleteArtifact(
+  // name of the artifact
+  'my-artifact'
+)
+
+console.log(`Deleted Artifact ID '${id}'`)
+```
+
+It also supports options to delete from other repos/runs given a github token with `actions:write` permissions on the target repository is supplied.
+
+```js
+const findBy = {
+  // must have actions:write permission on target repository
+  token: process.env['GITHUB_TOKEN'],
+  workflowRunId: 123,
+  repositoryOwner: 'actions',
+  repositoryName: 'toolkit'
+}
+
+
+const {id} = await artifact.deleteArtifact(
+  // name of the artifact
+  'my-artifact',
+  // options to find by other repo/owner
+  { findBy }
+)
+
+console.log(`Deleted Artifact ID '${id}' from ${findBy.repositoryOwner}/ ${findBy.repositoryName}`)
+```
+
+### Downloading from other workflow runs or repos
+
+It may be useful to download Artifacts from other workflow runs, or even other repositories. By default, the permissions are scoped so they can only download Artifacts within the current workflow run. To elevate permissions for this scenario, you must specify `options.findBy` to `downloadArtifact`.
+
+```ts
+const findBy = {
+  // must have actions:read permission on target repository
+  token: process.env['GITHUB_TOKEN'],
+  workflowRunId: 123,
+  repositoryOwner: 'actions',
+  repositoryName: 'toolkit'
+}
+
+await artifact.downloadArtifact(1337, {
+  findBy
+})
+
+// can also be used in other methods
+
+await artifact.getArtifact('my-artifact', {
+  findBy
+})
+
+await artifact.listArtifacts({
+  findBy
+})
+```
+
+### Speeding up large uploads
+
+If you have large files that need to be uploaded (or file types that don't compress well), you may benefit from changing the compression level of the Artifact archive. NOTE: This is a tradeoff between artifact upload time and stored data size.
+
+```ts
+await artifact.uploadArtifact('my-massive-artifact', ['big_file.bin'], {
+  // The level of compression for Zlib to be applied to the artifact archive.
+  // - 0: No compression
+  // - 1: Best speed
+  // - 6: Default compression (same as GNU Gzip)
+  // - 9: Best compression
+  compressionLevel: 0
+})
+```
+
+## Additional Resources
+
+- [Releases](./RELEASES.md)
+- [Contribution Guide](./CONTRIBUTIONS.md)
+- [Frequently Asked Questions](./docs/faq.md)
--- a/packages/artifact/RELEASES.md
+++ b/packages/artifact/RELEASES.md
@ -1,15 +1,178 @@
 # @actions/artifact Releases

-### 0.1.0
+### 4.0.0

- Initial release
+- Add support for Node 24 [#2110](https://github.com/actions/toolkit/pull/2110)
+- Fix: artifact pagination bugs and configurable artifact count limits [#2165](https://github.com/actions/toolkit/pull/2165)
+- Fix: reject the promise on timeout [#2124](https://github.com/actions/toolkit/pull/2124)
+- Update dependency versions

-### 0.2.0
+### 2.3.3

- Fixes to TCP connections not closing
- GZip file compression to speed up downloads
- Improved logging and output
- Extra documentation
+- Dependency updates [#2049](https://github.com/actions/toolkit/pull/2049)
+
+### 2.3.2
+
+- Added masking for Shared Access Signature (SAS) artifact URLs [#1982](https://github.com/actions/toolkit/pull/1982)
+- Change hash to digest for consistent terminology across runner logs [#1991](https://github.com/actions/toolkit/pull/1991) 
+
+### 2.3.1
+
+- Fix comment typo on expectedHash. [#1986](https://github.com/actions/toolkit/pull/1986)
+
+### 2.3.0
+
+- Allow ArtifactClient to perform digest comparisons, if supplied. [#1975](https://github.com/actions/toolkit/pull/1975)
+
+### 2.2.2
+
+- Default concurrency to 5 for uploading artifacts [#1962](https://github.com/actions/toolkit/pull/1962)
+
+### 2.2.1
+
+- Add `ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY` and `ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS` environment variables [#1928](https://github.com/actions/toolkit/pull/1928)
+
+### 2.2.0
+
+- Return artifact digest on upload [#1896](https://github.com/actions/toolkit/pull/1896)
+
+### 2.1.11
+
+- Fixed a bug with relative symlinks resolution [#1844](https://github.com/actions/toolkit/pull/1844)
+- Use native `crypto` [#1815](https://github.com/actions/toolkit/pull/1815)
+
+### 2.1.10
+
+- Fixed a regression with symlinks not being automatically resolved [#1830](https://github.com/actions/toolkit/pull/1830)
+- Fixed a regression with chunk timeout [#1786](https://github.com/actions/toolkit/pull/1786)
+
+### 2.1.9
+
+- Fixed artifact upload chunk timeout logic [#1774](https://github.com/actions/toolkit/pull/1774)
+- Use lazy stream to prevent issues with open file limits [#1771](https://github.com/actions/toolkit/pull/1771)
+
+### 2.1.8
+
+- Allows `*.localhost` domains for hostname checks for local development.
+
+### 2.1.7
+
+- Update unzip-stream dependency and reverted to using `unzip.Extract()`
+
+### 2.1.6
+
+- Will retry on invalid request responses.
+
+### 2.1.5
+
+- Bumped `archiver` dependency to 7.0.1
+
+### 2.1.4
+
+- Adds info-level logging for zip extraction
+
+### 2.1.3
+
+- Fixes a bug in the extract logic updated in 2.1.2
+
+### 2.1.2
+
+- Updated the stream extract functionality to use `unzip.Parse()` instead of `unzip.Extract()` for greater control of unzipping artifacts
+
+### 2.1.1
+
+- Updated `isGhes` check to include `.ghe.com` and `.ghe.localhost` as accepted hosts
+
+### 2.1.0
+
+- Added `ArtifactClient#deleteArtifact` to delete artifacts by name [#1626](https://github.com/actions/toolkit/pull/1626)
+- Update error messaging to be more useful [#1628](https://github.com/actions/toolkit/pull/1628)
+
+### 2.0.1
+
+- Patch to fix transient request timeouts https://github.com/actions/download-artifact/issues/249
+
+### 2.0.0
+
+- Major release. Supports new Artifact backend for improved speed, reliability and behavior.
+- Numerous API changes, [some breaking](./README.md#breaking-changes).
+
+- [Blog post with more info](https://github.blog/2024-02-12-get-started-with-v4-of-github-actions-artifacts/)
+
+### 1.1.1
+
+- Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet [#1278](https://github.com/actions/toolkit/pull/1278/commits/b9de68a590daf37c6747e38d3cb4f1dd2cfb791c)
+
+### 1.1.0
+
+- Add `x-actions-results-crc64` and `x-actions-results-md5` checksum headers on upload [#1063](https://github.com/actions/toolkit/pull/1063)
+
+### 1.0.2
+
+- Update to v2.0.1 of `@actions/http-client` [#1087](https://github.com/actions/toolkit/pull/1087)
+
+### 1.0.1
+
+- Update to v2.0.0 of `@actions/http-client`
+
+### 1.0.0
+
+- Update `lockfileVersion` to `v2` in `package-lock.json` [#1009](https://github.com/actions/toolkit/pull/1009)
+
+### 0.6.1
+
+- Fix for failing 0 byte file uploads on Windows [#962](https://github.com/actions/toolkit/pull/962)
+
+### 0.6.0
+
+- Support upload from named pipes [#748](https://github.com/actions/toolkit/pull/748)
+- Fixes to percentage values being greater than 100% when downloading all artifacts [#889](https://github.com/actions/toolkit/pull/889)
+- Improved logging and output during artifact upload [#949](https://github.com/actions/toolkit/pull/949)
+- Improvements to client-side validation for certain invalid characters not allowed during upload: [#951](https://github.com/actions/toolkit/pull/951)
+- Faster upload speeds for certain types of large files by exempting gzip compression [#956](https://github.com/actions/toolkit/pull/956)
+- More detailed logging when dealing with chunked uploads [#957](https://github.com/actions/toolkit/pull/957)
+  
+### 0.5.2
+
+- Add HTTP 500 as a retryable status code for artifact upload and download.
+  
+### 0.5.1
+
+- Bump @actions/http-client to version 1.0.11 to fix proxy related issues during artifact upload and download
+
+### 0.5.0
+
+- Improved retry-ability for all http calls during artifact upload and download if an error is encountered
+
+### 0.4.2
+
+- Improved retry-ability when a partial artifact download is encountered
+
+### 0.4.1
+
+- Update to latest @actions/core version
+
+### 0.4.0
+
+- Add option to specify custom retentions on artifacts
+- 
+### 0.3.5
+
+- Retry in the event of a 413 response
+
+### 0.3.3
+
+- Increase chunk size during upload from 4MB to 8MB
+- Improve user-agent strings during API calls to help internally diagnose issues
+
+### 0.3.2
+
+- Fix to ensure readstreams get correctly reset in the event of a retry
+
+### 0.3.1
+
+- Fix to ensure temporary gzip files get correctly deleted during artifact upload
+- Remove spaces as a forbidden character during upload

 ### 0.3.0

@ -20,77 +183,13 @@
 - Clearer error message if storage quota has been reached
 - Improved logging and output during artifact download

-### 0.3.1
+### 0.2.0

- Fix to ensure temporary gzip files get correctly deleted during artifact upload
- Remove spaces as a forbidden character during upload
+- Fixes to TCP connections not closing
+- GZip file compression to speed up downloads
+- Improved logging and output
+- Extra documentation

-### 0.3.2
+### 0.1.0

- Fix to ensure readstreams get correctly reset in the event of a retry
-
-### 0.3.3
-
- Increase chunk size during upload from 4MB to 8MB
- Improve user-agent strings during API calls to help internally diagnose issues
-
-### 0.3.5
-
- Retry in the event of a 413 response
-
-### 0.4.0
-
- Add option to specify custom retentions on artifacts
-
-### 0.4.1
-
- Update to latest @actions/core version
-
-### 0.4.2
-
- Improved retry-ability when a partial artifact download is encountered
-
-### 0.5.0
-
- Improved retry-ability for all http calls during artifact upload and download if an error is encountered
-
-### 0.5.1
-
- Bump @actions/http-client to version 1.0.11 to fix proxy related issues during artifact upload and download
-
-### 0.5.2
-
- Add HTTP 500 as a retryable status code for artifact upload and download.
-
-### 0.6.0
-
- Support upload from named pipes [#748](https://github.com/actions/toolkit/pull/748)
- Fixes to percentage values being greater than 100% when downloading all artifacts [#889](https://github.com/actions/toolkit/pull/889)
- Improved logging and output during artifact upload [#949](https://github.com/actions/toolkit/pull/949)
- Improvements to client-side validation for certain invalid characters not allowed during upload: [#951](https://github.com/actions/toolkit/pull/951)
- Faster upload speeds for certain types of large files by exempting gzip compression [#956](https://github.com/actions/toolkit/pull/956)
- More detailed logging when dealing with chunked uploads [#957](https://github.com/actions/toolkit/pull/957)
-
-### 0.6.1
-
- Fix for failing 0 byte file uploads on Windows [#962](https://github.com/actions/toolkit/pull/962)
-
-### 1.0.0
-
- Update `lockfileVersion` to `v2` in `package-lock.json` [#1009](https://github.com/actions/toolkit/pull/1009)
-
-### 1.0.1
-
- Update to v2.0.0 of `@actions/http-client`
-
-### 1.0.2
-
- Update to v2.0.1 of `@actions/http-client` [#1087](https://github.com/actions/toolkit/pull/1087)
-
-### 1.1.0
-
- Add `x-actions-results-crc64` and `x-actions-results-md5` checksum headers on upload [#1063](https://github.com/actions/toolkit/pull/1063)
-
-### 1.1.1
-
- Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet [#1278](https://github.com/actions/toolkit/pull/1278/commits/b9de68a590daf37c6747e38d3cb4f1dd2cfb791c)
+- Initial release
--- a/packages/artifact/tests/artifact-http-client.test.ts
+++ b/packages/artifact/tests/artifact-http-client.test.ts
@ -2,18 +2,21 @@ import * as http from 'http'
 import * as net from 'net'
 import {HttpClient} from '@actions/http-client'
 import * as config from '../src/internal/shared/config'
-import {createArtifactTwirpClient} from '../src/internal/shared/artifact-twirp-client'
-import * as core from '@actions/core'
+import {internalArtifactTwirpClient} from '../src/internal/shared/artifact-twirp-client'
+import {noopLogs} from './common'
+import {NetworkError, UsageError} from '../src/internal/shared/errors'

 jest.mock('@actions/http-client')

+const clientOptions = {
+  maxAttempts: 5,
+  retryIntervalMs: 1,
+  retryMultiplier: 1.5
+}
+
 describe('artifact-http-client', () => {
  beforeAll(() => {
-    // mock all output so that there is less noise when running tests
-    jest.spyOn(console, 'log').mockImplementation(() => {})
-    jest.spyOn(core, 'debug').mockImplementation(() => {})
-    jest.spyOn(core, 'info').mockImplementation(() => {})
-    jest.spyOn(core, 'warning').mockImplementation(() => {})
+    noopLogs()
    jest
      .spyOn(config, 'getResultsServiceUrl')
      .mockReturnValue('http://localhost:8080')
@ -25,7 +28,7 @@ describe('artifact-http-client', () => {
  })

  it('should successfully create a client', () => {
-    const client = createArtifactTwirpClient('upload')
+    const client = internalArtifactTwirpClient()
    expect(client).toBeDefined()
  })

@ -50,7 +53,7 @@ describe('artifact-http-client', () => {
      }
    })

-    const client = createArtifactTwirpClient('upload')
+    const client = internalArtifactTwirpClient()
    const artifact = await client.CreateArtifact({
      workflowRunBackendId: '1234',
      workflowJobRunBackendId: '5678',
@ -98,12 +101,55 @@ describe('artifact-http-client', () => {
      }
    })

-    const client = createArtifactTwirpClient(
-      'upload',
-      5, // retry 5 times
-      1, // wait 1 ms
-      1.5 // backoff factor
-    )
+    const client = internalArtifactTwirpClient(clientOptions)
+    const artifact = await client.CreateArtifact({
+      workflowRunBackendId: '1234',
+      workflowJobRunBackendId: '5678',
+      name: 'artifact',
+      version: 4
+    })
+
+    expect(mockHttpClient).toHaveBeenCalledTimes(1)
+    expect(artifact).toBeDefined()
+    expect(artifact.ok).toBe(true)
+    expect(artifact.signedUploadUrl).toBe('http://localhost:8080/upload')
+    expect(mockPost).toHaveBeenCalledTimes(2)
+  })
+
+  it('should retry if invalid body response', async () => {
+    const mockPost = jest
+      .fn(() => {
+        const msgSucceeded = new http.IncomingMessage(new net.Socket())
+        msgSucceeded.statusCode = 200
+        return {
+          message: msgSucceeded,
+          readBody: async () => {
+            return Promise.resolve(
+              `{"ok": true, "signedUploadUrl": "http://localhost:8080/upload"}`
+            )
+          }
+        }
+      })
+      .mockImplementationOnce(() => {
+        const msgFailed = new http.IncomingMessage(new net.Socket())
+        msgFailed.statusCode = 502
+        msgFailed.statusMessage = 'Bad Gateway'
+        return {
+          message: msgFailed,
+          readBody: async () => {
+            return Promise.resolve('💥')
+          }
+        }
+      })
+    const mockHttpClient = (
+      HttpClient as unknown as jest.Mock
+    ).mockImplementation(() => {
+      return {
+        post: mockPost
+      }
+    })
+
+    const client = internalArtifactTwirpClient(clientOptions)
    const artifact = await client.CreateArtifact({
      workflowRunBackendId: '1234',
      workflowJobRunBackendId: '5678',
@ -138,12 +184,7 @@ describe('artifact-http-client', () => {
        post: mockPost
      }
    })
-    const client = createArtifactTwirpClient(
-      'upload',
-      5, // retry 5 times
-      1, // wait 1 ms
-      1.5 // backoff factor
-    )
+    const client = internalArtifactTwirpClient(clientOptions)
    await expect(async () => {
      await client.CreateArtifact({
        workflowRunBackendId: '1234',
@ -178,12 +219,7 @@ describe('artifact-http-client', () => {
        post: mockPost
      }
    })
-    const client = createArtifactTwirpClient(
-      'upload',
-      5, // retry 5 times
-      1, // wait 1 ms
-      1.5 // backoff factor
-    )
+    const client = internalArtifactTwirpClient(clientOptions)
    await expect(async () => {
      await client.CreateArtifact({
        workflowRunBackendId: '1234',
@ -197,4 +233,116 @@ describe('artifact-http-client', () => {
    expect(mockHttpClient).toHaveBeenCalledTimes(1)
    expect(mockPost).toHaveBeenCalledTimes(1)
  })
+
+  it('should fail with a descriptive error', async () => {
+    // 409 duplicate error
+    const mockPost = jest.fn(() => {
+      const msgFailed = new http.IncomingMessage(new net.Socket())
+      msgFailed.statusCode = 409
+      msgFailed.statusMessage = 'Conflict'
+      return {
+        message: msgFailed,
+        readBody: async () => {
+          return Promise.resolve(
+            `{"msg": "an artifact with this name already exists on the workflow run"}`
+          )
+        }
+      }
+    })
+
+    const mockHttpClient = (
+      HttpClient as unknown as jest.Mock
+    ).mockImplementation(() => {
+      return {
+        post: mockPost
+      }
+    })
+    const client = internalArtifactTwirpClient(clientOptions)
+    await expect(async () => {
+      await client.CreateArtifact({
+        workflowRunBackendId: '1234',
+        workflowJobRunBackendId: '5678',
+        name: 'artifact',
+        version: 4
+      })
+      await client.CreateArtifact({
+        workflowRunBackendId: '1234',
+        workflowJobRunBackendId: '5678',
+        name: 'artifact',
+        version: 4
+      })
+    }).rejects.toThrowError(
+      'Failed to CreateArtifact: Received non-retryable error: Failed request: (409) Conflict: an artifact with this name already exists on the workflow run'
+    )
+    expect(mockHttpClient).toHaveBeenCalledTimes(1)
+    expect(mockPost).toHaveBeenCalledTimes(1)
+  })
+
+  it('should properly describe a network failure', async () => {
+    class FakeNodeError extends Error {
+      code: string
+      constructor(code: string) {
+        super()
+        this.code = code
+      }
+    }
+
+    const mockPost = jest.fn(() => {
+      throw new FakeNodeError('ENOTFOUND')
+    })
+
+    const mockHttpClient = (
+      HttpClient as unknown as jest.Mock
+    ).mockImplementation(() => {
+      return {
+        post: mockPost
+      }
+    })
+    const client = internalArtifactTwirpClient()
+    await expect(async () => {
+      await client.CreateArtifact({
+        workflowRunBackendId: '1234',
+        workflowJobRunBackendId: '5678',
+        name: 'artifact',
+        version: 4
+      })
+    }).rejects.toThrowError(new NetworkError('ENOTFOUND').message)
+    expect(mockHttpClient).toHaveBeenCalledTimes(1)
+    expect(mockPost).toHaveBeenCalledTimes(1)
+  })
+
+  it('should properly describe a usage error', async () => {
+    const mockPost = jest.fn(() => {
+      const msgFailed = new http.IncomingMessage(new net.Socket())
+      msgFailed.statusCode = 403
+      msgFailed.statusMessage = 'Forbidden'
+      return {
+        message: msgFailed,
+        readBody: async () => {
+          return Promise.resolve(
+            `{"msg": "insufficient usage to create artifact"}`
+          )
+        }
+      }
+    })
+
+    const mockHttpClient = (
+      HttpClient as unknown as jest.Mock
+    ).mockImplementation(() => {
+      return {
+        post: mockPost
+      }
+    })
+    const client = internalArtifactTwirpClient()
+    await expect(async () => {
+      await client.CreateArtifact({
+        workflowRunBackendId: '1234',
+        workflowJobRunBackendId: '5678',
+        name: 'artifact',
+        version: 4
+      })
+    }).rejects.toThrowError(new UsageError().message)
+    expect(mockHttpClient).toHaveBeenCalledTimes(1)
+    expect(mockPost).toHaveBeenCalledTimes(1)
+  })
 })
--- a/packages/artifact/tests/common.ts
+++ b/packages/artifact/tests/common.ts
@ -0,0 +1,9 @@
+import * as core from '@actions/core'
+
+// noopLogs mocks the console.log and core.* functions to prevent output in the console while testing
+export const noopLogs = (): void => {
+  jest.spyOn(console, 'log').mockImplementation(() => {})
+  jest.spyOn(core, 'debug').mockImplementation(() => {})
+  jest.spyOn(core, 'info').mockImplementation(() => {})
+  jest.spyOn(core, 'warning').mockImplementation(() => {})
+}
--- a/packages/artifact/tests/config.test.ts
+++ b/packages/artifact/tests/config.test.ts
@ -0,0 +1,149 @@
+import * as config from '../src/internal/shared/config'
+import os from 'os'
+
+// Mock the `cpus()` function in the `os` module
+jest.mock('os', () => {
+  const osActual = jest.requireActual('os')
+  return {
+    ...osActual,
+    cpus: jest.fn()
+  }
+})
+
+beforeEach(() => {
+  jest.resetModules()
+})
+
+describe('isGhes', () => {
+  it('should return false when the request domain is github.com', () => {
+    process.env.GITHUB_SERVER_URL = 'https://github.com'
+    expect(config.isGhes()).toBe(false)
+  })
+
+  it('should return false when the request domain ends with ghe.com', () => {
+    process.env.GITHUB_SERVER_URL = 'https://my.domain.ghe.com'
+    expect(config.isGhes()).toBe(false)
+  })
+
+  it('should return false when the request domain ends with ghe.localhost', () => {
+    process.env.GITHUB_SERVER_URL = 'https://my.domain.ghe.localhost'
+    expect(config.isGhes()).toBe(false)
+  })
+
+  it('should return false when the request domain ends with .localhost', () => {
+    process.env.GITHUB_SERVER_URL = 'https://github.localhost'
+    expect(config.isGhes()).toBe(false)
+  })
+
+  it('should return false when the request domain is specific to an enterprise', () => {
+    process.env.GITHUB_SERVER_URL = 'https://my-enterprise.github.com'
+    expect(config.isGhes()).toBe(true)
+  })
+})
+
+describe('uploadChunkTimeoutEnv', () => {
+  it('should return default 300000 when no env set', () => {
+    expect(config.getUploadChunkTimeout()).toBe(300000)
+  })
+
+  it('should return value set in ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS', () => {
+    process.env.ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS = '150000'
+    expect(config.getUploadChunkTimeout()).toBe(150000)
+  })
+
+  it('should throw if value set in ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS is invalid', () => {
+    process.env.ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS = 'abc'
+    expect(() => {
+      config.getUploadChunkTimeout()
+    }).toThrow()
+  })
+})
+
+describe('uploadConcurrencyEnv', () => {
+  it('Concurrency default to 5', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(4))
+    expect(config.getConcurrency()).toBe(5)
+  })
+
+  it('Concurrency max out at 300 on systems with many CPUs', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(32))
+    process.env.ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY = '301'
+    expect(config.getConcurrency()).toBe(300)
+  })
+
+  it('Concurrency can be set to 32 when cpu num is <= 4', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(4))
+    process.env.ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY = '32'
+    expect(config.getConcurrency()).toBe(32)
+  })
+
+  it('Concurrency can be set 16 * num of cpu when cpu num is > 4', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(6))
+    process.env.ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY = '96'
+    expect(config.getConcurrency()).toBe(96)
+  })
+
+  it('Concurrency can be overridden by env var ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(4))
+    process.env.ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY = '10'
+    expect(config.getConcurrency()).toBe(10)
+  })
+
+  it('should throw with invalid value of ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(4))
+    process.env.ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY = 'abc'
+    expect(() => {
+      config.getConcurrency()
+    }).toThrow()
+  })
+
+  it('should throw if ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY is < 1', () => {
+    ;(os.cpus as jest.Mock).mockReturnValue(new Array(4))
+    process.env.ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY = '0'
+    expect(() => {
+      config.getConcurrency()
+    }).toThrow()
+  })
+})
+
+describe('getMaxArtifactListCount', () => {
+  beforeEach(() => {
+    delete process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT
+  })
+
+  it('should return default 1000 when no env set', () => {
+    expect(config.getMaxArtifactListCount()).toBe(1000)
+  })
+
+  it('should return value set in ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT', () => {
+    process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT = '2000'
+    expect(config.getMaxArtifactListCount()).toBe(2000)
+  })
+
+  it('should throw if value set in ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT is invalid', () => {
+    process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT = 'abc'
+    expect(() => {
+      config.getMaxArtifactListCount()
+    }).toThrow(
+      'Invalid value set for ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT env variable'
+    )
+  })
+
+  it('should throw if ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT is < 1', () => {
+    process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT = '0'
+    expect(() => {
+      config.getMaxArtifactListCount()
+    }).toThrow(
+      'Invalid value set for ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT env variable'
+    )
+  })
+
+  it('should throw if ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT is negative', () => {
+    process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT = '-100'
+    expect(() => {
+      config.getMaxArtifactListCount()
+    }).toThrow(
+      'Invalid value set for ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT env variable'
+    )
+  })
+})
--- a/packages/artifact/tests/delete-artifacts.test.ts
+++ b/packages/artifact/tests/delete-artifacts.test.ts
@ -0,0 +1,192 @@
+import * as github from '@actions/github'
+import type {RestEndpointMethods} from '@octokit/plugin-rest-endpoint-methods/dist-types/generated/method-types'
+import type {RequestInterface} from '@octokit/types'
+import {
+  deleteArtifactInternal,
+  deleteArtifactPublic
+} from '../src/internal/delete/delete-artifact'
+import * as config from '../src/internal/shared/config'
+import {ArtifactServiceClientJSON, Timestamp} from '../src/generated'
+import * as util from '../src/internal/shared/util'
+import {noopLogs} from './common'
+
+type MockedRequest = jest.MockedFunction<RequestInterface<object>>
+
+type MockedDeleteArtifact = jest.MockedFunction<
+  RestEndpointMethods['actions']['deleteArtifact']
+>
+
+jest.mock('@actions/github', () => ({
+  getOctokit: jest.fn().mockReturnValue({
+    request: jest.fn(),
+    rest: {
+      actions: {
+        deleteArtifact: jest.fn()
+      }
+    }
+  })
+}))
+
+const fixtures = {
+  repo: 'toolkit',
+  owner: 'actions',
+  token: 'ghp_1234567890',
+  runId: 123,
+  backendIds: {
+    workflowRunBackendId: 'c4d7c21f-ba3f-4ddc-a8c8-6f2f626f8422',
+    workflowJobRunBackendId: '760803a1-f890-4d25-9a6e-a3fc01a0c7cf'
+  },
+  artifacts: [
+    {
+      id: 1,
+      name: 'my-artifact',
+      size: 456,
+      createdAt: new Date('2023-12-01')
+    },
+    {
+      id: 2,
+      name: 'my-artifact',
+      size: 456,
+      createdAt: new Date('2023-12-02')
+    }
+  ]
+}
+
+describe('delete-artifact', () => {
+  beforeAll(() => {
+    noopLogs()
+  })
+
+  describe('public', () => {
+    it('should delete an artifact', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: {
+          artifacts: [
+            {
+              name: fixtures.artifacts[0].name,
+              id: fixtures.artifacts[0].id,
+              size_in_bytes: fixtures.artifacts[0].size,
+              created_at: fixtures.artifacts[0].createdAt.toISOString()
+            }
+          ]
+        }
+      })
+
+      const mockDeleteArtifact = github.getOctokit(fixtures.token).rest.actions
+        .deleteArtifact as MockedDeleteArtifact
+      mockDeleteArtifact.mockResolvedValueOnce({
+        status: 204,
+        headers: {},
+        url: '',
+        data: null as never
+      })
+
+      const response = await deleteArtifactPublic(
+        fixtures.artifacts[0].name,
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token
+      )
+
+      expect(response).toEqual({
+        id: fixtures.artifacts[0].id
+      })
+    })
+
+    it('should fail if non-200 response', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: {
+          artifacts: [
+            {
+              name: fixtures.artifacts[0].name,
+              id: fixtures.artifacts[0].id,
+              size_in_bytes: fixtures.artifacts[0].size,
+              created_at: fixtures.artifacts[0].createdAt.toISOString()
+            }
+          ]
+        }
+      })
+
+      const mockDeleteArtifact = github.getOctokit(fixtures.token).rest.actions
+        .deleteArtifact as MockedDeleteArtifact
+      mockDeleteArtifact.mockRejectedValue(new Error('boom'))
+
+      await expect(
+        deleteArtifactPublic(
+          fixtures.artifacts[0].name,
+          fixtures.runId,
+          fixtures.owner,
+          fixtures.repo,
+          fixtures.token
+        )
+      ).rejects.toThrow('boom')
+    })
+  })
+
+  describe('internal', () => {
+    beforeEach(() => {
+      jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
+      jest
+        .spyOn(util, 'getBackendIdsFromToken')
+        .mockReturnValue(fixtures.backendIds)
+      jest
+        .spyOn(config, 'getResultsServiceUrl')
+        .mockReturnValue('https://results.local')
+    })
+
+    it('should delete an artifact', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: fixtures.artifacts.map(artifact => ({
+            ...fixtures.backendIds,
+            databaseId: artifact.id.toString(),
+            name: artifact.name,
+            size: artifact.size.toString(),
+            createdAt: Timestamp.fromDate(artifact.createdAt)
+          }))
+        })
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'DeleteArtifact')
+        .mockResolvedValue({
+          ok: true,
+          artifactId: fixtures.artifacts[0].id.toString()
+        })
+      const response = await deleteArtifactInternal(fixtures.artifacts[0].name)
+      expect(response).toEqual({
+        id: fixtures.artifacts[0].id
+      })
+    })
+
+    it('should fail if non-200 response', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: fixtures.artifacts.map(artifact => ({
+            ...fixtures.backendIds,
+            databaseId: artifact.id.toString(),
+            name: artifact.name,
+            size: artifact.size.toString(),
+            createdAt: Timestamp.fromDate(artifact.createdAt)
+          }))
+        })
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'DeleteArtifact')
+        .mockRejectedValue(new Error('boom'))
+      await expect(
+        deleteArtifactInternal(fixtures.artifacts[0].id)
+      ).rejects.toThrow('boom')
+    })
+  })
+})
--- a/packages/artifact/tests/download-artifact.test.ts
+++ b/packages/artifact/tests/download-artifact.test.ts
@ -2,14 +2,21 @@ import fs from 'fs'
 import * as http from 'http'
 import * as net from 'net'
 import * as path from 'path'
-import * as core from '@actions/core'
 import * as github from '@actions/github'
 import {HttpClient} from '@actions/http-client'
 import type {RestEndpointMethods} from '@octokit/plugin-rest-endpoint-methods/dist-types/generated/method-types'
 import archiver from 'archiver'

-import {downloadArtifact} from '../src/internal/download/download-artifact'
+import {
+  downloadArtifactInternal,
+  downloadArtifactPublic,
+  streamExtractExternal
+} from '../src/internal/download/download-artifact'
 import {getUserAgentString} from '../src/internal/shared/user-agent'
+import {noopLogs} from './common'
+import * as config from '../src/internal/shared/config'
+import {ArtifactServiceClientJSON} from '../src/generated'
+import * as util from '../src/internal/shared/util'

 type MockedDownloadArtifact = jest.MockedFunction<
  RestEndpointMethods['actions']['downloadArtifact']
@ -32,10 +39,16 @@ const fixtures = {
    ]
  },
  artifactID: 1234,
+  artifactName: 'my-artifact',
+  artifactSize: 123456,
  repositoryOwner: 'actions',
  repositoryName: 'toolkit',
  token: 'ghp_1234567890',
-  blobStorageUrl: 'https://blob-storage.local?signed=true'
+  blobStorageUrl: 'https://blob-storage.local?signed=true',
+  backendIds: {
+    workflowRunBackendId: 'c4d7c21f-ba3f-4ddc-a8c8-6f2f626f8422',
+    workflowJobRunBackendId: '760803a1-f890-4d25-9a6e-a3fc01a0c7cf'
+  }
 }

 jest.mock('@actions/github', () => ({
@ -74,206 +87,566 @@ const expectExtractedArchive = async (dir: string): Promise<void> => {
  }
 }

+const setup = async (): Promise<void> => {
+  noopLogs()
+  await fs.promises.mkdir(testDir, {recursive: true})
+  await createTestArchive()
+
+  process.env['GITHUB_WORKSPACE'] = fixtures.workspaceDir
+}
+
+const cleanup = async (): Promise<void> => {
+  jest.restoreAllMocks()
+  await fs.promises.rm(testDir, {recursive: true})
+  delete process.env['GITHUB_WORKSPACE']
+}
+
+const mockGetArtifactSuccess = jest.fn(() => {
+  const message = new http.IncomingMessage(new net.Socket())
+  message.statusCode = 200
+  message.push(fs.readFileSync(fixtures.exampleArtifact.path))
+  message.push(null)
+  return {
+    message
+  }
+})
+
+const mockGetArtifactHung = jest.fn(() => {
+  const message = new http.IncomingMessage(new net.Socket())
+  message.statusCode = 200
+  // Don't push any data or call push(null) to end the stream
+  // This creates a stream that hangs and never completes
+  return {
+    message
+  }
+})
+
+const mockGetArtifactFailure = jest.fn(() => {
+  const message = new http.IncomingMessage(new net.Socket())
+  message.statusCode = 500
+  message.push('Internal Server Error')
+  message.push(null)
+  return {
+    message
+  }
+})
+
+const mockGetArtifactMalicious = jest.fn(() => {
+  const message = new http.IncomingMessage(new net.Socket())
+  message.statusCode = 200
+  message.push(fs.readFileSync(path.join(__dirname, 'fixtures', 'evil.zip'))) // evil.zip contains files that are formatted x/../../etc/hosts
+  message.push(null)
+  return {
+    message
+  }
+})
+
 describe('download-artifact', () => {
-  beforeEach(async () => {
-    jest.spyOn(core, 'debug').mockImplementation(() => {})
-    jest.spyOn(core, 'info').mockImplementation(() => {})
-    jest.spyOn(core, 'warning').mockImplementation(() => {})
+  describe('public', () => {
+    beforeEach(setup)
+    afterEach(cleanup)

-    await fs.promises.mkdir(testDir, {recursive: true})
-    await createTestArchive()
+    it('should successfully download an artifact to $GITHUB_WORKSPACE', async () => {
+      const downloadArtifactMock = github.getOctokit(fixtures.token).rest
+        .actions.downloadArtifact as MockedDownloadArtifact
+      downloadArtifactMock.mockResolvedValueOnce({
+        headers: {
+          location: fixtures.blobStorageUrl
+        },
+        status: 302,
+        url: '',
+        data: Buffer.from('')
+      })

-    process.env['GITHUB_WORKSPACE'] = fixtures.workspaceDir
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactSuccess
+          }
+        }
+      )
+
+      const response = await downloadArtifactPublic(
+        fixtures.artifactID,
+        fixtures.repositoryOwner,
+        fixtures.repositoryName,
+        fixtures.token
+      )
+
+      expect(downloadArtifactMock).toHaveBeenCalledWith({
+        owner: fixtures.repositoryOwner,
+        repo: fixtures.repositoryName,
+        artifact_id: fixtures.artifactID,
+        archive_format: 'zip',
+        request: {
+          redirect: 'manual'
+        }
+      })
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockGetArtifactSuccess).toHaveBeenCalledWith(
+        fixtures.blobStorageUrl
+      )
+      expectExtractedArchive(fixtures.workspaceDir)
+      expect(response.downloadPath).toBe(fixtures.workspaceDir)
+    })
+
+    it('should not allow path traversal from malicious artifacts', async () => {
+      const downloadArtifactMock = github.getOctokit(fixtures.token).rest
+        .actions.downloadArtifact as MockedDownloadArtifact
+      downloadArtifactMock.mockResolvedValueOnce({
+        headers: {
+          location: fixtures.blobStorageUrl
+        },
+        status: 302,
+        url: '',
+        data: Buffer.from('')
+      })
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactMalicious
+          }
+        }
+      )
+
+      const response = await downloadArtifactPublic(
+        fixtures.artifactID,
+        fixtures.repositoryOwner,
+        fixtures.repositoryName,
+        fixtures.token
+      )
+
+      expect(downloadArtifactMock).toHaveBeenCalledWith({
+        owner: fixtures.repositoryOwner,
+        repo: fixtures.repositoryName,
+        artifact_id: fixtures.artifactID,
+        archive_format: 'zip',
+        request: {
+          redirect: 'manual'
+        }
+      })
+
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockGetArtifactMalicious).toHaveBeenCalledWith(
+        fixtures.blobStorageUrl
+      )
+
+      // ensure path traversal was not possible
+      expect(
+        fs.existsSync(path.join(fixtures.workspaceDir, 'x/etc/hosts'))
+      ).toBe(true)
+      expect(
+        fs.existsSync(path.join(fixtures.workspaceDir, 'y/etc/hosts'))
+      ).toBe(true)
+
+      expect(response.downloadPath).toBe(fixtures.workspaceDir)
+    })
+
+    it('should successfully download an artifact to user defined path', async () => {
+      const customPath = path.join(testDir, 'custom')
+
+      const downloadArtifactMock = github.getOctokit(fixtures.token).rest
+        .actions.downloadArtifact as MockedDownloadArtifact
+      downloadArtifactMock.mockResolvedValueOnce({
+        headers: {
+          location: fixtures.blobStorageUrl
+        },
+        status: 302,
+        url: '',
+        data: Buffer.from('')
+      })
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactSuccess
+          }
+        }
+      )
+
+      const response = await downloadArtifactPublic(
+        fixtures.artifactID,
+        fixtures.repositoryOwner,
+        fixtures.repositoryName,
+        fixtures.token,
+        {
+          path: customPath
+        }
+      )
+
+      expect(downloadArtifactMock).toHaveBeenCalledWith({
+        owner: fixtures.repositoryOwner,
+        repo: fixtures.repositoryName,
+        artifact_id: fixtures.artifactID,
+        archive_format: 'zip',
+        request: {
+          redirect: 'manual'
+        }
+      })
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockGetArtifactSuccess).toHaveBeenCalledWith(
+        fixtures.blobStorageUrl
+      )
+      expectExtractedArchive(customPath)
+      expect(response.downloadPath).toBe(customPath)
+    })
+
+    it('should fail if download artifact API does not respond with location', async () => {
+      const downloadArtifactMock = github.getOctokit(fixtures.token).rest
+        .actions.downloadArtifact as MockedDownloadArtifact
+      downloadArtifactMock.mockResolvedValueOnce({
+        headers: {},
+        status: 302,
+        url: '',
+        data: Buffer.from('')
+      })
+
+      await expect(
+        downloadArtifactPublic(
+          fixtures.artifactID,
+          fixtures.repositoryOwner,
+          fixtures.repositoryName,
+          fixtures.token
+        )
+      ).rejects.toBeInstanceOf(Error)
+
+      expect(downloadArtifactMock).toHaveBeenCalledWith({
+        owner: fixtures.repositoryOwner,
+        repo: fixtures.repositoryName,
+        artifact_id: fixtures.artifactID,
+        archive_format: 'zip',
+        request: {
+          redirect: 'manual'
+        }
+      })
+    })
+
+    it('should fail if blob storage storage chunk does not respond within 30s', async () => {
+      // mock http client to delay response data by 30s
+      const msg = new http.IncomingMessage(new net.Socket())
+      msg.statusCode = 200
+
+      const mockGet = jest.fn(async () => {
+        return new Promise((resolve, reject) => {
+          // Reject with an error after 31 seconds
+          setTimeout(() => {
+            reject(new Error('Request timeout'))
+          }, 31000) // Timeout after 31 seconds
+        })
+      })
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGet
+          }
+        }
+      )
+
+      await expect(
+        streamExtractExternal(fixtures.blobStorageUrl, fixtures.workspaceDir)
+      ).rejects.toBeInstanceOf(Error)
+
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+    }, 35000) // add longer timeout to allow for timer to run out
+
+    it('should fail if blob storage response is non-200 after 5 retries', async () => {
+      const downloadArtifactMock = github.getOctokit(fixtures.token).rest
+        .actions.downloadArtifact as MockedDownloadArtifact
+      downloadArtifactMock.mockResolvedValueOnce({
+        headers: {
+          location: fixtures.blobStorageUrl
+        },
+        status: 302,
+        url: '',
+        data: Buffer.from('')
+      })
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactFailure
+          }
+        }
+      )
+
+      await expect(
+        downloadArtifactPublic(
+          fixtures.artifactID,
+          fixtures.repositoryOwner,
+          fixtures.repositoryName,
+          fixtures.token
+        )
+      ).rejects.toBeInstanceOf(Error)
+
+      expect(downloadArtifactMock).toHaveBeenCalledWith({
+        owner: fixtures.repositoryOwner,
+        repo: fixtures.repositoryName,
+        artifact_id: fixtures.artifactID,
+        archive_format: 'zip',
+        request: {
+          redirect: 'manual'
+        }
+      })
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockGetArtifactFailure).toHaveBeenCalledWith(
+        fixtures.blobStorageUrl
+      )
+      expect(mockGetArtifactFailure).toHaveBeenCalledTimes(5)
+    }, 38000)
+
+    it('should retry if blob storage response is non-200 and then succeed with a 200', async () => {
+      const downloadArtifactMock = github.getOctokit(fixtures.token).rest
+        .actions.downloadArtifact as MockedDownloadArtifact
+      downloadArtifactMock.mockResolvedValueOnce({
+        headers: {
+          location: fixtures.blobStorageUrl
+        },
+        status: 302,
+        url: '',
+        data: Buffer.from('')
+      })
+
+      const mockGetArtifact = jest
+        .fn(mockGetArtifactSuccess)
+        .mockImplementationOnce(mockGetArtifactFailure)
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifact
+          }
+        }
+      )
+
+      const response = await downloadArtifactPublic(
+        fixtures.artifactID,
+        fixtures.repositoryOwner,
+        fixtures.repositoryName,
+        fixtures.token
+      )
+
+      expect(downloadArtifactMock).toHaveBeenCalledWith({
+        owner: fixtures.repositoryOwner,
+        repo: fixtures.repositoryName,
+        artifact_id: fixtures.artifactID,
+        archive_format: 'zip',
+        request: {
+          redirect: 'manual'
+        }
+      })
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockGetArtifactFailure).toHaveBeenCalledWith(
+        fixtures.blobStorageUrl
+      )
+      expect(mockGetArtifactFailure).toHaveBeenCalledTimes(1)
+      expect(mockGetArtifactSuccess).toHaveBeenCalledWith(
+        fixtures.blobStorageUrl
+      )
+      expect(mockGetArtifactSuccess).toHaveBeenCalledTimes(1)
+      expect(response.downloadPath).toBe(fixtures.workspaceDir)
+    }, 28000)
  })

-  afterEach(async () => {
-    jest.restoreAllMocks()
-    await fs.promises.rm(testDir, {recursive: true})
-    delete process.env['GITHUB_WORKSPACE']
-  })
+  describe('internal', () => {
+    beforeEach(async () => {
+      await setup()

-  it('should successfully download an artifact to $GITHUB_WORKSPACE', async () => {
-    const downloadArtifactMock = github.getOctokit(fixtures.token).rest.actions
-      .downloadArtifact as MockedDownloadArtifact
-    downloadArtifactMock.mockResolvedValueOnce({
-      headers: {
-        location: fixtures.blobStorageUrl
-      },
-      status: 302,
-      url: '',
-      data: Buffer.from('')
+      jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
+
+      jest
+        .spyOn(util, 'getBackendIdsFromToken')
+        .mockReturnValue(fixtures.backendIds)
+
+      jest
+        .spyOn(config, 'getResultsServiceUrl')
+        .mockReturnValue('https://results.local')
+    })
+    afterEach(async () => {
+      await cleanup()
    })

-    const getMock = jest.fn(() => {
-      const message = new http.IncomingMessage(new net.Socket())
-      message.statusCode = 200
-      message.push(fs.readFileSync(fixtures.exampleArtifact.path))
-      return {
-        message
-      }
-    })
-    const httpClientMock = (HttpClient as jest.Mock).mockImplementation(() => {
-      return {
-        get: getMock
-      }
+    it('should successfully download an artifact to $GITHUB_WORKSPACE', async () => {
+      const mockListArtifacts = jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: [
+            {
+              ...fixtures.backendIds,
+              databaseId: fixtures.artifactID.toString(),
+              name: fixtures.artifactName,
+              size: fixtures.artifactSize.toString()
+            }
+          ]
+        })
+
+      const mockGetSignedArtifactURL = jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'GetSignedArtifactURL')
+        .mockReturnValue(
+          Promise.resolve({
+            signedUrl: fixtures.blobStorageUrl
+          })
+        )
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactSuccess
+          }
+        }
+      )
+
+      const response = await downloadArtifactInternal(fixtures.artifactID)
+
+      expectExtractedArchive(fixtures.workspaceDir)
+      expect(response.downloadPath).toBe(fixtures.workspaceDir)
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockListArtifacts).toHaveBeenCalledWith({
+        idFilter: {
+          value: fixtures.artifactID.toString()
+        },
+        ...fixtures.backendIds
+      })
+      expect(mockGetSignedArtifactURL).toHaveBeenCalledWith({
+        ...fixtures.backendIds,
+        name: fixtures.artifactName
+      })
    })

-    const response = await downloadArtifact(
-      fixtures.artifactID,
-      fixtures.repositoryOwner,
-      fixtures.repositoryName,
-      fixtures.token
-    )
+    it('should successfully download an artifact to user defined path', async () => {
+      const customPath = path.join(testDir, 'custom')

-    expect(downloadArtifactMock).toHaveBeenCalledWith({
-      owner: fixtures.repositoryOwner,
-      repo: fixtures.repositoryName,
-      artifact_id: fixtures.artifactID,
-      archive_format: 'zip',
-      request: {
-        redirect: 'manual'
-      }
-    })
-    expect(httpClientMock).toHaveBeenCalledWith(getUserAgentString())
-    expect(getMock).toHaveBeenCalledWith(fixtures.blobStorageUrl)
+      const mockListArtifacts = jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: [
+            {
+              ...fixtures.backendIds,
+              databaseId: fixtures.artifactID.toString(),
+              name: fixtures.artifactName,
+              size: fixtures.artifactSize.toString()
+            }
+          ]
+        })

-    expectExtractedArchive(fixtures.workspaceDir)
+      const mockGetSignedArtifactURL = jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'GetSignedArtifactURL')
+        .mockReturnValue(
+          Promise.resolve({
+            signedUrl: fixtures.blobStorageUrl
+          })
+        )

-    expect(response.success).toBe(true)
-    expect(response.downloadPath).toBe(fixtures.workspaceDir)
-  })
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactSuccess
+          }
+        }
+      )

-  it('should successfully download an artifact to user defined path', async () => {
-    const customPath = path.join(testDir, 'custom')
-
-    const downloadArtifactMock = github.getOctokit(fixtures.token).rest.actions
-      .downloadArtifact as MockedDownloadArtifact
-    downloadArtifactMock.mockResolvedValueOnce({
-      headers: {
-        location: fixtures.blobStorageUrl
-      },
-      status: 302,
-      url: '',
-      data: Buffer.from('')
-    })
-
-    const getMock = jest.fn(() => {
-      const message = new http.IncomingMessage(new net.Socket())
-      message.statusCode = 200
-      message.push(fs.readFileSync(fixtures.exampleArtifact.path))
-      return {
-        message
-      }
-    })
-    const httpClientMock = (HttpClient as jest.Mock).mockImplementation(() => {
-      return {
-        get: getMock
-      }
-    })
-
-    const response = await downloadArtifact(
-      fixtures.artifactID,
-      fixtures.repositoryOwner,
-      fixtures.repositoryName,
-      fixtures.token,
-      {
+      const response = await downloadArtifactInternal(fixtures.artifactID, {
        path: customPath
-      }
-    )
+      })

-    expect(downloadArtifactMock).toHaveBeenCalledWith({
-      owner: fixtures.repositoryOwner,
-      repo: fixtures.repositoryName,
-      artifact_id: fixtures.artifactID,
-      archive_format: 'zip',
-      request: {
-        redirect: 'manual'
-      }
-    })
-    expect(httpClientMock).toHaveBeenCalledWith(getUserAgentString())
-    expect(getMock).toHaveBeenCalledWith(fixtures.blobStorageUrl)
-
-    expectExtractedArchive(customPath)
-
-    expect(response.success).toBe(true)
-    expect(response.downloadPath).toBe(customPath)
-  })
-
-  it('should fail if download artifact API does not respond with location', async () => {
-    const downloadArtifactMock = github.getOctokit(fixtures.token).rest.actions
-      .downloadArtifact as MockedDownloadArtifact
-    downloadArtifactMock.mockResolvedValueOnce({
-      headers: {},
-      status: 302,
-      url: '',
-      data: Buffer.from('')
+      expectExtractedArchive(customPath)
+      expect(response.downloadPath).toBe(customPath)
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockListArtifacts).toHaveBeenCalledWith({
+        idFilter: {
+          value: fixtures.artifactID.toString()
+        },
+        ...fixtures.backendIds
+      })
+      expect(mockGetSignedArtifactURL).toHaveBeenCalledWith({
+        ...fixtures.backendIds,
+        name: fixtures.artifactName
+      })
    })

-    await expect(
-      downloadArtifact(
-        fixtures.artifactID,
-        fixtures.repositoryOwner,
-        fixtures.repositoryName,
-        fixtures.token
+    it('should fail if download artifact API does not respond with location', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockRejectedValue(new Error('boom'))
+
+      await expect(
+        downloadArtifactInternal(fixtures.artifactID)
+      ).rejects.toBeInstanceOf(Error)
+    })
+
+    it('should fail if blob storage response is non-200', async () => {
+      const mockListArtifacts = jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: [
+            {
+              ...fixtures.backendIds,
+              databaseId: fixtures.artifactID.toString(),
+              name: fixtures.artifactName,
+              size: fixtures.artifactSize.toString()
+            }
+          ]
+        })
+
+      const mockGetSignedArtifactURL = jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'GetSignedArtifactURL')
+        .mockReturnValue(
+          Promise.resolve({
+            signedUrl: fixtures.blobStorageUrl
+          })
+        )
+
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockGetArtifactFailure
+          }
+        }
      )
-    ).rejects.toBeInstanceOf(Error)

-    expect(downloadArtifactMock).toHaveBeenCalledWith({
-      owner: fixtures.repositoryOwner,
-      repo: fixtures.repositoryName,
-      artifact_id: fixtures.artifactID,
-      archive_format: 'zip',
-      request: {
-        redirect: 'manual'
-      }
+      await expect(
+        downloadArtifactInternal(fixtures.artifactID)
+      ).rejects.toBeInstanceOf(Error)
+      expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+      expect(mockListArtifacts).toHaveBeenCalledWith({
+        idFilter: {
+          value: fixtures.artifactID.toString()
+        },
+        ...fixtures.backendIds
+      })
+      expect(mockGetSignedArtifactURL).toHaveBeenCalledWith({
+        ...fixtures.backendIds,
+        name: fixtures.artifactName
+      })
    })
  })

-  it('should fail if blob storage response is non-200', async () => {
-    const downloadArtifactMock = github.getOctokit(fixtures.token).rest.actions
-      .downloadArtifact as MockedDownloadArtifact
-    downloadArtifactMock.mockResolvedValueOnce({
-      headers: {
-        location: fixtures.blobStorageUrl
-      },
-      status: 302,
-      url: '',
-      data: Buffer.from('')
-    })
+  describe('streamExtractExternal', () => {
+    it('should fail if the timeout is exceeded', async () => {
+      const mockSlowGetArtifact = jest.fn(mockGetArtifactHung)

-    const getMock = jest.fn(() => {
-      const message = new http.IncomingMessage(new net.Socket())
-      message.statusCode = 500
-      message.push('Internal Server Error')
-      return {
-        message
-      }
-    })
-    const httpClientMock = (HttpClient as jest.Mock).mockImplementation(() => {
-      return {
-        get: getMock
-      }
-    })
-
-    await expect(
-      downloadArtifact(
-        fixtures.artifactID,
-        fixtures.repositoryOwner,
-        fixtures.repositoryName,
-        fixtures.token
+      const mockHttpClient = (HttpClient as jest.Mock).mockImplementation(
+        () => {
+          return {
+            get: mockSlowGetArtifact
+          }
+        }
      )
-    ).rejects.toBeInstanceOf(Error)

-    expect(downloadArtifactMock).toHaveBeenCalledWith({
-      owner: fixtures.repositoryOwner,
-      repo: fixtures.repositoryName,
-      artifact_id: fixtures.artifactID,
-      archive_format: 'zip',
-      request: {
-        redirect: 'manual'
+      try {
+        await streamExtractExternal(
+          fixtures.blobStorageUrl,
+          fixtures.workspaceDir,
+          {timeout: 2}
+        )
+        expect(true).toBe(false) // should not be called
+      } catch (e) {
+        expect(e).toBeInstanceOf(Error)
+        expect(e.message).toContain('did not respond in 2ms')
+        expect(mockHttpClient).toHaveBeenCalledWith(getUserAgentString())
+        expect(mockSlowGetArtifact).toHaveBeenCalledTimes(1)
      }
    })
-    expect(httpClientMock).toHaveBeenCalledWith(getUserAgentString())
-    expect(getMock).toHaveBeenCalledWith(fixtures.blobStorageUrl)
  })
 })
--- a/packages/artifact/tests/fixtures/evil.zip
+++ b/packages/artifact/tests/fixtures/evil.zip
--- a/packages/artifact/tests/get-artifact.test.ts
+++ b/packages/artifact/tests/get-artifact.test.ts
@ -0,0 +1,239 @@
+import * as github from '@actions/github'
+import type {RequestInterface} from '@octokit/types'
+import {
+  getArtifactInternal,
+  getArtifactPublic
+} from '../src/internal/find/get-artifact'
+import * as config from '../src/internal/shared/config'
+import {ArtifactServiceClientJSON, Timestamp} from '../src/generated'
+import * as util from '../src/internal/shared/util'
+import {noopLogs} from './common'
+import {
+  ArtifactNotFoundError,
+  InvalidResponseError
+} from '../src/internal/shared/errors'
+
+type MockedRequest = jest.MockedFunction<RequestInterface<object>>
+
+jest.mock('@actions/github', () => ({
+  getOctokit: jest.fn().mockReturnValue({
+    request: jest.fn()
+  })
+}))
+
+const fixtures = {
+  repo: 'toolkit',
+  owner: 'actions',
+  token: 'ghp_1234567890',
+  runId: 123,
+  backendIds: {
+    workflowRunBackendId: 'c4d7c21f-ba3f-4ddc-a8c8-6f2f626f8422',
+    workflowJobRunBackendId: '760803a1-f890-4d25-9a6e-a3fc01a0c7cf'
+  },
+  artifacts: [
+    {
+      id: 1,
+      name: 'my-artifact',
+      size: 456,
+      createdAt: new Date('2023-12-01')
+    },
+    {
+      id: 2,
+      name: 'my-artifact',
+      size: 456,
+      createdAt: new Date('2023-12-02')
+    }
+  ]
+}
+
+describe('get-artifact', () => {
+  beforeAll(() => {
+    noopLogs()
+  })
+
+  describe('public', () => {
+    it('should return the artifact if it is found', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: {
+          artifacts: [
+            {
+              name: fixtures.artifacts[0].name,
+              id: fixtures.artifacts[0].id,
+              size_in_bytes: fixtures.artifacts[0].size,
+              created_at: fixtures.artifacts[0].createdAt.toISOString()
+            }
+          ]
+        }
+      })
+
+      const response = await getArtifactPublic(
+        fixtures.artifacts[0].name,
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token
+      )
+
+      expect(response).toEqual({
+        artifact: fixtures.artifacts[0]
+      })
+    })
+
+    it('should return the latest artifact if multiple are found', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: {
+          artifacts: fixtures.artifacts.map(artifact => ({
+            name: artifact.name,
+            id: artifact.id,
+            size_in_bytes: artifact.size,
+            created_at: artifact.createdAt.toISOString()
+          }))
+        }
+      })
+
+      const response = await getArtifactPublic(
+        fixtures.artifacts[0].name,
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token
+      )
+
+      expect(response).toEqual({
+        artifact: fixtures.artifacts[1]
+      })
+    })
+
+    it('should fail if no artifacts are found', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: {
+          artifacts: []
+        }
+      })
+
+      const response = getArtifactPublic(
+        fixtures.artifacts[0].name,
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token
+      )
+
+      expect(response).rejects.toThrowError(ArtifactNotFoundError)
+    })
+
+    it('should fail if non-200 response', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+      mockRequest.mockResolvedValueOnce({
+        status: 404,
+        headers: {},
+        url: '',
+        data: {}
+      })
+
+      const response = getArtifactPublic(
+        fixtures.artifacts[0].name,
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token
+      )
+
+      expect(response).rejects.toThrowError(InvalidResponseError)
+    })
+  })
+
+  describe('internal', () => {
+    beforeEach(() => {
+      jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
+
+      jest
+        .spyOn(util, 'getBackendIdsFromToken')
+        .mockReturnValue(fixtures.backendIds)
+
+      jest
+        .spyOn(config, 'getResultsServiceUrl')
+        .mockReturnValue('https://results.local')
+    })
+
+    it('should return the artifact if it is found', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: [
+            {
+              ...fixtures.backendIds,
+              databaseId: fixtures.artifacts[0].id.toString(),
+              name: fixtures.artifacts[0].name,
+              size: fixtures.artifacts[0].size.toString(),
+              createdAt: Timestamp.fromDate(fixtures.artifacts[0].createdAt)
+            }
+          ]
+        })
+
+      const response = await getArtifactInternal(fixtures.artifacts[0].name)
+
+      expect(response).toEqual({
+        artifact: fixtures.artifacts[0]
+      })
+    })
+
+    it('should return the latest artifact if multiple are found', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: fixtures.artifacts.map(artifact => ({
+            ...fixtures.backendIds,
+            databaseId: artifact.id.toString(),
+            name: artifact.name,
+            size: artifact.size.toString(),
+            createdAt: Timestamp.fromDate(artifact.createdAt)
+          }))
+        })
+
+      const response = await getArtifactInternal(fixtures.artifacts[0].name)
+
+      expect(response).toEqual({
+        artifact: fixtures.artifacts[1]
+      })
+    })
+
+    it('should fail if no artifacts are found', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: []
+        })
+
+      const response = getArtifactInternal(fixtures.artifacts[0].name)
+
+      expect(response).rejects.toThrowError(ArtifactNotFoundError)
+    })
+
+    it('should fail if non-200 response', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockRejectedValue(new Error('boom'))
+
+      const response = getArtifactInternal(fixtures.artifacts[0].name)
+
+      expect(response).rejects.toThrow()
+    })
+  })
+})
--- a/packages/artifact/tests/list-artifacts.test.ts
+++ b/packages/artifact/tests/list-artifacts.test.ts
@ -0,0 +1,361 @@
+import * as github from '@actions/github'
+import type {RestEndpointMethodTypes} from '@octokit/plugin-rest-endpoint-methods/dist-types/generated/parameters-and-response-types'
+import {
+  listArtifactsInternal,
+  listArtifactsPublic
+} from '../src/internal/find/list-artifacts'
+import * as config from '../src/internal/shared/config'
+import {ArtifactServiceClientJSON, Timestamp} from '../src/generated'
+import * as util from '../src/internal/shared/util'
+import {noopLogs} from './common'
+import {Artifact} from '../src/internal/shared/interfaces'
+import {RequestInterface} from '@octokit/types'
+
+type MockedRequest = jest.MockedFunction<RequestInterface<object>>
+
+jest.mock('@actions/github', () => ({
+  getOctokit: jest.fn().mockReturnValue({
+    request: jest.fn(),
+    rest: {
+      actions: {
+        listWorkflowRunArtifacts: jest.fn()
+      }
+    }
+  })
+}))
+
+const artifactsToListResponse = (
+  artifacts: Artifact[]
+): RestEndpointMethodTypes['actions']['listWorkflowRunArtifacts']['response']['data'] => {
+  return {
+    total_count: artifacts.length,
+    artifacts: artifacts.map(artifact => ({
+      name: artifact.name,
+      id: artifact.id,
+      size_in_bytes: artifact.size,
+      created_at: artifact.createdAt?.toISOString() || '',
+      run_id: fixtures.runId,
+      // unused fields for tests
+      url: '',
+      archive_download_url: '',
+      expired: false,
+      expires_at: '',
+      node_id: '',
+      run_url: '',
+      type: '',
+      updated_at: ''
+    }))
+  }
+}
+
+const fixtures = {
+  repo: 'toolkit',
+  owner: 'actions',
+  token: 'ghp_1234567890',
+  runId: 123,
+  backendIds: {
+    workflowRunBackendId: 'c4d7c21f-ba3f-4ddc-a8c8-6f2f626f8422',
+    workflowJobRunBackendId: '760803a1-f890-4d25-9a6e-a3fc01a0c7cf'
+  },
+  artifacts: [
+    {
+      id: 1,
+      name: 'my-artifact',
+      size: 456,
+      createdAt: new Date('2023-12-01')
+    },
+    {
+      id: 2,
+      name: 'my-artifact',
+      size: 456,
+      createdAt: new Date('2023-12-02')
+    }
+  ]
+}
+
+describe('list-artifact', () => {
+  beforeAll(() => {
+    noopLogs()
+  })
+
+  describe('public', () => {
+    it('should return a list of artifacts', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: artifactsToListResponse(fixtures.artifacts)
+      })
+
+      const response = await listArtifactsPublic(
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token,
+        false
+      )
+
+      expect(response).toEqual({
+        artifacts: fixtures.artifacts
+      })
+    })
+
+    it('should return the latest artifact when latest is specified', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: artifactsToListResponse(fixtures.artifacts)
+      })
+
+      const response = await listArtifactsPublic(
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token,
+        true
+      )
+
+      expect(response).toEqual({
+        artifacts: [fixtures.artifacts[1]]
+      })
+    })
+
+    it('can return empty artifacts', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+
+      mockRequest.mockResolvedValueOnce({
+        status: 200,
+        headers: {},
+        url: '',
+        data: {
+          total_count: 0,
+          artifacts: []
+        }
+      })
+
+      const response = await listArtifactsPublic(
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token,
+        true
+      )
+
+      expect(response).toEqual({
+        artifacts: []
+      })
+    })
+
+    it('should fail if non-200 response', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+
+      mockRequest.mockRejectedValueOnce(new Error('boom'))
+
+      await expect(
+        listArtifactsPublic(
+          fixtures.runId,
+          fixtures.owner,
+          fixtures.repo,
+          fixtures.token,
+          false
+        )
+      ).rejects.toThrow('boom')
+    })
+
+    it('should handle pagination correctly when fetching multiple pages', async () => {
+      const mockRequest = github.getOctokit(fixtures.token)
+        .request as MockedRequest
+
+      const manyArtifacts = Array.from({length: 150}, (_, i) => ({
+        id: i + 1,
+        name: `artifact-${i + 1}`,
+        size: 100,
+        createdAt: new Date('2023-12-01')
+      }))
+
+      mockRequest
+        .mockResolvedValueOnce({
+          status: 200,
+          headers: {},
+          url: '',
+          data: {
+            ...artifactsToListResponse(manyArtifacts.slice(0, 100)),
+            total_count: 150
+          }
+        })
+        .mockResolvedValueOnce({
+          status: 200,
+          headers: {},
+          url: '',
+          data: {
+            ...artifactsToListResponse(manyArtifacts.slice(100, 150)),
+            total_count: 150
+          }
+        })
+
+      const response = await listArtifactsPublic(
+        fixtures.runId,
+        fixtures.owner,
+        fixtures.repo,
+        fixtures.token,
+        false
+      )
+
+      // Verify that both API calls were made
+      expect(mockRequest).toHaveBeenCalledTimes(2)
+
+      // Should return all 150 artifacts across both pages
+      expect(response.artifacts).toHaveLength(150)
+
+      // Verify we got artifacts from both pages
+      expect(response.artifacts[0].name).toBe('artifact-1')
+      expect(response.artifacts[99].name).toBe('artifact-100')
+      expect(response.artifacts[100].name).toBe('artifact-101')
+      expect(response.artifacts[149].name).toBe('artifact-150')
+    })
+
+    it('should respect ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT environment variable', async () => {
+      const originalEnv = process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT
+      process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT = '150'
+
+      jest.resetModules()
+
+      try {
+        const {listArtifactsPublic: listArtifactsPublicReloaded} = await import(
+          '../src/internal/find/list-artifacts'
+        )
+        const githubReloaded = await import('@actions/github')
+
+        const mockRequest = (githubReloaded.getOctokit as jest.Mock)(
+          fixtures.token
+        ).request as MockedRequest
+
+        const manyArtifacts = Array.from({length: 200}, (_, i) => ({
+          id: i + 1,
+          name: `artifact-${i + 1}`,
+          size: 100,
+          createdAt: new Date('2023-12-01')
+        }))
+
+        mockRequest
+          .mockResolvedValueOnce({
+            status: 200,
+            headers: {},
+            url: '',
+            data: {
+              ...artifactsToListResponse(manyArtifacts.slice(0, 100)),
+              total_count: 200
+            }
+          })
+          .mockResolvedValueOnce({
+            status: 200,
+            headers: {},
+            url: '',
+            data: {
+              ...artifactsToListResponse(manyArtifacts.slice(100, 150)),
+              total_count: 200
+            }
+          })
+
+        const response = await listArtifactsPublicReloaded(
+          fixtures.runId,
+          fixtures.owner,
+          fixtures.repo,
+          fixtures.token,
+          false
+        )
+
+        // Should only return 150 artifacts due to the limit
+        expect(response.artifacts).toHaveLength(150)
+        expect(response.artifacts[0].name).toBe('artifact-1')
+        expect(response.artifacts[149].name).toBe('artifact-150')
+      } finally {
+        // Restore original environment variable
+        if (originalEnv !== undefined) {
+          process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT = originalEnv
+        } else {
+          delete process.env.ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT
+        }
+
+        // Reset modules again to restore original state
+        jest.resetModules()
+      }
+    })
+  })
+
+  describe('internal', () => {
+    beforeEach(() => {
+      jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
+      jest
+        .spyOn(util, 'getBackendIdsFromToken')
+        .mockReturnValue(fixtures.backendIds)
+      jest
+        .spyOn(config, 'getResultsServiceUrl')
+        .mockReturnValue('https://results.local')
+    })
+
+    it('should return a list of artifacts', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: fixtures.artifacts.map(artifact => ({
+            ...fixtures.backendIds,
+            databaseId: artifact.id.toString(),
+            name: artifact.name,
+            size: artifact.size.toString(),
+            createdAt: Timestamp.fromDate(artifact.createdAt)
+          }))
+        })
+      const response = await listArtifactsInternal(false)
+      expect(response).toEqual({
+        artifacts: fixtures.artifacts
+      })
+    })
+
+    it('should return the latest artifact when latest is specified', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: fixtures.artifacts.map(artifact => ({
+            ...fixtures.backendIds,
+            databaseId: artifact.id.toString(),
+            name: artifact.name,
+            size: artifact.size.toString(),
+            createdAt: Timestamp.fromDate(artifact.createdAt)
+          }))
+        })
+      const response = await listArtifactsInternal(true)
+      expect(response).toEqual({
+        artifacts: [fixtures.artifacts[1]]
+      })
+    })
+
+    it('can return empty artifacts', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockResolvedValue({
+          artifacts: []
+        })
+      const response = await listArtifactsInternal(false)
+      expect(response).toEqual({
+        artifacts: []
+      })
+    })
+
+    it('should fail if non-200 response', async () => {
+      jest
+        .spyOn(ArtifactServiceClientJSON.prototype, 'ListArtifacts')
+        .mockRejectedValue(new Error('boom'))
+      await expect(listArtifactsInternal(false)).rejects.toThrow('boom')
+    })
+  })
+})
--- a/packages/artifact/tests/path-and-artifact-name-validation.test.ts
+++ b/packages/artifact/tests/path-and-artifact-name-validation.test.ts
@ -3,15 +3,11 @@ import {
  validateFilePath
 } from '../src/internal/upload/path-and-artifact-name-validation'

-import * as core from '@actions/core'
+import {noopLogs} from './common'

 describe('Path and artifact name validation', () => {
  beforeAll(() => {
-    // mock all output so that there is less noise when running tests
-    jest.spyOn(console, 'log').mockImplementation(() => {})
-    jest.spyOn(core, 'debug').mockImplementation(() => {})
-    jest.spyOn(core, 'info').mockImplementation(() => {})
-    jest.spyOn(core, 'warning').mockImplementation(() => {})
+    noopLogs()
  })

  it('Check Artifact Name for any invalid characters', () => {
--- a/packages/artifact/tests/upload-artifact.test.ts
+++ b/packages/artifact/tests/upload-artifact.test.ts
@ -1,264 +1,173 @@
-import * as core from '@actions/core'
 import * as uploadZipSpecification from '../src/internal/upload/upload-zip-specification'
 import * as zip from '../src/internal/upload/zip'
 import * as util from '../src/internal/shared/util'
-import * as retention from '../src/internal/upload/retention'
 import * as config from '../src/internal/shared/config'
-import {Timestamp, ArtifactServiceClientJSON} from '../src/generated'
+import {ArtifactServiceClientJSON} from '../src/generated'
 import * as blobUpload from '../src/internal/upload/blob-upload'
 import {uploadArtifact} from '../src/internal/upload/upload-artifact'
+import {noopLogs} from './common'
+import {FilesNotFoundError} from '../src/internal/shared/errors'
+import {BlockBlobUploadStreamOptions} from '@azure/storage-blob'
+import * as fs from 'fs'
+import * as path from 'path'
+import unzip from 'unzip-stream'
+
+const uploadStreamMock = jest.fn()
+const blockBlobClientMock = jest.fn().mockImplementation(() => ({
+  uploadStream: uploadStreamMock
+}))
+
+jest.mock('@azure/storage-blob', () => ({
+  BlobClient: jest.fn().mockImplementation(() => {
+    return {
+      getBlockBlobClient: blockBlobClientMock
+    }
+  })
+}))
+
+const fixtures = {
+  uploadDirectory: path.join(__dirname, '_temp', 'plz-upload'),
+  files: [
+    {name: 'file1.txt', content: 'test 1 file content'},
+    {name: 'file2.txt', content: 'test 2 file content'},
+    {name: 'file3.txt', content: 'test 3 file content'},
+    {
+      name: 'real.txt',
+      content: 'from a symlink'
+    },
+    {
+      name: 'relative.txt',
+      content: 'from a symlink',
+      symlink: 'real.txt',
+      relative: true
+    },
+    {
+      name: 'absolute.txt',
+      content: 'from a symlink',
+      symlink: 'real.txt',
+      relative: false
+    }
+  ],
+  backendIDs: {
+    workflowRunBackendId: '67dbcc20-e851-4452-a7c3-2cc0d2e0ec67',
+    workflowJobRunBackendId: '5f49179d-3386-4c38-85f7-00f8138facd0'
+  },
+  runtimeToken: 'test-token',
+  resultsServiceURL: 'http://results.local',
+  inputs: {
+    artifactName: 'test-artifact',
+    files: [
+      '/home/user/files/plz-upload/file1.txt',
+      '/home/user/files/plz-upload/file2.txt',
+      '/home/user/files/plz-upload/dir/file3.txt'
+    ],
+    rootDirectory: '/home/user/files/plz-upload'
+  }
+}

 describe('upload-artifact', () => {
+  beforeAll(() => {
+    fs.mkdirSync(fixtures.uploadDirectory, {
+      recursive: true
+    })
+
+    for (const file of fixtures.files) {
+      if (file.symlink) {
+        let symlinkPath = file.symlink
+        if (!file.relative) {
+          symlinkPath = path.join(fixtures.uploadDirectory, file.symlink)
+        }
+
+        if (!fs.existsSync(path.join(fixtures.uploadDirectory, file.name))) {
+          fs.symlinkSync(
+            symlinkPath,
+            path.join(fixtures.uploadDirectory, file.name),
+            'file'
+          )
+        }
+      } else {
+        fs.writeFileSync(
+          path.join(fixtures.uploadDirectory, file.name),
+          file.content
+        )
+      }
+    }
+  })
+
  beforeEach(() => {
-    // mock all output so that there is less noise when running tests
-    jest.spyOn(console, 'log').mockImplementation(() => {})
-    jest.spyOn(core, 'debug').mockImplementation(() => {})
-    jest.spyOn(core, 'info').mockImplementation(() => {})
-    jest.spyOn(core, 'warning').mockImplementation(() => {})
+    noopLogs()
+    jest
+      .spyOn(uploadZipSpecification, 'validateRootDirectory')
+      .mockReturnValue()
+    jest
+      .spyOn(util, 'getBackendIdsFromToken')
+      .mockReturnValue(fixtures.backendIDs)
+    jest
+      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
+      .mockReturnValue(
+        fixtures.files.map(file => ({
+          sourcePath: path.join(fixtures.uploadDirectory, file.name),
+          destinationPath: file.name,
+          stats: fs.statSync(path.join(fixtures.uploadDirectory, file.name))
+        }))
+      )
+    jest.spyOn(config, 'getRuntimeToken').mockReturnValue(fixtures.runtimeToken)
+    jest
+      .spyOn(config, 'getResultsServiceUrl')
+      .mockReturnValue(fixtures.resultsServiceURL)
  })

  afterEach(() => {
    jest.restoreAllMocks()
  })

-  it('should successfully upload an artifact', () => {
-    const mockDate = new Date('2020-01-01')
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockReturnValue()
-    jest
-      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
-      .mockReturnValue([
-        {
-          sourcePath: '/home/user/files/plz-upload/file1.txt',
-          destinationPath: 'file1.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/file2.txt',
-          destinationPath: 'file2.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/dir/file3.txt',
-          destinationPath: 'dir/file3.txt'
-        }
-      ])
-
-    jest
-      .spyOn(zip, 'createZipUploadStream')
-      .mockReturnValue(Promise.resolve(new zip.ZipUploadStream(1)))
-    jest.spyOn(util, 'getBackendIdsFromToken').mockReturnValue({
-      workflowRunBackendId: '1234',
-      workflowJobRunBackendId: '5678'
-    })
-    jest
-      .spyOn(retention, 'getExpiration')
-      .mockReturnValue(Timestamp.fromDate(mockDate))
-    jest
-      .spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
-      .mockReturnValue(
-        Promise.resolve({
-          ok: true,
-          signedUploadUrl: 'https://signed-upload-url.com'
-        })
-      )
-    jest.spyOn(blobUpload, 'uploadZipToBlobStorage').mockReturnValue(
-      Promise.resolve({
-        isSuccess: true,
-        uploadSize: 1234,
-        md5Hash: 'test-md5-hash'
-      })
-    )
-    jest
-      .spyOn(ArtifactServiceClientJSON.prototype, 'FinalizeArtifact')
-      .mockReturnValue(Promise.resolve({ok: true, artifactId: '1'}))
-
-    // ArtifactHttpClient mocks
-    jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
-    jest
-      .spyOn(config, 'getResultsServiceUrl')
-      .mockReturnValue('https://test-url.com')
-
-    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
-    )
-
-    expect(uploadResp).resolves.toEqual({success: true, size: 1234, id: 1})
-  })
-
-  it('should throw an error if the root directory is invalid', () => {
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockImplementation(() => {
-        throw new Error('Invalid root directory')
-      })
-
-    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
-    )
-
-    expect(uploadResp).rejects.toThrow('Invalid root directory')
-  })
-
-  it('should return false if there are no files to upload', () => {
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockReturnValue()
+  it('should reject if there are no files to upload', async () => {
    jest
      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
+      .mockClear()
      .mockReturnValue([])

    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
+      fixtures.inputs.artifactName,
+      fixtures.inputs.files,
+      fixtures.inputs.rootDirectory
    )
-    expect(uploadResp).resolves.toEqual({success: false})
+    await expect(uploadResp).rejects.toThrowError(FilesNotFoundError)
  })

-  it('should return false if no backend IDs are found', () => {
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockReturnValue()
-    jest
-      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
-      .mockReturnValue([
-        {
-          sourcePath: '/home/user/files/plz-upload/file1.txt',
-          destinationPath: 'file1.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/file2.txt',
-          destinationPath: 'file2.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/dir/file3.txt',
-          destinationPath: 'dir/file3.txt'
-        }
-      ])
-
-    jest
-      .spyOn(zip, 'createZipUploadStream')
-      .mockReturnValue(Promise.resolve(new zip.ZipUploadStream(1)))
-    jest
-      .spyOn(util, 'getBackendIdsFromToken')
-      .mockReturnValue({workflowRunBackendId: '', workflowJobRunBackendId: ''})
+  it('should reject if no backend IDs are found', async () => {
+    jest.spyOn(util, 'getBackendIdsFromToken').mockRestore()

    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
+      fixtures.inputs.artifactName,
+      fixtures.inputs.files,
+      fixtures.inputs.rootDirectory
    )

-    expect(uploadResp).resolves.toEqual({success: false})
+    await expect(uploadResp).rejects.toThrow()
  })

-  it('should return false if the creation request fails', () => {
-    const mockDate = new Date('2020-01-01')
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockReturnValue()
-    jest
-      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
-      .mockReturnValue([
-        {
-          sourcePath: '/home/user/files/plz-upload/file1.txt',
-          destinationPath: 'file1.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/file2.txt',
-          destinationPath: 'file2.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/dir/file3.txt',
-          destinationPath: 'dir/file3.txt'
-        }
-      ])
-
+  it('should return false if the creation request fails', async () => {
    jest
      .spyOn(zip, 'createZipUploadStream')
      .mockReturnValue(Promise.resolve(new zip.ZipUploadStream(1)))
-    jest.spyOn(util, 'getBackendIdsFromToken').mockReturnValue({
-      workflowRunBackendId: '1234',
-      workflowJobRunBackendId: '5678'
-    })
-    jest
-      .spyOn(retention, 'getExpiration')
-      .mockReturnValue(Timestamp.fromDate(mockDate))
    jest
      .spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
      .mockReturnValue(Promise.resolve({ok: false, signedUploadUrl: ''}))

-    // ArtifactHttpClient mocks
-    jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
-    jest
-      .spyOn(config, 'getResultsServiceUrl')
-      .mockReturnValue('https://test-url.com')
-
    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
+      fixtures.inputs.artifactName,
+      fixtures.inputs.files,
+      fixtures.inputs.rootDirectory
    )

-    expect(uploadResp).resolves.toEqual({success: false})
+    await expect(uploadResp).rejects.toThrow()
  })

-  it('should return false if blob storage upload is unsuccessful', () => {
-    const mockDate = new Date('2020-01-01')
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockReturnValue()
-    jest
-      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
-      .mockReturnValue([
-        {
-          sourcePath: '/home/user/files/plz-upload/file1.txt',
-          destinationPath: 'file1.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/file2.txt',
-          destinationPath: 'file2.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/dir/file3.txt',
-          destinationPath: 'dir/file3.txt'
-        }
-      ])
-
+  it('should return false if blob storage upload is unsuccessful', async () => {
    jest
      .spyOn(zip, 'createZipUploadStream')
      .mockReturnValue(Promise.resolve(new zip.ZipUploadStream(1)))
-    jest.spyOn(util, 'getBackendIdsFromToken').mockReturnValue({
-      workflowRunBackendId: '1234',
-      workflowJobRunBackendId: '5678'
-    })
-    jest
-      .spyOn(retention, 'getExpiration')
-      .mockReturnValue(Timestamp.fromDate(mockDate))
    jest
      .spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
      .mockReturnValue(
@ -269,59 +178,21 @@ describe('upload-artifact', () => {
      )
    jest
      .spyOn(blobUpload, 'uploadZipToBlobStorage')
-      .mockReturnValue(Promise.resolve({isSuccess: false}))
-
-    // ArtifactHttpClient mocks
-    jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
-    jest
-      .spyOn(config, 'getResultsServiceUrl')
-      .mockReturnValue('https://test-url.com')
+      .mockReturnValue(Promise.reject(new Error('boom')))

    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
+      fixtures.inputs.artifactName,
+      fixtures.inputs.files,
+      fixtures.inputs.rootDirectory
    )

-    expect(uploadResp).resolves.toEqual({success: false})
+    await expect(uploadResp).rejects.toThrow()
  })

-  it('should return false if finalize artifact fails', () => {
-    const mockDate = new Date('2020-01-01')
-    jest
-      .spyOn(uploadZipSpecification, 'validateRootDirectory')
-      .mockReturnValue()
-    jest
-      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
-      .mockReturnValue([
-        {
-          sourcePath: '/home/user/files/plz-upload/file1.txt',
-          destinationPath: 'file1.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/file2.txt',
-          destinationPath: 'file2.txt'
-        },
-        {
-          sourcePath: '/home/user/files/plz-upload/dir/file3.txt',
-          destinationPath: 'dir/file3.txt'
-        }
-      ])
-
+  it('should reject if finalize artifact fails', async () => {
    jest
      .spyOn(zip, 'createZipUploadStream')
      .mockReturnValue(Promise.resolve(new zip.ZipUploadStream(1)))
-    jest.spyOn(util, 'getBackendIdsFromToken').mockReturnValue({
-      workflowRunBackendId: '1234',
-      workflowJobRunBackendId: '5678'
-    })
-    jest
-      .spyOn(retention, 'getExpiration')
-      .mockReturnValue(Timestamp.fromDate(mockDate))
    jest
      .spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
      .mockReturnValue(
@ -332,31 +203,171 @@ describe('upload-artifact', () => {
      )
    jest.spyOn(blobUpload, 'uploadZipToBlobStorage').mockReturnValue(
      Promise.resolve({
-        isSuccess: true,
        uploadSize: 1234,
-        md5Hash: 'test-md5-hash'
+        sha256Hash: 'test-sha256-hash'
      })
    )
    jest
      .spyOn(ArtifactServiceClientJSON.prototype, 'FinalizeArtifact')
      .mockReturnValue(Promise.resolve({ok: false, artifactId: ''}))

-    // ArtifactHttpClient mocks
-    jest.spyOn(config, 'getRuntimeToken').mockReturnValue('test-token')
-    jest
-      .spyOn(config, 'getResultsServiceUrl')
-      .mockReturnValue('https://test-url.com')
-
    const uploadResp = uploadArtifact(
-      'test-artifact',
-      [
-        '/home/user/files/plz-upload/file1.txt',
-        '/home/user/files/plz-upload/file2.txt',
-        '/home/user/files/plz-upload/dir/file3.txt'
-      ],
-      '/home/user/files/plz-upload'
+      fixtures.inputs.artifactName,
+      fixtures.inputs.files,
+      fixtures.inputs.rootDirectory
    )

-    expect(uploadResp).resolves.toEqual({success: false})
+    await expect(uploadResp).rejects.toThrow()
+  })
+
+  it('should successfully upload an artifact', async () => {
+    jest
+      .spyOn(uploadZipSpecification, 'getUploadZipSpecification')
+      .mockRestore()
+
+    jest
+      .spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
+      .mockReturnValue(
+        Promise.resolve({
+          ok: true,
+          signedUploadUrl: 'https://signed-upload-url.local'
+        })
+      )
+    jest
+      .spyOn(ArtifactServiceClientJSON.prototype, 'FinalizeArtifact')
+      .mockReturnValue(
+        Promise.resolve({
+          ok: true,
+          artifactId: '1'
+        })
+      )
+
+    let loadedBytes = 0
+    const uploadedZip = path.join(
+      fixtures.uploadDirectory,
+      '..',
+      'uploaded.zip'
+    )
+    uploadStreamMock.mockImplementation(
+      async (
+        stream: NodeJS.ReadableStream,
+        bufferSize?: number,
+        maxConcurrency?: number,
+        options?: BlockBlobUploadStreamOptions
+      ) => {
+        const {onProgress} = options || {}
+
+        if (fs.existsSync(uploadedZip)) {
+          fs.unlinkSync(uploadedZip)
+        }
+        const uploadedZipStream = fs.createWriteStream(uploadedZip)
+
+        onProgress?.({loadedBytes: 0})
+        return new Promise((resolve, reject) => {
+          stream.on('data', chunk => {
+            loadedBytes += chunk.length
+            uploadedZipStream.write(chunk)
+            onProgress?.({loadedBytes})
+          })
+          stream.on('end', () => {
+            onProgress?.({loadedBytes})
+            uploadedZipStream.end()
+            resolve({})
+          })
+          stream.on('error', err => {
+            reject(err)
+          })
+        })
+      }
+    )
+
+    const {id, size, digest} = await uploadArtifact(
+      fixtures.inputs.artifactName,
+      fixtures.files.map(file =>
+        path.join(fixtures.uploadDirectory, file.name)
+      ),
+      fixtures.uploadDirectory
+    )
+
+    expect(id).toBe(1)
+    expect(size).toBe(loadedBytes)
+    expect(digest).toBeDefined()
+    expect(digest).toHaveLength(64)
+
+    const extractedDirectory = path.join(
+      fixtures.uploadDirectory,
+      '..',
+      'extracted'
+    )
+    if (fs.existsSync(extractedDirectory)) {
+      fs.rmdirSync(extractedDirectory, {recursive: true})
+    }
+
+    const extract = new Promise((resolve, reject) => {
+      fs.createReadStream(uploadedZip)
+        .pipe(unzip.Extract({path: extractedDirectory}))
+        .on('close', () => {
+          resolve(true)
+        })
+        .on('error', err => {
+          reject(err)
+        })
+    })
+
+    await expect(extract).resolves.toBe(true)
+    for (const file of fixtures.files) {
+      const filePath = path.join(extractedDirectory, file.name)
+      expect(fs.existsSync(filePath)).toBe(true)
+      expect(fs.readFileSync(filePath, 'utf8')).toBe(file.content)
+    }
+  })
+
+  it('should throw an error uploading blob chunks get delayed', async () => {
+    jest
+      .spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
+      .mockReturnValue(
+        Promise.resolve({
+          ok: true,
+          signedUploadUrl: 'https://signed-upload-url.local'
+        })
+      )
+    jest
+      .spyOn(ArtifactServiceClientJSON.prototype, 'FinalizeArtifact')
+      .mockReturnValue(
+        Promise.resolve({
+          ok: true,
+          artifactId: '1'
+        })
+      )
+    jest
+      .spyOn(config, 'getResultsServiceUrl')
+      .mockReturnValue('https://results.local')
+
+    jest.spyOn(config, 'getUploadChunkTimeout').mockReturnValue(2_000)
+
+    uploadStreamMock.mockImplementation(
+      async (
+        stream: NodeJS.ReadableStream,
+        bufferSize?: number,
+        maxConcurrency?: number,
+        options?: BlockBlobUploadStreamOptions
+      ) => {
+        const {onProgress, abortSignal} = options || {}
+        onProgress?.({loadedBytes: 0})
+        return new Promise(resolve => {
+          abortSignal?.addEventListener('abort', () => {
+            resolve({})
+          })
+        })
+      }
+    )
+
+    const uploadResp = uploadArtifact(
+      fixtures.inputs.artifactName,
+      fixtures.inputs.files,
+      fixtures.inputs.rootDirectory
+    )
+
+    await expect(uploadResp).rejects.toThrow('Upload progress stalled.')
  })
 })
--- a/packages/artifact/tests/upload-zip-specification.test.ts
+++ b/packages/artifact/tests/upload-zip-specification.test.ts
@ -1,11 +1,11 @@
 import * as io from '../../io/src/io'
 import * as path from 'path'
 import {promises as fs} from 'fs'
-import * as core from '@actions/core'
 import {
  getUploadZipSpecification,
  validateRootDirectory
 } from '../src/internal/upload/upload-zip-specification'
+import {noopLogs} from './common'

 const root = path.join(__dirname, '_temp', 'upload-specification')
 const goodItem1Path = path.join(
@ -51,11 +51,7 @@ const artifactFilesToUpload = [

 describe('Search', () => {
  beforeAll(async () => {
-    // mock all output so that there is less noise when running tests
-    jest.spyOn(console, 'log').mockImplementation(() => {})
-    jest.spyOn(core, 'debug').mockImplementation(() => {})
-    jest.spyOn(core, 'info').mockImplementation(() => {})
-    jest.spyOn(core, 'warning').mockImplementation(() => {})
+    noopLogs()

    // clear temp directory
    await io.rmRF(root)
@ -309,4 +305,22 @@ describe('Search', () => {
      }
    }
  })
+
+  it('Upload Specification - Includes symlinks', async () => {
+    const targetPath = path.join(root, 'link-dir', 'symlink-me.txt')
+    await fs.mkdir(path.dirname(targetPath), {recursive: true})
+    await fs.writeFile(targetPath, 'symlink file content')
+
+    const uploadPath = path.join(root, 'upload-dir', 'symlink.txt')
+    await fs.mkdir(path.dirname(uploadPath), {recursive: true})
+    await fs.symlink(targetPath, uploadPath, 'file')
+
+    const specifications = getUploadZipSpecification([uploadPath], root)
+    expect(specifications.length).toEqual(1)
+    expect(specifications[0].sourcePath).toEqual(uploadPath)
+    expect(specifications[0].destinationPath).toEqual(
+      path.join('/upload-dir', 'symlink.txt')
+    )
+    expect(specifications[0].stats.isSymbolicLink()).toBe(true)
+  })
 })
--- a/packages/artifact/tests/util.test.ts
+++ b/packages/artifact/tests/util.test.ts
@ -1,13 +1,14 @@
 import * as config from '../src/internal/shared/config'
 import * as util from '../src/internal/shared/util'
+import {maskSigUrl, maskSecretUrls} from '../src/internal/shared/util'
+import {setSecret, debug} from '@actions/core'
+
+export const testRuntimeToken =
+  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwic2NwIjoiQWN0aW9ucy5FeGFtcGxlIEFjdGlvbnMuQW5vdGhlckV4YW1wbGU6dGVzdCBBY3Rpb25zLlJlc3VsdHM6Y2U3ZjU0YzctNjFjNy00YWFlLTg4N2YtMzBkYTQ3NWY1ZjFhOmNhMzk1MDg1LTA0MGEtNTI2Yi0yY2U4LWJkYzg1ZjY5Mjc3NCIsImlhdCI6MTUxNjIzOTAyMn0.XYnI_wHPBlUi1mqYveJnnkJhp4dlFjqxzRmISPsqfw8'

 describe('get-backend-ids-from-token', () => {
  it('should return backend ids when the token is valid', () => {
-    jest
-      .spyOn(config, 'getRuntimeToken')
-      .mockReturnValue(
-        'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwic2NwIjoiQWN0aW9ucy5FeGFtcGxlIEFjdGlvbnMuQW5vdGhlckV4YW1wbGU6dGVzdCBBY3Rpb25zLlJlc3VsdHM6Y2U3ZjU0YzctNjFjNy00YWFlLTg4N2YtMzBkYTQ3NWY1ZjFhOmNhMzk1MDg1LTA0MGEtNTI2Yi0yY2U4LWJkYzg1ZjY5Mjc3NCIsImlhdCI6MTUxNjIzOTAyMn0.XYnI_wHPBlUi1mqYveJnnkJhp4dlFjqxzRmISPsqfw8'
-      )
+    jest.spyOn(config, 'getRuntimeToken').mockReturnValue(testRuntimeToken)

    const backendIds = util.getBackendIdsFromToken()
    expect(backendIds.workflowRunBackendId).toBe(
@ -60,3 +61,159 @@ describe('get-backend-ids-from-token', () => {
    )
  })
 })
+
+jest.mock('@actions/core')
+
+describe('maskSigUrl', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('does nothing if no sig parameter is present', () => {
+    const url = 'https://example.com'
+    maskSigUrl(url)
+    expect(setSecret).not.toHaveBeenCalled()
+  })
+
+  it('masks the sig parameter in the middle of the URL and sets it as a secret', () => {
+    const url = 'https://example.com/?param1=value1&sig=12345&param2=value2'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('12345')
+    expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
+  })
+
+  it('does nothing if the URL is empty', () => {
+    const url = ''
+    maskSigUrl(url)
+    expect(setSecret).not.toHaveBeenCalled()
+  })
+
+  it('handles URLs with fragments', () => {
+    const url = 'https://example.com?sig=12345#fragment'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('12345')
+    expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
+  })
+})
+
+describe('maskSigUrl handles special characters in signatures', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('handles signatures with slashes', () => {
+    const url = 'https://example.com/?sig=abc/123'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('abc/123')
+    expect(setSecret).toHaveBeenCalledWith('abc%2F123')
+  })
+
+  it('handles signatures with plus signs', () => {
+    const url = 'https://example.com/?sig=abc+123'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('abc 123')
+    expect(setSecret).toHaveBeenCalledWith('abc%20123')
+  })
+
+  it('handles signatures with equals signs', () => {
+    const url = 'https://example.com/?sig=abc=123'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('abc=123')
+    expect(setSecret).toHaveBeenCalledWith('abc%3D123')
+  })
+
+  it('handles already percent-encoded signatures', () => {
+    const url = 'https://example.com/?sig=abc%2F123%3D'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('abc/123=')
+    expect(setSecret).toHaveBeenCalledWith('abc%2F123%3D')
+  })
+
+  it('handles complex Azure SAS signatures', () => {
+    const url =
+      'https://example.com/container/file.txt?sig=nXyQIUj%2F%2F06Cxt80pBRYiiJlYqtPYg5sz%2FvEh5iHAhw%3D&se=2023-12-31'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith(
+      'nXyQIUj//06Cxt80pBRYiiJlYqtPYg5sz/vEh5iHAhw='
+    )
+    expect(setSecret).toHaveBeenCalledWith(
+      'nXyQIUj%2F%2F06Cxt80pBRYiiJlYqtPYg5sz%2FvEh5iHAhw%3D'
+    )
+  })
+
+  it('handles signatures with multiple special characters', () => {
+    const url = 'https://example.com/?sig=a/b+c=d&e=f'
+    maskSigUrl(url)
+    expect(setSecret).toHaveBeenCalledWith('a/b c=d')
+    expect(setSecret).toHaveBeenCalledWith('a%2Fb%20c%3Dd')
+  })
+})
+
+describe('maskSecretUrls', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('masks sig parameters in signed_upload_url and signed_url', () => {
+    const body = {
+      signed_upload_url: 'https://upload.com?sig=upload123',
+      signed_url: 'https://download.com?sig=download123'
+    }
+    maskSecretUrls(body)
+    expect(setSecret).toHaveBeenCalledWith('upload123')
+    expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('upload123'))
+    expect(setSecret).toHaveBeenCalledWith('download123')
+    expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('download123'))
+  })
+
+  it('handles case where only upload_url is present', () => {
+    const body = {
+      signed_upload_url: 'https://upload.com?sig=upload123'
+    }
+    maskSecretUrls(body)
+    expect(setSecret).toHaveBeenCalledWith('upload123')
+    expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('upload123'))
+  })
+
+  it('handles case where only download_url is present', () => {
+    const body = {
+      signed_url: 'https://download.com?sig=download123'
+    }
+    maskSecretUrls(body)
+    expect(setSecret).toHaveBeenCalledWith('download123')
+    expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('download123'))
+  })
+
+  it('handles case where URLs do not contain sig parameters', () => {
+    const body = {
+      signed_upload_url: 'https://upload.com?token=abc',
+      signed_url: 'https://download.com?token=xyz'
+    }
+    maskSecretUrls(body)
+    expect(setSecret).not.toHaveBeenCalled()
+  })
+
+  it('handles empty string URLs', () => {
+    const body = {
+      signed_upload_url: '',
+      signed_url: ''
+    }
+    maskSecretUrls(body)
+    expect(setSecret).not.toHaveBeenCalled()
+  })
+
+  it('does nothing if body is not an object or is null', () => {
+    maskSecretUrls(null)
+    expect(debug).toHaveBeenCalledWith('body is not an object or is null')
+    expect(setSecret).not.toHaveBeenCalled()
+  })
+
+  it('does nothing if signed_upload_url and signed_url are not strings', () => {
+    const body = {
+      signed_upload_url: 123,
+      signed_url: 456
+    }
+    maskSecretUrls(body)
+    expect(setSecret).not.toHaveBeenCalled()
+  })
+})
--- a/packages/artifact/docs/docs.md
+++ b/packages/artifact/docs/docs.md
@ -1 +0,0 @@
-Docs will be added here once development of version `2.0.0` has finished
--- a/packages/artifact/docs/faq.md
+++ b/packages/artifact/docs/faq.md
@ -0,0 +1,62 @@
+# Frequently Asked Questions
+
+- [Frequently Asked Questions](#frequently-asked-questions)
+  - [Supported Characters](#supported-characters)
+  - [Compression? ZIP? How is my artifact stored?](#compression-zip-how-is-my-artifact-stored)
+  - [Which versions of the artifacts packages are compatible?](#which-versions-of-the-artifacts-packages-are-compatible)
+  - [How long will my artifact be available?](#how-long-will-my-artifact-be-available)
+
+## Supported Characters
+
+When uploading an artifact, the inputted `name` parameter along with the files specified in `files` cannot contain any of the following characters. If they are present in `name` or `files`,  the Artifact will be rejected by the server and the upload will fail. These characters are not allowed due to limitations and restrictions with certain file systems such as NTFS. To maintain platform-agnostic behavior, characters that are not supported by an individual filesystem/platform will not be supported on all filesystems/platforms.
+
+- "
+- :
+- <
+- \>
+- |
+- \*
+- ?
+
+In addition to the aforementioned characters, the inputted `name` also cannot include the following
+- \
+- /
+
+## Compression? ZIP? How is my artifact stored?
+
+When creating an Artifact, the files are dynamically compressed and streamed into a ZIP archive. Since they are stored in a ZIP, they can be compressed by Zlib in varying levels.
+
+The value can range from 0 to 9:
+
+- 0: No compression
+- 1: Best speed
+- 6: Default compression (same as GNU Gzip)
+- 9: Best compression
+
+Higher levels will result in better compression, but will take longer to complete.
+For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads.
+
+## Which versions of the artifacts packages are compatible?
+[actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact), leverage [GitHub Actions toolkit](https://github.com/actions/toolkit) and are typically used together to upload and download artifacts in your workflows.
+
+| upload-artifact | download-artifact | toolkit |
+|---|---|---|
+| v4 | v4 | v2 |
+| < v3 | < v3 | < v1 |
+
+Use matching versions of `actions/upload-artifact` and `actions/download-artifact` to ensure compatibility.
+
+In your GitHub Actions workflow YAML file, you specify the version of the actions you want to use. For example:
+
+```yaml
+  uses: actions/upload-artifact@v4
+  # ...
+  uses: actions/download-artifact@v4
+  # ...
+```
+
+**Release Notes:**
+Check the release notes for each repository to see if there are any specific notes about compatibility or changes in behavior.
+
+## How long will my artifact be available?
+The default retention period is **90 days**. For more information, visit: https://github.com/actions/upload-artifact?tab=readme-ov-file#retention-period 
--- a/packages/artifact/docs/generated/README.md
+++ b/packages/artifact/docs/generated/README.md
@ -0,0 +1,43 @@
+@actions/artifact
+
+# @actions/artifact
+
+## Table of contents
+
+### Classes
+
+- [ArtifactNotFoundError](classes/ArtifactNotFoundError.md)
+- [DefaultArtifactClient](classes/DefaultArtifactClient.md)
+- [FilesNotFoundError](classes/FilesNotFoundError.md)
+- [GHESNotSupportedError](classes/GHESNotSupportedError.md)
+- [InvalidResponseError](classes/InvalidResponseError.md)
+- [NetworkError](classes/NetworkError.md)
+- [UsageError](classes/UsageError.md)
+
+### Interfaces
+
+- [Artifact](interfaces/Artifact.md)
+- [ArtifactClient](interfaces/ArtifactClient.md)
+- [DeleteArtifactResponse](interfaces/DeleteArtifactResponse.md)
+- [DownloadArtifactOptions](interfaces/DownloadArtifactOptions.md)
+- [DownloadArtifactResponse](interfaces/DownloadArtifactResponse.md)
+- [FindOptions](interfaces/FindOptions.md)
+- [GetArtifactResponse](interfaces/GetArtifactResponse.md)
+- [ListArtifactsOptions](interfaces/ListArtifactsOptions.md)
+- [ListArtifactsResponse](interfaces/ListArtifactsResponse.md)
+- [UploadArtifactOptions](interfaces/UploadArtifactOptions.md)
+- [UploadArtifactResponse](interfaces/UploadArtifactResponse.md)
+
+### Variables
+
+- [default](README.md#default)
+
+## Variables
+
+### default
+
+• `Const` **default**: [`ArtifactClient`](interfaces/ArtifactClient.md)
+
+#### Defined in
+
+[src/artifact.ts:7](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/artifact.ts#L7)
--- a/packages/artifact/docs/generated/classes/ArtifactNotFoundError.md
+++ b/packages/artifact/docs/generated/classes/ArtifactNotFoundError.md
@ -0,0 +1,169 @@
+[@actions/artifact](../README.md) / ArtifactNotFoundError
+
+# Class: ArtifactNotFoundError
+
+## Hierarchy
+
+- `Error`
+
+  ↳ **`ArtifactNotFoundError`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](ArtifactNotFoundError.md#constructor)
+
+### Properties
+
+- [message](ArtifactNotFoundError.md#message)
+- [name](ArtifactNotFoundError.md#name)
+- [stack](ArtifactNotFoundError.md#stack)
+- [prepareStackTrace](ArtifactNotFoundError.md#preparestacktrace)
+- [stackTraceLimit](ArtifactNotFoundError.md#stacktracelimit)
+
+### Methods
+
+- [captureStackTrace](ArtifactNotFoundError.md#capturestacktrace)
+
+## Constructors
+
+### constructor
+
+• **new ArtifactNotFoundError**(`message?`): [`ArtifactNotFoundError`](ArtifactNotFoundError.md)
+
+#### Parameters
+
+| Name | Type | Default value |
+| :------ | :------ | :------ |
+| `message` | `string` | `'Artifact not found'` |
+
+#### Returns
+
+[`ArtifactNotFoundError`](ArtifactNotFoundError.md)
+
+#### Overrides
+
+Error.constructor
+
+#### Defined in
+
+[src/internal/shared/errors.ts:24](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L24)
+
+## Properties
+
+### message
+
+• **message**: `string`
+
+#### Inherited from
+
+Error.message
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1068
+
+___
+
+### name
+
+• **name**: `string`
+
+#### Inherited from
+
+Error.name
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1067
+
+___
+
+### stack
+
+• `Optional` **stack**: `string`
+
+#### Inherited from
+
+Error.stack
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1069
+
+___
+
+### prepareStackTrace
+
+▪ `Static` `Optional` **prepareStackTrace**: (`err`: `Error`, `stackTraces`: `CallSite`[]) => `any`
+
+#### Type declaration
+
+▸ (`err`, `stackTraces`): `any`
+
+Optional override for formatting stack traces
+
+##### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `err` | `Error` |
+| `stackTraces` | `CallSite`[] |
+
+##### Returns
+
+`any`
+
+**`See`**
+
+https://v8.dev/docs/stack-trace-api#customizing-stack-traces
+
+#### Inherited from
+
+Error.prepareStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:11
+
+___
+
+### stackTraceLimit
+
+▪ `Static` **stackTraceLimit**: `number`
+
+#### Inherited from
+
+Error.stackTraceLimit
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:13
+
+## Methods
+
+### captureStackTrace
+
+▸ **captureStackTrace**(`targetObject`, `constructorOpt?`): `void`
+
+Create .stack property on a target object
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `targetObject` | `object` |
+| `constructorOpt?` | `Function` |
+
+#### Returns
+
+`void`
+
+#### Inherited from
+
+Error.captureStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:4
--- a/packages/artifact/docs/generated/classes/DefaultArtifactClient.md
+++ b/packages/artifact/docs/generated/classes/DefaultArtifactClient.md
@ -0,0 +1,193 @@
+[@actions/artifact](../README.md) / DefaultArtifactClient
+
+# Class: DefaultArtifactClient
+
+The default artifact client that is used by the artifact action(s).
+
+## Implements
+
+- [`ArtifactClient`](../interfaces/ArtifactClient.md)
+
+## Table of contents
+
+### Constructors
+
+- [constructor](DefaultArtifactClient.md#constructor)
+
+### Methods
+
+- [deleteArtifact](DefaultArtifactClient.md#deleteartifact)
+- [downloadArtifact](DefaultArtifactClient.md#downloadartifact)
+- [getArtifact](DefaultArtifactClient.md#getartifact)
+- [listArtifacts](DefaultArtifactClient.md#listartifacts)
+- [uploadArtifact](DefaultArtifactClient.md#uploadartifact)
+
+## Constructors
+
+### constructor
+
+• **new DefaultArtifactClient**(): [`DefaultArtifactClient`](DefaultArtifactClient.md)
+
+#### Returns
+
+[`DefaultArtifactClient`](DefaultArtifactClient.md)
+
+## Methods
+
+### deleteArtifact
+
+▸ **deleteArtifact**(`artifactName`, `options?`): `Promise`\<[`DeleteArtifactResponse`](../interfaces/DeleteArtifactResponse.md)\>
+
+Delete an Artifact
+
+If `options.findBy` is specified, this will use the public Delete Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#delete-an-artifact
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `artifactName` | `string` | The name of the artifact to delete |
+| `options?` | [`FindOptions`](../interfaces/FindOptions.md) | Extra options that allow for the customization of the delete behavior |
+
+#### Returns
+
+`Promise`\<[`DeleteArtifactResponse`](../interfaces/DeleteArtifactResponse.md)\>
+
+single DeleteArtifactResponse object
+
+#### Implementation of
+
+[ArtifactClient](../interfaces/ArtifactClient.md).[deleteArtifact](../interfaces/ArtifactClient.md#deleteartifact)
+
+#### Defined in
+
+[src/internal/client.ts:248](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L248)
+
+___
+
+### downloadArtifact
+
+▸ **downloadArtifact**(`artifactId`, `options?`): `Promise`\<[`DownloadArtifactResponse`](../interfaces/DownloadArtifactResponse.md)\>
+
+Downloads an artifact and unzips the content.
+
+If `options.findBy` is specified, this will use the public Download Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#download-an-artifact
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `artifactId` | `number` | The id of the artifact to download |
+| `options?` | [`DownloadArtifactOptions`](../interfaces/DownloadArtifactOptions.md) & [`FindOptions`](../interfaces/FindOptions.md) | Extra options that allow for the customization of the download behavior |
+
+#### Returns
+
+`Promise`\<[`DownloadArtifactResponse`](../interfaces/DownloadArtifactResponse.md)\>
+
+single DownloadArtifactResponse object
+
+#### Implementation of
+
+[ArtifactClient](../interfaces/ArtifactClient.md).[downloadArtifact](../interfaces/ArtifactClient.md#downloadartifact)
+
+#### Defined in
+
+[src/internal/client.ts:138](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L138)
+
+___
+
+### getArtifact
+
+▸ **getArtifact**(`artifactName`, `options?`): `Promise`\<[`GetArtifactResponse`](../interfaces/GetArtifactResponse.md)\>
+
+Finds an artifact by name.
+If there are multiple artifacts with the same name in the same workflow run, this will return the latest.
+If the artifact is not found, it will throw.
+
+If `options.findBy` is specified, this will use the public List Artifacts API with a name filter which can get artifacts from other runs.
+https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
+`@actions/artifact` v2+ does not allow for creating multiple artifacts with the same name in the same workflow run.
+It is possible to have multiple artifacts with the same name in the same workflow run by using old versions of upload-artifact (v1,v2 and v3), @actions/artifact < v2 or it is a rerun.
+If there are multiple artifacts with the same name in the same workflow run this function will return the first artifact that matches the name.
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `artifactName` | `string` | The name of the artifact to find |
+| `options?` | [`FindOptions`](../interfaces/FindOptions.md) | Extra options that allow for the customization of the get behavior |
+
+#### Returns
+
+`Promise`\<[`GetArtifactResponse`](../interfaces/GetArtifactResponse.md)\>
+
+#### Implementation of
+
+[ArtifactClient](../interfaces/ArtifactClient.md).[getArtifact](../interfaces/ArtifactClient.md#getartifact)
+
+#### Defined in
+
+[src/internal/client.ts:212](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L212)
+
+___
+
+### listArtifacts
+
+▸ **listArtifacts**(`options?`): `Promise`\<[`ListArtifactsResponse`](../interfaces/ListArtifactsResponse.md)\>
+
+Lists all artifacts that are part of the current workflow run.
+This function will return at most 1000 artifacts per workflow run.
+
+If `options.findBy` is specified, this will call the public List-Artifacts API which can list from other runs.
+https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `options?` | [`ListArtifactsOptions`](../interfaces/ListArtifactsOptions.md) & [`FindOptions`](../interfaces/FindOptions.md) | Extra options that allow for the customization of the list behavior |
+
+#### Returns
+
+`Promise`\<[`ListArtifactsResponse`](../interfaces/ListArtifactsResponse.md)\>
+
+ListArtifactResponse object
+
+#### Implementation of
+
+[ArtifactClient](../interfaces/ArtifactClient.md).[listArtifacts](../interfaces/ArtifactClient.md#listartifacts)
+
+#### Defined in
+
+[src/internal/client.ts:176](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L176)
+
+___
+
+### uploadArtifact
+
+▸ **uploadArtifact**(`name`, `files`, `rootDirectory`, `options?`): `Promise`\<[`UploadArtifactResponse`](../interfaces/UploadArtifactResponse.md)\>
+
+Uploads an artifact.
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `name` | `string` | The name of the artifact, required |
+| `files` | `string`[] | A list of absolute or relative paths that denote what files should be uploaded |
+| `rootDirectory` | `string` | An absolute or relative file path that denotes the root parent directory of the files being uploaded |
+| `options?` | [`UploadArtifactOptions`](../interfaces/UploadArtifactOptions.md) | Extra options for customizing the upload behavior |
+
+#### Returns
+
+`Promise`\<[`UploadArtifactResponse`](../interfaces/UploadArtifactResponse.md)\>
+
+single UploadArtifactResponse object
+
+#### Implementation of
+
+[ArtifactClient](../interfaces/ArtifactClient.md).[uploadArtifact](../interfaces/ArtifactClient.md#uploadartifact)
+
+#### Defined in
+
+[src/internal/client.ts:113](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L113)
--- a/packages/artifact/docs/generated/classes/FilesNotFoundError.md
+++ b/packages/artifact/docs/generated/classes/FilesNotFoundError.md
@ -0,0 +1,180 @@
+[@actions/artifact](../README.md) / FilesNotFoundError
+
+# Class: FilesNotFoundError
+
+## Hierarchy
+
+- `Error`
+
+  ↳ **`FilesNotFoundError`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](FilesNotFoundError.md#constructor)
+
+### Properties
+
+- [files](FilesNotFoundError.md#files)
+- [message](FilesNotFoundError.md#message)
+- [name](FilesNotFoundError.md#name)
+- [stack](FilesNotFoundError.md#stack)
+- [prepareStackTrace](FilesNotFoundError.md#preparestacktrace)
+- [stackTraceLimit](FilesNotFoundError.md#stacktracelimit)
+
+### Methods
+
+- [captureStackTrace](FilesNotFoundError.md#capturestacktrace)
+
+## Constructors
+
+### constructor
+
+• **new FilesNotFoundError**(`files?`): [`FilesNotFoundError`](FilesNotFoundError.md)
+
+#### Parameters
+
+| Name | Type | Default value |
+| :------ | :------ | :------ |
+| `files` | `string`[] | `[]` |
+
+#### Returns
+
+[`FilesNotFoundError`](FilesNotFoundError.md)
+
+#### Overrides
+
+Error.constructor
+
+#### Defined in
+
+[src/internal/shared/errors.ts:4](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L4)
+
+## Properties
+
+### files
+
+• **files**: `string`[]
+
+#### Defined in
+
+[src/internal/shared/errors.ts:2](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L2)
+
+___
+
+### message
+
+• **message**: `string`
+
+#### Inherited from
+
+Error.message
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1068
+
+___
+
+### name
+
+• **name**: `string`
+
+#### Inherited from
+
+Error.name
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1067
+
+___
+
+### stack
+
+• `Optional` **stack**: `string`
+
+#### Inherited from
+
+Error.stack
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1069
+
+___
+
+### prepareStackTrace
+
+▪ `Static` `Optional` **prepareStackTrace**: (`err`: `Error`, `stackTraces`: `CallSite`[]) => `any`
+
+#### Type declaration
+
+▸ (`err`, `stackTraces`): `any`
+
+Optional override for formatting stack traces
+
+##### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `err` | `Error` |
+| `stackTraces` | `CallSite`[] |
+
+##### Returns
+
+`any`
+
+**`See`**
+
+https://v8.dev/docs/stack-trace-api#customizing-stack-traces
+
+#### Inherited from
+
+Error.prepareStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:11
+
+___
+
+### stackTraceLimit
+
+▪ `Static` **stackTraceLimit**: `number`
+
+#### Inherited from
+
+Error.stackTraceLimit
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:13
+
+## Methods
+
+### captureStackTrace
+
+▸ **captureStackTrace**(`targetObject`, `constructorOpt?`): `void`
+
+Create .stack property on a target object
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `targetObject` | `object` |
+| `constructorOpt?` | `Function` |
+
+#### Returns
+
+`void`
+
+#### Inherited from
+
+Error.captureStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:4
--- a/packages/artifact/docs/generated/classes/GHESNotSupportedError.md
+++ b/packages/artifact/docs/generated/classes/GHESNotSupportedError.md
@ -0,0 +1,169 @@
+[@actions/artifact](../README.md) / GHESNotSupportedError
+
+# Class: GHESNotSupportedError
+
+## Hierarchy
+
+- `Error`
+
+  ↳ **`GHESNotSupportedError`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](GHESNotSupportedError.md#constructor)
+
+### Properties
+
+- [message](GHESNotSupportedError.md#message)
+- [name](GHESNotSupportedError.md#name)
+- [stack](GHESNotSupportedError.md#stack)
+- [prepareStackTrace](GHESNotSupportedError.md#preparestacktrace)
+- [stackTraceLimit](GHESNotSupportedError.md#stacktracelimit)
+
+### Methods
+
+- [captureStackTrace](GHESNotSupportedError.md#capturestacktrace)
+
+## Constructors
+
+### constructor
+
+• **new GHESNotSupportedError**(`message?`): [`GHESNotSupportedError`](GHESNotSupportedError.md)
+
+#### Parameters
+
+| Name | Type | Default value |
+| :------ | :------ | :------ |
+| `message` | `string` | `'@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES.'` |
+
+#### Returns
+
+[`GHESNotSupportedError`](GHESNotSupportedError.md)
+
+#### Overrides
+
+Error.constructor
+
+#### Defined in
+
+[src/internal/shared/errors.ts:31](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L31)
+
+## Properties
+
+### message
+
+• **message**: `string`
+
+#### Inherited from
+
+Error.message
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1068
+
+___
+
+### name
+
+• **name**: `string`
+
+#### Inherited from
+
+Error.name
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1067
+
+___
+
+### stack
+
+• `Optional` **stack**: `string`
+
+#### Inherited from
+
+Error.stack
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1069
+
+___
+
+### prepareStackTrace
+
+▪ `Static` `Optional` **prepareStackTrace**: (`err`: `Error`, `stackTraces`: `CallSite`[]) => `any`
+
+#### Type declaration
+
+▸ (`err`, `stackTraces`): `any`
+
+Optional override for formatting stack traces
+
+##### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `err` | `Error` |
+| `stackTraces` | `CallSite`[] |
+
+##### Returns
+
+`any`
+
+**`See`**
+
+https://v8.dev/docs/stack-trace-api#customizing-stack-traces
+
+#### Inherited from
+
+Error.prepareStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:11
+
+___
+
+### stackTraceLimit
+
+▪ `Static` **stackTraceLimit**: `number`
+
+#### Inherited from
+
+Error.stackTraceLimit
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:13
+
+## Methods
+
+### captureStackTrace
+
+▸ **captureStackTrace**(`targetObject`, `constructorOpt?`): `void`
+
+Create .stack property on a target object
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `targetObject` | `object` |
+| `constructorOpt?` | `Function` |
+
+#### Returns
+
+`void`
+
+#### Inherited from
+
+Error.captureStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:4
--- a/packages/artifact/docs/generated/classes/InvalidResponseError.md
+++ b/packages/artifact/docs/generated/classes/InvalidResponseError.md
@ -0,0 +1,169 @@
+[@actions/artifact](../README.md) / InvalidResponseError
+
+# Class: InvalidResponseError
+
+## Hierarchy
+
+- `Error`
+
+  ↳ **`InvalidResponseError`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](InvalidResponseError.md#constructor)
+
+### Properties
+
+- [message](InvalidResponseError.md#message)
+- [name](InvalidResponseError.md#name)
+- [stack](InvalidResponseError.md#stack)
+- [prepareStackTrace](InvalidResponseError.md#preparestacktrace)
+- [stackTraceLimit](InvalidResponseError.md#stacktracelimit)
+
+### Methods
+
+- [captureStackTrace](InvalidResponseError.md#capturestacktrace)
+
+## Constructors
+
+### constructor
+
+• **new InvalidResponseError**(`message`): [`InvalidResponseError`](InvalidResponseError.md)
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `message` | `string` |
+
+#### Returns
+
+[`InvalidResponseError`](InvalidResponseError.md)
+
+#### Overrides
+
+Error.constructor
+
+#### Defined in
+
+[src/internal/shared/errors.ts:17](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L17)
+
+## Properties
+
+### message
+
+• **message**: `string`
+
+#### Inherited from
+
+Error.message
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1068
+
+___
+
+### name
+
+• **name**: `string`
+
+#### Inherited from
+
+Error.name
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1067
+
+___
+
+### stack
+
+• `Optional` **stack**: `string`
+
+#### Inherited from
+
+Error.stack
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1069
+
+___
+
+### prepareStackTrace
+
+▪ `Static` `Optional` **prepareStackTrace**: (`err`: `Error`, `stackTraces`: `CallSite`[]) => `any`
+
+#### Type declaration
+
+▸ (`err`, `stackTraces`): `any`
+
+Optional override for formatting stack traces
+
+##### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `err` | `Error` |
+| `stackTraces` | `CallSite`[] |
+
+##### Returns
+
+`any`
+
+**`See`**
+
+https://v8.dev/docs/stack-trace-api#customizing-stack-traces
+
+#### Inherited from
+
+Error.prepareStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:11
+
+___
+
+### stackTraceLimit
+
+▪ `Static` **stackTraceLimit**: `number`
+
+#### Inherited from
+
+Error.stackTraceLimit
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:13
+
+## Methods
+
+### captureStackTrace
+
+▸ **captureStackTrace**(`targetObject`, `constructorOpt?`): `void`
+
+Create .stack property on a target object
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `targetObject` | `object` |
+| `constructorOpt?` | `Function` |
+
+#### Returns
+
+`void`
+
+#### Inherited from
+
+Error.captureStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:4
--- a/packages/artifact/docs/generated/classes/NetworkError.md
+++ b/packages/artifact/docs/generated/classes/NetworkError.md
@ -0,0 +1,201 @@
+[@actions/artifact](../README.md) / NetworkError
+
+# Class: NetworkError
+
+## Hierarchy
+
+- `Error`
+
+  ↳ **`NetworkError`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](NetworkError.md#constructor)
+
+### Properties
+
+- [code](NetworkError.md#code)
+- [message](NetworkError.md#message)
+- [name](NetworkError.md#name)
+- [stack](NetworkError.md#stack)
+- [prepareStackTrace](NetworkError.md#preparestacktrace)
+- [stackTraceLimit](NetworkError.md#stacktracelimit)
+
+### Methods
+
+- [captureStackTrace](NetworkError.md#capturestacktrace)
+- [isNetworkErrorCode](NetworkError.md#isnetworkerrorcode)
+
+## Constructors
+
+### constructor
+
+• **new NetworkError**(`code`): [`NetworkError`](NetworkError.md)
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `code` | `string` |
+
+#### Returns
+
+[`NetworkError`](NetworkError.md)
+
+#### Overrides
+
+Error.constructor
+
+#### Defined in
+
+[src/internal/shared/errors.ts:42](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L42)
+
+## Properties
+
+### code
+
+• **code**: `string`
+
+#### Defined in
+
+[src/internal/shared/errors.ts:40](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L40)
+
+___
+
+### message
+
+• **message**: `string`
+
+#### Inherited from
+
+Error.message
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1068
+
+___
+
+### name
+
+• **name**: `string`
+
+#### Inherited from
+
+Error.name
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1067
+
+___
+
+### stack
+
+• `Optional` **stack**: `string`
+
+#### Inherited from
+
+Error.stack
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1069
+
+___
+
+### prepareStackTrace
+
+▪ `Static` `Optional` **prepareStackTrace**: (`err`: `Error`, `stackTraces`: `CallSite`[]) => `any`
+
+#### Type declaration
+
+▸ (`err`, `stackTraces`): `any`
+
+Optional override for formatting stack traces
+
+##### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `err` | `Error` |
+| `stackTraces` | `CallSite`[] |
+
+##### Returns
+
+`any`
+
+**`See`**
+
+https://v8.dev/docs/stack-trace-api#customizing-stack-traces
+
+#### Inherited from
+
+Error.prepareStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:11
+
+___
+
+### stackTraceLimit
+
+▪ `Static` **stackTraceLimit**: `number`
+
+#### Inherited from
+
+Error.stackTraceLimit
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:13
+
+## Methods
+
+### captureStackTrace
+
+▸ **captureStackTrace**(`targetObject`, `constructorOpt?`): `void`
+
+Create .stack property on a target object
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `targetObject` | `object` |
+| `constructorOpt?` | `Function` |
+
+#### Returns
+
+`void`
+
+#### Inherited from
+
+Error.captureStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:4
+
+___
+
+### isNetworkErrorCode
+
+▸ **isNetworkErrorCode**(`code?`): `boolean`
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `code?` | `string` |
+
+#### Returns
+
+`boolean`
+
+#### Defined in
+
+[src/internal/shared/errors.ts:49](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L49)
--- a/packages/artifact/docs/generated/classes/UsageError.md
+++ b/packages/artifact/docs/generated/classes/UsageError.md
@ -0,0 +1,184 @@
+[@actions/artifact](../README.md) / UsageError
+
+# Class: UsageError
+
+## Hierarchy
+
+- `Error`
+
+  ↳ **`UsageError`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](UsageError.md#constructor)
+
+### Properties
+
+- [message](UsageError.md#message)
+- [name](UsageError.md#name)
+- [stack](UsageError.md#stack)
+- [prepareStackTrace](UsageError.md#preparestacktrace)
+- [stackTraceLimit](UsageError.md#stacktracelimit)
+
+### Methods
+
+- [captureStackTrace](UsageError.md#capturestacktrace)
+- [isUsageErrorMessage](UsageError.md#isusageerrormessage)
+
+## Constructors
+
+### constructor
+
+• **new UsageError**(): [`UsageError`](UsageError.md)
+
+#### Returns
+
+[`UsageError`](UsageError.md)
+
+#### Overrides
+
+Error.constructor
+
+#### Defined in
+
+[src/internal/shared/errors.ts:62](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L62)
+
+## Properties
+
+### message
+
+• **message**: `string`
+
+#### Inherited from
+
+Error.message
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1068
+
+___
+
+### name
+
+• **name**: `string`
+
+#### Inherited from
+
+Error.name
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1067
+
+___
+
+### stack
+
+• `Optional` **stack**: `string`
+
+#### Inherited from
+
+Error.stack
+
+#### Defined in
+
+node_modules/typescript/lib/lib.es5.d.ts:1069
+
+___
+
+### prepareStackTrace
+
+▪ `Static` `Optional` **prepareStackTrace**: (`err`: `Error`, `stackTraces`: `CallSite`[]) => `any`
+
+#### Type declaration
+
+▸ (`err`, `stackTraces`): `any`
+
+Optional override for formatting stack traces
+
+##### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `err` | `Error` |
+| `stackTraces` | `CallSite`[] |
+
+##### Returns
+
+`any`
+
+**`See`**
+
+https://v8.dev/docs/stack-trace-api#customizing-stack-traces
+
+#### Inherited from
+
+Error.prepareStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:11
+
+___
+
+### stackTraceLimit
+
+▪ `Static` **stackTraceLimit**: `number`
+
+#### Inherited from
+
+Error.stackTraceLimit
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:13
+
+## Methods
+
+### captureStackTrace
+
+▸ **captureStackTrace**(`targetObject`, `constructorOpt?`): `void`
+
+Create .stack property on a target object
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `targetObject` | `object` |
+| `constructorOpt?` | `Function` |
+
+#### Returns
+
+`void`
+
+#### Inherited from
+
+Error.captureStackTrace
+
+#### Defined in
+
+node_modules/@types/node/globals.d.ts:4
+
+___
+
+### isUsageErrorMessage
+
+▸ **isUsageErrorMessage**(`msg?`): `boolean`
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `msg?` | `string` |
+
+#### Returns
+
+`boolean`
+
+#### Defined in
+
+[src/internal/shared/errors.ts:68](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/errors.ts#L68)
--- a/packages/artifact/docs/generated/interfaces/Artifact.md
+++ b/packages/artifact/docs/generated/interfaces/Artifact.md
@ -0,0 +1,62 @@
+[@actions/artifact](../README.md) / Artifact
+
+# Interface: Artifact
+
+An Actions Artifact
+
+## Table of contents
+
+### Properties
+
+- [createdAt](Artifact.md#createdat)
+- [id](Artifact.md#id)
+- [name](Artifact.md#name)
+- [size](Artifact.md#size)
+
+## Properties
+
+### createdAt
+
+• `Optional` **createdAt**: `Date`
+
+The time when the artifact was created
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:128](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L128)
+
+___
+
+### id
+
+• **id**: `number`
+
+The ID of the artifact
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:118](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L118)
+
+___
+
+### name
+
+• **name**: `string`
+
+The name of the artifact
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:113](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L113)
+
+___
+
+### size
+
+• **size**: `number`
+
+The size of the artifact in bytes
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:123](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L123)
--- a/packages/artifact/docs/generated/interfaces/ArtifactClient.md
+++ b/packages/artifact/docs/generated/interfaces/ArtifactClient.md
@ -0,0 +1,159 @@
+[@actions/artifact](../README.md) / ArtifactClient
+
+# Interface: ArtifactClient
+
+Generic interface for the artifact client.
+
+## Implemented by
+
+- [`DefaultArtifactClient`](../classes/DefaultArtifactClient.md)
+
+## Table of contents
+
+### Methods
+
+- [deleteArtifact](ArtifactClient.md#deleteartifact)
+- [downloadArtifact](ArtifactClient.md#downloadartifact)
+- [getArtifact](ArtifactClient.md#getartifact)
+- [listArtifacts](ArtifactClient.md#listartifacts)
+- [uploadArtifact](ArtifactClient.md#uploadartifact)
+
+## Methods
+
+### deleteArtifact
+
+▸ **deleteArtifact**(`artifactName`, `options?`): `Promise`\<[`DeleteArtifactResponse`](DeleteArtifactResponse.md)\>
+
+Delete an Artifact
+
+If `options.findBy` is specified, this will use the public Delete Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#delete-an-artifact
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `artifactName` | `string` | The name of the artifact to delete |
+| `options?` | [`FindOptions`](FindOptions.md) | Extra options that allow for the customization of the delete behavior |
+
+#### Returns
+
+`Promise`\<[`DeleteArtifactResponse`](DeleteArtifactResponse.md)\>
+
+single DeleteArtifactResponse object
+
+#### Defined in
+
+[src/internal/client.ts:103](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L103)
+
+___
+
+### downloadArtifact
+
+▸ **downloadArtifact**(`artifactId`, `options?`): `Promise`\<[`DownloadArtifactResponse`](DownloadArtifactResponse.md)\>
+
+Downloads an artifact and unzips the content.
+
+If `options.findBy` is specified, this will use the public Download Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#download-an-artifact
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `artifactId` | `number` | The id of the artifact to download |
+| `options?` | [`DownloadArtifactOptions`](DownloadArtifactOptions.md) & [`FindOptions`](FindOptions.md) | Extra options that allow for the customization of the download behavior |
+
+#### Returns
+
+`Promise`\<[`DownloadArtifactResponse`](DownloadArtifactResponse.md)\>
+
+single DownloadArtifactResponse object
+
+#### Defined in
+
+[src/internal/client.ts:89](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L89)
+
+___
+
+### getArtifact
+
+▸ **getArtifact**(`artifactName`, `options?`): `Promise`\<[`GetArtifactResponse`](GetArtifactResponse.md)\>
+
+Finds an artifact by name.
+If there are multiple artifacts with the same name in the same workflow run, this will return the latest.
+If the artifact is not found, it will throw.
+
+If `options.findBy` is specified, this will use the public List Artifacts API with a name filter which can get artifacts from other runs.
+https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
+`@actions/artifact` v2+ does not allow for creating multiple artifacts with the same name in the same workflow run.
+It is possible to have multiple artifacts with the same name in the same workflow run by using old versions of upload-artifact (v1,v2 and v3), @actions/artifact < v2 or it is a rerun.
+If there are multiple artifacts with the same name in the same workflow run this function will return the first artifact that matches the name.
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `artifactName` | `string` | The name of the artifact to find |
+| `options?` | [`FindOptions`](FindOptions.md) | Extra options that allow for the customization of the get behavior |
+
+#### Returns
+
+`Promise`\<[`GetArtifactResponse`](GetArtifactResponse.md)\>
+
+#### Defined in
+
+[src/internal/client.ts:75](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L75)
+
+___
+
+### listArtifacts
+
+▸ **listArtifacts**(`options?`): `Promise`\<[`ListArtifactsResponse`](ListArtifactsResponse.md)\>
+
+Lists all artifacts that are part of the current workflow run.
+This function will return at most 1000 artifacts per workflow run.
+
+If `options.findBy` is specified, this will call the public List-Artifacts API which can list from other runs.
+https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `options?` | [`ListArtifactsOptions`](ListArtifactsOptions.md) & [`FindOptions`](FindOptions.md) | Extra options that allow for the customization of the list behavior |
+
+#### Returns
+
+`Promise`\<[`ListArtifactsResponse`](ListArtifactsResponse.md)\>
+
+ListArtifactResponse object
+
+#### Defined in
+
+[src/internal/client.ts:57](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L57)
+
+___
+
+### uploadArtifact
+
+▸ **uploadArtifact**(`name`, `files`, `rootDirectory`, `options?`): `Promise`\<[`UploadArtifactResponse`](UploadArtifactResponse.md)\>
+
+Uploads an artifact.
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `name` | `string` | The name of the artifact, required |
+| `files` | `string`[] | A list of absolute or relative paths that denote what files should be uploaded |
+| `rootDirectory` | `string` | An absolute or relative file path that denotes the root parent directory of the files being uploaded |
+| `options?` | [`UploadArtifactOptions`](UploadArtifactOptions.md) | Extra options for customizing the upload behavior |
+
+#### Returns
+
+`Promise`\<[`UploadArtifactResponse`](UploadArtifactResponse.md)\>
+
+single UploadArtifactResponse object
+
+#### Defined in
+
+[src/internal/client.ts:40](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/client.ts#L40)
--- a/packages/artifact/docs/generated/interfaces/DeleteArtifactResponse.md
+++ b/packages/artifact/docs/generated/interfaces/DeleteArtifactResponse.md
@ -0,0 +1,23 @@
+[@actions/artifact](../README.md) / DeleteArtifactResponse
+
+# Interface: DeleteArtifactResponse
+
+Response from the server when deleting an artifact
+
+## Table of contents
+
+### Properties
+
+- [id](DeleteArtifactResponse.md#id)
+
+## Properties
+
+### id
+
+• **id**: `number`
+
+The id of the artifact that was deleted
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:163](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L163)
--- a/packages/artifact/docs/generated/interfaces/DownloadArtifactOptions.md
+++ b/packages/artifact/docs/generated/interfaces/DownloadArtifactOptions.md
@ -0,0 +1,23 @@
+[@actions/artifact](../README.md) / DownloadArtifactOptions
+
+# Interface: DownloadArtifactOptions
+
+Options for downloading an artifact
+
+## Table of contents
+
+### Properties
+
+- [path](DownloadArtifactOptions.md#path)
+
+## Properties
+
+### path
+
+• `Optional` **path**: `string`
+
+Denotes where the artifact will be downloaded to. If not specified then the artifact is download to GITHUB_WORKSPACE
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:103](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L103)
--- a/packages/artifact/docs/generated/interfaces/DownloadArtifactResponse.md
+++ b/packages/artifact/docs/generated/interfaces/DownloadArtifactResponse.md
@ -0,0 +1,23 @@
+[@actions/artifact](../README.md) / DownloadArtifactResponse
+
+# Interface: DownloadArtifactResponse
+
+Response from the server when downloading an artifact
+
+## Table of contents
+
+### Properties
+
+- [downloadPath](DownloadArtifactResponse.md#downloadpath)
+
+## Properties
+
+### downloadPath
+
+• `Optional` **downloadPath**: `string`
+
+The path where the artifact was downloaded to
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:93](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L93)
--- a/packages/artifact/docs/generated/interfaces/FindOptions.md
+++ b/packages/artifact/docs/generated/interfaces/FindOptions.md
@ -0,0 +1,30 @@
+[@actions/artifact](../README.md) / FindOptions
+
+# Interface: FindOptions
+
+## Table of contents
+
+### Properties
+
+- [findBy](FindOptions.md#findby)
+
+## Properties
+
+### findBy
+
+• `Optional` **findBy**: `Object`
+
+The criteria for finding Artifact(s) out of the scope of the current run.
+
+#### Type declaration
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `repositoryName` | `string` | Repository owner (eg. 'toolkit') |
+| `repositoryOwner` | `string` | Repository owner (eg. 'actions') |
+| `token` | `string` | Token with actions:read permissions |
+| `workflowRunId` | `number` | WorkflowRun of the artifact(s) to lookup |
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:136](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L136)
--- a/packages/artifact/docs/generated/interfaces/GetArtifactResponse.md
+++ b/packages/artifact/docs/generated/interfaces/GetArtifactResponse.md
@ -0,0 +1,23 @@
+[@actions/artifact](../README.md) / GetArtifactResponse
+
+# Interface: GetArtifactResponse
+
+Response from the server when getting an artifact
+
+## Table of contents
+
+### Properties
+
+- [artifact](GetArtifactResponse.md#artifact)
+
+## Properties
+
+### artifact
+
+• **artifact**: [`Artifact`](Artifact.md)
+
+Metadata about the artifact that was found
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:62](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L62)
--- a/packages/artifact/docs/generated/interfaces/ListArtifactsOptions.md
+++ b/packages/artifact/docs/generated/interfaces/ListArtifactsOptions.md
@ -0,0 +1,24 @@
+[@actions/artifact](../README.md) / ListArtifactsOptions
+
+# Interface: ListArtifactsOptions
+
+Options for listing artifacts
+
+## Table of contents
+
+### Properties
+
+- [latest](ListArtifactsOptions.md#latest)
+
+## Properties
+
+### latest
+
+• `Optional` **latest**: `boolean`
+
+Filter the workflow run's artifacts to the latest by name
+In the case of reruns, this can be useful to avoid duplicates
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:73](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L73)
--- a/packages/artifact/docs/generated/interfaces/ListArtifactsResponse.md
+++ b/packages/artifact/docs/generated/interfaces/ListArtifactsResponse.md
@ -0,0 +1,23 @@
+[@actions/artifact](../README.md) / ListArtifactsResponse
+
+# Interface: ListArtifactsResponse
+
+Response from the server when listing artifacts
+
+## Table of contents
+
+### Properties
+
+- [artifacts](ListArtifactsResponse.md#artifacts)
+
+## Properties
+
+### artifacts
+
+• **artifacts**: [`Artifact`](Artifact.md)[]
+
+A list of artifacts that were found
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:83](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L83)
--- a/packages/artifact/docs/generated/interfaces/UploadArtifactOptions.md
+++ b/packages/artifact/docs/generated/interfaces/UploadArtifactOptions.md
@ -0,0 +1,55 @@
+[@actions/artifact](../README.md) / UploadArtifactOptions
+
+# Interface: UploadArtifactOptions
+
+Options for uploading an artifact
+
+## Table of contents
+
+### Properties
+
+- [compressionLevel](UploadArtifactOptions.md#compressionlevel)
+- [retentionDays](UploadArtifactOptions.md#retentiondays)
+
+## Properties
+
+### compressionLevel
+
+• `Optional` **compressionLevel**: `number`
+
+The level of compression for Zlib to be applied to the artifact archive.
+The value can range from 0 to 9:
+- 0: No compression
+- 1: Best speed
+- 6: Default compression (same as GNU Gzip)
+- 9: Best compression
+Higher levels will result in better compression, but will take longer to complete.
+For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads.
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:52](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L52)
+
+___
+
+### retentionDays
+
+• `Optional` **retentionDays**: `number`
+
+Duration after which artifact will expire in days.
+
+By default artifact expires after 90 days:
+https://docs.github.com/en/actions/configuring-and-managing-workflows/persisting-workflow-data-using-artifacts#downloading-and-deleting-artifacts-after-a-workflow-run-is-complete
+
+Use this option to override the default expiry.
+
+Min value: 1
+Max value: 90 unless changed by repository setting
+
+If this is set to a greater value than the retention settings allowed, the retention on artifacts
+will be reduced to match the max value allowed on server, and the upload process will continue. An
+input of 0 assumes default retention setting.
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:41](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L41)
--- a/packages/artifact/docs/generated/interfaces/UploadArtifactResponse.md
+++ b/packages/artifact/docs/generated/interfaces/UploadArtifactResponse.md
@ -0,0 +1,50 @@
+[@actions/artifact](../README.md) / UploadArtifactResponse
+
+# Interface: UploadArtifactResponse
+
+Response from the server when an artifact is uploaded
+
+## Table of contents
+
+### Properties
+
+- [digest](UploadArtifactResponse.md#digest)
+- [id](UploadArtifactResponse.md#id)
+- [size](UploadArtifactResponse.md#size)
+
+## Properties
+
+### digest
+
+• `Optional` **digest**: `string`
+
+The SHA256 digest of the artifact that was created. Not provided if no artifact was uploaded
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:19](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L19)
+
+___
+
+### id
+
+• `Optional` **id**: `number`
+
+The id of the artifact that was created. Not provided if no artifact was uploaded
+This ID can be used as input to other APIs to download, delete or get more information about an artifact: https://docs.github.com/en/rest/actions/artifacts
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:14](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L14)
+
+___
+
+### size
+
+• `Optional` **size**: `number`
+
+Total size of the artifact in bytes. Not provided if no artifact was uploaded
+
+#### Defined in
+
+[src/internal/shared/interfaces.ts:8](https://github.com/actions/toolkit/blob/f522fdf/packages/artifact/src/internal/shared/interfaces.ts#L8)
--- a/packages/artifact/package-lock.json
+++ b/packages/artifact/package-lock.json
--- a/packages/artifact/package.json
+++ b/packages/artifact/package.json
@ -1,6 +1,6 @@
 {
  "name": "@actions/artifact",
-  "version": "2.0.0",
+  "version": "4.0.0",
  "preview": true,
  "description": "Actions artifact lib",
  "keywords": [
@ -30,33 +30,40 @@
  },
  "scripts": {
    "audit-moderate": "npm install && npm audit --json --audit-level=moderate > audit.json",
-    "test": "echo \"Error: run tests from root\" && exit 1",
+    "test": "cd ../../ && npm run test ./packages/artifact",
    "bootstrap": "cd ../../ && npm run bootstrap",
    "tsc-run": "tsc",
-    "tsc": "npm run bootstrap && npm run tsc-run"
+    "tsc": "npm run bootstrap && npm run tsc-run",
+    "gen:docs": "typedoc --plugin typedoc-plugin-markdown --out docs/generated src/artifact.ts --githubPages false --readme none"
  },
  "bugs": {
    "url": "https://github.com/actions/toolkit/issues"
  },
  "dependencies": {
    "@actions/core": "^1.10.0",
-    "@actions/github": "^5.1.1",
+    "@actions/github": "^6.0.1",
    "@actions/http-client": "^2.1.0",
+    "@azure/core-http": "^3.0.5",
    "@azure/storage-blob": "^12.15.0",
-    "@octokit/core": "^3.5.1",
+    "@octokit/core": "^5.2.1",
    "@octokit/plugin-request-log": "^1.0.4",
    "@octokit/plugin-retry": "^3.0.9",
-    "@octokit/request-error": "^5.0.0",
+    "@octokit/request": "^8.4.1",
+    "@octokit/request-error": "^5.1.1",
    "@protobuf-ts/plugin": "^2.2.3-alpha.1",
-    "@types/unzipper": "^0.10.6",
-    "archiver": "^5.3.1",
-    "crypto": "^1.0.1",
+    "archiver": "^7.0.1",
    "jwt-decode": "^3.1.2",
-    "twirp-ts": "^2.5.0",
-    "unzipper": "^0.10.14"
+    "unzip-stream": "^0.3.1"
  },
  "devDependencies": {
    "@types/archiver": "^5.3.2",
-    "typescript": "^4.3.0"
+    "@types/unzip-stream": "^0.3.4",
+    "typedoc": "^0.28.13",
+    "typedoc-plugin-markdown": "^3.17.1",
+    "typescript": "^5.2.2"
+  },
+  "overrides": {
+    "uri-js": "npm:uri-js-replace@^1.0.1",
+    "node-fetch": "^3.3.2"
  }
 }
--- a/packages/artifact/src/artifact.ts
+++ b/packages/artifact/src/artifact.ts
@ -1,11 +1,8 @@
-import {ArtifactClient, Client} from './internal/client'
+import {ArtifactClient, DefaultArtifactClient} from './internal/client'

-/**
- * Exported functionality that we want to expose for any users of @actions/artifact
- */
 export * from './internal/shared/interfaces'
-export {ArtifactClient}
+export * from './internal/shared/errors'
+export * from './internal/client'

-export function create(): ArtifactClient {
-  return Client.create()
-}
+const client: ArtifactClient = new DefaultArtifactClient()
+export default client
--- a/packages/artifact/src/generated/index.ts
+++ b/packages/artifact/src/generated/index.ts
@ -1,4 +1,4 @@
 export * from './google/protobuf/timestamp'
 export * from './google/protobuf/wrappers'
 export * from './results/api/v1/artifact'
-export * from './results/api/v1/artifact.twirp'
+export * from './results/api/v1/artifact.twirp-client'
--- a/packages/artifact/src/generated/results/api/v1/artifact.ts
+++ b/packages/artifact/src/generated/results/api/v1/artifact.ts
@ -12,8 +12,69 @@ import type { PartialMessage } from "@protobuf-ts/runtime";
 import { reflectionMergePartial } from "@protobuf-ts/runtime";
 import { MESSAGE_TYPE } from "@protobuf-ts/runtime";
 import { MessageType } from "@protobuf-ts/runtime";
+import { Int64Value } from "../../../google/protobuf/wrappers";
 import { StringValue } from "../../../google/protobuf/wrappers";
 import { Timestamp } from "../../../google/protobuf/timestamp";
+/**
+ * @generated from protobuf message github.actions.results.api.v1.MigrateArtifactRequest
+ */
+export interface MigrateArtifactRequest {
+    /**
+     * @generated from protobuf field: string workflow_run_backend_id = 1;
+     */
+    workflowRunBackendId: string;
+    /**
+     * @generated from protobuf field: string name = 2;
+     */
+    name: string;
+    /**
+     * @generated from protobuf field: google.protobuf.Timestamp expires_at = 3;
+     */
+    expiresAt?: Timestamp;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.MigrateArtifactResponse
+ */
+export interface MigrateArtifactResponse {
+    /**
+     * @generated from protobuf field: bool ok = 1;
+     */
+    ok: boolean;
+    /**
+     * @generated from protobuf field: string signed_upload_url = 2;
+     */
+    signedUploadUrl: string;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.FinalizeMigratedArtifactRequest
+ */
+export interface FinalizeMigratedArtifactRequest {
+    /**
+     * @generated from protobuf field: string workflow_run_backend_id = 1;
+     */
+    workflowRunBackendId: string;
+    /**
+     * @generated from protobuf field: string name = 2;
+     */
+    name: string;
+    /**
+     * @generated from protobuf field: int64 size = 3;
+     */
+    size: string;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.FinalizeMigratedArtifactResponse
+ */
+export interface FinalizeMigratedArtifactResponse {
+    /**
+     * @generated from protobuf field: bool ok = 1;
+     */
+    ok: boolean;
+    /**
+     * @generated from protobuf field: int64 artifact_id = 2;
+     */
+    artifactId: string;
+}
 /**
 * @generated from protobuf message github.actions.results.api.v1.CreateArtifactRequest
 */
@ -90,6 +151,377 @@ export interface FinalizeArtifactResponse {
     */
    artifactId: string;
 }
+/**
+ * @generated from protobuf message github.actions.results.api.v1.ListArtifactsRequest
+ */
+export interface ListArtifactsRequest {
+    /**
+     * The backend plan ID
+     *
+     * @generated from protobuf field: string workflow_run_backend_id = 1;
+     */
+    workflowRunBackendId: string;
+    /**
+     * The backend job ID
+     *
+     * @generated from protobuf field: string workflow_job_run_backend_id = 2;
+     */
+    workflowJobRunBackendId: string;
+    /**
+     * Name of the artifact to filter on
+     *
+     * @generated from protobuf field: google.protobuf.StringValue name_filter = 3;
+     */
+    nameFilter?: StringValue; // optional
+    /**
+     * Monolith Database ID of the artifact to filter on
+     *
+     * @generated from protobuf field: google.protobuf.Int64Value id_filter = 4;
+     */
+    idFilter?: Int64Value; // optional
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.ListArtifactsResponse
+ */
+export interface ListArtifactsResponse {
+    /**
+     * @generated from protobuf field: repeated github.actions.results.api.v1.ListArtifactsResponse.MonolithArtifact artifacts = 1;
+     */
+    artifacts: ListArtifactsResponse_MonolithArtifact[];
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.ListArtifactsResponse.MonolithArtifact
+ */
+export interface ListArtifactsResponse_MonolithArtifact {
+    /**
+     * The backend plan ID
+     *
+     * @generated from protobuf field: string workflow_run_backend_id = 1;
+     */
+    workflowRunBackendId: string;
+    /**
+     * The backend job ID
+     *
+     * @generated from protobuf field: string workflow_job_run_backend_id = 2;
+     */
+    workflowJobRunBackendId: string;
+    /**
+     * Monolith database ID of the artifact
+     *
+     * @generated from protobuf field: int64 database_id = 3;
+     */
+    databaseId: string;
+    /**
+     * Name of the artifact
+     *
+     * @generated from protobuf field: string name = 4;
+     */
+    name: string;
+    /**
+     * Size of the artifact in bytes
+     *
+     * @generated from protobuf field: int64 size = 5;
+     */
+    size: string;
+    /**
+     * When the artifact was created in the monolith
+     *
+     * @generated from protobuf field: google.protobuf.Timestamp created_at = 6;
+     */
+    createdAt?: Timestamp;
+    /**
+     * The SHA-256 digest of the artifact, calculated on upload for upload-artifact v4 & newer
+     *
+     * @generated from protobuf field: google.protobuf.StringValue digest = 7;
+     */
+    digest?: StringValue;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.GetSignedArtifactURLRequest
+ */
+export interface GetSignedArtifactURLRequest {
+    /**
+     * @generated from protobuf field: string workflow_run_backend_id = 1;
+     */
+    workflowRunBackendId: string;
+    /**
+     * @generated from protobuf field: string workflow_job_run_backend_id = 2;
+     */
+    workflowJobRunBackendId: string;
+    /**
+     * @generated from protobuf field: string name = 3;
+     */
+    name: string;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.GetSignedArtifactURLResponse
+ */
+export interface GetSignedArtifactURLResponse {
+    /**
+     * @generated from protobuf field: string signed_url = 1;
+     */
+    signedUrl: string;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.DeleteArtifactRequest
+ */
+export interface DeleteArtifactRequest {
+    /**
+     * @generated from protobuf field: string workflow_run_backend_id = 1;
+     */
+    workflowRunBackendId: string;
+    /**
+     * @generated from protobuf field: string workflow_job_run_backend_id = 2;
+     */
+    workflowJobRunBackendId: string;
+    /**
+     * @generated from protobuf field: string name = 3;
+     */
+    name: string;
+}
+/**
+ * @generated from protobuf message github.actions.results.api.v1.DeleteArtifactResponse
+ */
+export interface DeleteArtifactResponse {
+    /**
+     * @generated from protobuf field: bool ok = 1;
+     */
+    ok: boolean;
+    /**
+     * @generated from protobuf field: int64 artifact_id = 2;
+     */
+    artifactId: string;
+}
+// @generated message type with reflection information, may provide speed optimized methods
+class MigrateArtifactRequest$Type extends MessageType<MigrateArtifactRequest> {
+    constructor() {
+        super("github.actions.results.api.v1.MigrateArtifactRequest", [
+            { no: 1, name: "workflow_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "name", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "expires_at", kind: "message", T: () => Timestamp }
+        ]);
+    }
+    create(value?: PartialMessage<MigrateArtifactRequest>): MigrateArtifactRequest {
+        const message = { workflowRunBackendId: "", name: "" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<MigrateArtifactRequest>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: MigrateArtifactRequest): MigrateArtifactRequest {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string workflow_run_backend_id */ 1:
+                    message.workflowRunBackendId = reader.string();
+                    break;
+                case /* string name */ 2:
+                    message.name = reader.string();
+                    break;
+                case /* google.protobuf.Timestamp expires_at */ 3:
+                    message.expiresAt = Timestamp.internalBinaryRead(reader, reader.uint32(), options, message.expiresAt);
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: MigrateArtifactRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string workflow_run_backend_id = 1; */
+        if (message.workflowRunBackendId !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.workflowRunBackendId);
+        /* string name = 2; */
+        if (message.name !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.name);
+        /* google.protobuf.Timestamp expires_at = 3; */
+        if (message.expiresAt)
+            Timestamp.internalBinaryWrite(message.expiresAt, writer.tag(3, WireType.LengthDelimited).fork(), options).join();
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.MigrateArtifactRequest
+ */
+export const MigrateArtifactRequest = new MigrateArtifactRequest$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class MigrateArtifactResponse$Type extends MessageType<MigrateArtifactResponse> {
+    constructor() {
+        super("github.actions.results.api.v1.MigrateArtifactResponse", [
+            { no: 1, name: "ok", kind: "scalar", T: 8 /*ScalarType.BOOL*/ },
+            { no: 2, name: "signed_upload_url", kind: "scalar", T: 9 /*ScalarType.STRING*/ }
+        ]);
+    }
+    create(value?: PartialMessage<MigrateArtifactResponse>): MigrateArtifactResponse {
+        const message = { ok: false, signedUploadUrl: "" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<MigrateArtifactResponse>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: MigrateArtifactResponse): MigrateArtifactResponse {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* bool ok */ 1:
+                    message.ok = reader.bool();
+                    break;
+                case /* string signed_upload_url */ 2:
+                    message.signedUploadUrl = reader.string();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: MigrateArtifactResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* bool ok = 1; */
+        if (message.ok !== false)
+            writer.tag(1, WireType.Varint).bool(message.ok);
+        /* string signed_upload_url = 2; */
+        if (message.signedUploadUrl !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.signedUploadUrl);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.MigrateArtifactResponse
+ */
+export const MigrateArtifactResponse = new MigrateArtifactResponse$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class FinalizeMigratedArtifactRequest$Type extends MessageType<FinalizeMigratedArtifactRequest> {
+    constructor() {
+        super("github.actions.results.api.v1.FinalizeMigratedArtifactRequest", [
+            { no: 1, name: "workflow_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "name", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "size", kind: "scalar", T: 3 /*ScalarType.INT64*/ }
+        ]);
+    }
+    create(value?: PartialMessage<FinalizeMigratedArtifactRequest>): FinalizeMigratedArtifactRequest {
+        const message = { workflowRunBackendId: "", name: "", size: "0" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<FinalizeMigratedArtifactRequest>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: FinalizeMigratedArtifactRequest): FinalizeMigratedArtifactRequest {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string workflow_run_backend_id */ 1:
+                    message.workflowRunBackendId = reader.string();
+                    break;
+                case /* string name */ 2:
+                    message.name = reader.string();
+                    break;
+                case /* int64 size */ 3:
+                    message.size = reader.int64().toString();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: FinalizeMigratedArtifactRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string workflow_run_backend_id = 1; */
+        if (message.workflowRunBackendId !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.workflowRunBackendId);
+        /* string name = 2; */
+        if (message.name !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.name);
+        /* int64 size = 3; */
+        if (message.size !== "0")
+            writer.tag(3, WireType.Varint).int64(message.size);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.FinalizeMigratedArtifactRequest
+ */
+export const FinalizeMigratedArtifactRequest = new FinalizeMigratedArtifactRequest$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class FinalizeMigratedArtifactResponse$Type extends MessageType<FinalizeMigratedArtifactResponse> {
+    constructor() {
+        super("github.actions.results.api.v1.FinalizeMigratedArtifactResponse", [
+            { no: 1, name: "ok", kind: "scalar", T: 8 /*ScalarType.BOOL*/ },
+            { no: 2, name: "artifact_id", kind: "scalar", T: 3 /*ScalarType.INT64*/ }
+        ]);
+    }
+    create(value?: PartialMessage<FinalizeMigratedArtifactResponse>): FinalizeMigratedArtifactResponse {
+        const message = { ok: false, artifactId: "0" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<FinalizeMigratedArtifactResponse>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: FinalizeMigratedArtifactResponse): FinalizeMigratedArtifactResponse {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* bool ok */ 1:
+                    message.ok = reader.bool();
+                    break;
+                case /* int64 artifact_id */ 2:
+                    message.artifactId = reader.int64().toString();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: FinalizeMigratedArtifactResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* bool ok = 1; */
+        if (message.ok !== false)
+            writer.tag(1, WireType.Varint).bool(message.ok);
+        /* int64 artifact_id = 2; */
+        if (message.artifactId !== "0")
+            writer.tag(2, WireType.Varint).int64(message.artifactId);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.FinalizeMigratedArtifactResponse
+ */
+export const FinalizeMigratedArtifactResponse = new FinalizeMigratedArtifactResponse$Type();
 // @generated message type with reflection information, may provide speed optimized methods
 class CreateArtifactRequest$Type extends MessageType<CreateArtifactRequest> {
    constructor() {
@ -348,10 +780,442 @@ class FinalizeArtifactResponse$Type extends MessageType<FinalizeArtifactResponse
 * @generated MessageType for protobuf message github.actions.results.api.v1.FinalizeArtifactResponse
 */
 export const FinalizeArtifactResponse = new FinalizeArtifactResponse$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class ListArtifactsRequest$Type extends MessageType<ListArtifactsRequest> {
+    constructor() {
+        super("github.actions.results.api.v1.ListArtifactsRequest", [
+            { no: 1, name: "workflow_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "workflow_job_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "name_filter", kind: "message", T: () => StringValue },
+            { no: 4, name: "id_filter", kind: "message", T: () => Int64Value }
+        ]);
+    }
+    create(value?: PartialMessage<ListArtifactsRequest>): ListArtifactsRequest {
+        const message = { workflowRunBackendId: "", workflowJobRunBackendId: "" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<ListArtifactsRequest>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: ListArtifactsRequest): ListArtifactsRequest {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string workflow_run_backend_id */ 1:
+                    message.workflowRunBackendId = reader.string();
+                    break;
+                case /* string workflow_job_run_backend_id */ 2:
+                    message.workflowJobRunBackendId = reader.string();
+                    break;
+                case /* google.protobuf.StringValue name_filter */ 3:
+                    message.nameFilter = StringValue.internalBinaryRead(reader, reader.uint32(), options, message.nameFilter);
+                    break;
+                case /* google.protobuf.Int64Value id_filter */ 4:
+                    message.idFilter = Int64Value.internalBinaryRead(reader, reader.uint32(), options, message.idFilter);
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: ListArtifactsRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string workflow_run_backend_id = 1; */
+        if (message.workflowRunBackendId !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.workflowRunBackendId);
+        /* string workflow_job_run_backend_id = 2; */
+        if (message.workflowJobRunBackendId !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.workflowJobRunBackendId);
+        /* google.protobuf.StringValue name_filter = 3; */
+        if (message.nameFilter)
+            StringValue.internalBinaryWrite(message.nameFilter, writer.tag(3, WireType.LengthDelimited).fork(), options).join();
+        /* google.protobuf.Int64Value id_filter = 4; */
+        if (message.idFilter)
+            Int64Value.internalBinaryWrite(message.idFilter, writer.tag(4, WireType.LengthDelimited).fork(), options).join();
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.ListArtifactsRequest
+ */
+export const ListArtifactsRequest = new ListArtifactsRequest$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class ListArtifactsResponse$Type extends MessageType<ListArtifactsResponse> {
+    constructor() {
+        super("github.actions.results.api.v1.ListArtifactsResponse", [
+            { no: 1, name: "artifacts", kind: "message", repeat: 1 /*RepeatType.PACKED*/, T: () => ListArtifactsResponse_MonolithArtifact }
+        ]);
+    }
+    create(value?: PartialMessage<ListArtifactsResponse>): ListArtifactsResponse {
+        const message = { artifacts: [] };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<ListArtifactsResponse>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: ListArtifactsResponse): ListArtifactsResponse {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* repeated github.actions.results.api.v1.ListArtifactsResponse.MonolithArtifact artifacts */ 1:
+                    message.artifacts.push(ListArtifactsResponse_MonolithArtifact.internalBinaryRead(reader, reader.uint32(), options));
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: ListArtifactsResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* repeated github.actions.results.api.v1.ListArtifactsResponse.MonolithArtifact artifacts = 1; */
+        for (let i = 0; i < message.artifacts.length; i++)
+            ListArtifactsResponse_MonolithArtifact.internalBinaryWrite(message.artifacts[i], writer.tag(1, WireType.LengthDelimited).fork(), options).join();
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.ListArtifactsResponse
+ */
+export const ListArtifactsResponse = new ListArtifactsResponse$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class ListArtifactsResponse_MonolithArtifact$Type extends MessageType<ListArtifactsResponse_MonolithArtifact> {
+    constructor() {
+        super("github.actions.results.api.v1.ListArtifactsResponse.MonolithArtifact", [
+            { no: 1, name: "workflow_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "workflow_job_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "database_id", kind: "scalar", T: 3 /*ScalarType.INT64*/ },
+            { no: 4, name: "name", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 5, name: "size", kind: "scalar", T: 3 /*ScalarType.INT64*/ },
+            { no: 6, name: "created_at", kind: "message", T: () => Timestamp },
+            { no: 7, name: "digest", kind: "message", T: () => StringValue }
+        ]);
+    }
+    create(value?: PartialMessage<ListArtifactsResponse_MonolithArtifact>): ListArtifactsResponse_MonolithArtifact {
+        const message = { workflowRunBackendId: "", workflowJobRunBackendId: "", databaseId: "0", name: "", size: "0" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<ListArtifactsResponse_MonolithArtifact>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: ListArtifactsResponse_MonolithArtifact): ListArtifactsResponse_MonolithArtifact {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string workflow_run_backend_id */ 1:
+                    message.workflowRunBackendId = reader.string();
+                    break;
+                case /* string workflow_job_run_backend_id */ 2:
+                    message.workflowJobRunBackendId = reader.string();
+                    break;
+                case /* int64 database_id */ 3:
+                    message.databaseId = reader.int64().toString();
+                    break;
+                case /* string name */ 4:
+                    message.name = reader.string();
+                    break;
+                case /* int64 size */ 5:
+                    message.size = reader.int64().toString();
+                    break;
+                case /* google.protobuf.Timestamp created_at */ 6:
+                    message.createdAt = Timestamp.internalBinaryRead(reader, reader.uint32(), options, message.createdAt);
+                    break;
+                case /* google.protobuf.StringValue digest */ 7:
+                    message.digest = StringValue.internalBinaryRead(reader, reader.uint32(), options, message.digest);
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: ListArtifactsResponse_MonolithArtifact, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string workflow_run_backend_id = 1; */
+        if (message.workflowRunBackendId !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.workflowRunBackendId);
+        /* string workflow_job_run_backend_id = 2; */
+        if (message.workflowJobRunBackendId !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.workflowJobRunBackendId);
+        /* int64 database_id = 3; */
+        if (message.databaseId !== "0")
+            writer.tag(3, WireType.Varint).int64(message.databaseId);
+        /* string name = 4; */
+        if (message.name !== "")
+            writer.tag(4, WireType.LengthDelimited).string(message.name);
+        /* int64 size = 5; */
+        if (message.size !== "0")
+            writer.tag(5, WireType.Varint).int64(message.size);
+        /* google.protobuf.Timestamp created_at = 6; */
+        if (message.createdAt)
+            Timestamp.internalBinaryWrite(message.createdAt, writer.tag(6, WireType.LengthDelimited).fork(), options).join();
+        /* google.protobuf.StringValue digest = 7; */
+        if (message.digest)
+            StringValue.internalBinaryWrite(message.digest, writer.tag(7, WireType.LengthDelimited).fork(), options).join();
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.ListArtifactsResponse.MonolithArtifact
+ */
+export const ListArtifactsResponse_MonolithArtifact = new ListArtifactsResponse_MonolithArtifact$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class GetSignedArtifactURLRequest$Type extends MessageType<GetSignedArtifactURLRequest> {
+    constructor() {
+        super("github.actions.results.api.v1.GetSignedArtifactURLRequest", [
+            { no: 1, name: "workflow_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "workflow_job_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "name", kind: "scalar", T: 9 /*ScalarType.STRING*/ }
+        ]);
+    }
+    create(value?: PartialMessage<GetSignedArtifactURLRequest>): GetSignedArtifactURLRequest {
+        const message = { workflowRunBackendId: "", workflowJobRunBackendId: "", name: "" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<GetSignedArtifactURLRequest>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: GetSignedArtifactURLRequest): GetSignedArtifactURLRequest {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string workflow_run_backend_id */ 1:
+                    message.workflowRunBackendId = reader.string();
+                    break;
+                case /* string workflow_job_run_backend_id */ 2:
+                    message.workflowJobRunBackendId = reader.string();
+                    break;
+                case /* string name */ 3:
+                    message.name = reader.string();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: GetSignedArtifactURLRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string workflow_run_backend_id = 1; */
+        if (message.workflowRunBackendId !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.workflowRunBackendId);
+        /* string workflow_job_run_backend_id = 2; */
+        if (message.workflowJobRunBackendId !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.workflowJobRunBackendId);
+        /* string name = 3; */
+        if (message.name !== "")
+            writer.tag(3, WireType.LengthDelimited).string(message.name);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.GetSignedArtifactURLRequest
+ */
+export const GetSignedArtifactURLRequest = new GetSignedArtifactURLRequest$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class GetSignedArtifactURLResponse$Type extends MessageType<GetSignedArtifactURLResponse> {
+    constructor() {
+        super("github.actions.results.api.v1.GetSignedArtifactURLResponse", [
+            { no: 1, name: "signed_url", kind: "scalar", T: 9 /*ScalarType.STRING*/ }
+        ]);
+    }
+    create(value?: PartialMessage<GetSignedArtifactURLResponse>): GetSignedArtifactURLResponse {
+        const message = { signedUrl: "" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<GetSignedArtifactURLResponse>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: GetSignedArtifactURLResponse): GetSignedArtifactURLResponse {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string signed_url */ 1:
+                    message.signedUrl = reader.string();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: GetSignedArtifactURLResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string signed_url = 1; */
+        if (message.signedUrl !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.signedUrl);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.GetSignedArtifactURLResponse
+ */
+export const GetSignedArtifactURLResponse = new GetSignedArtifactURLResponse$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class DeleteArtifactRequest$Type extends MessageType<DeleteArtifactRequest> {
+    constructor() {
+        super("github.actions.results.api.v1.DeleteArtifactRequest", [
+            { no: 1, name: "workflow_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "workflow_job_run_backend_id", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "name", kind: "scalar", T: 9 /*ScalarType.STRING*/ }
+        ]);
+    }
+    create(value?: PartialMessage<DeleteArtifactRequest>): DeleteArtifactRequest {
+        const message = { workflowRunBackendId: "", workflowJobRunBackendId: "", name: "" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<DeleteArtifactRequest>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: DeleteArtifactRequest): DeleteArtifactRequest {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string workflow_run_backend_id */ 1:
+                    message.workflowRunBackendId = reader.string();
+                    break;
+                case /* string workflow_job_run_backend_id */ 2:
+                    message.workflowJobRunBackendId = reader.string();
+                    break;
+                case /* string name */ 3:
+                    message.name = reader.string();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: DeleteArtifactRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string workflow_run_backend_id = 1; */
+        if (message.workflowRunBackendId !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.workflowRunBackendId);
+        /* string workflow_job_run_backend_id = 2; */
+        if (message.workflowJobRunBackendId !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.workflowJobRunBackendId);
+        /* string name = 3; */
+        if (message.name !== "")
+            writer.tag(3, WireType.LengthDelimited).string(message.name);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.DeleteArtifactRequest
+ */
+export const DeleteArtifactRequest = new DeleteArtifactRequest$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class DeleteArtifactResponse$Type extends MessageType<DeleteArtifactResponse> {
+    constructor() {
+        super("github.actions.results.api.v1.DeleteArtifactResponse", [
+            { no: 1, name: "ok", kind: "scalar", T: 8 /*ScalarType.BOOL*/ },
+            { no: 2, name: "artifact_id", kind: "scalar", T: 3 /*ScalarType.INT64*/ }
+        ]);
+    }
+    create(value?: PartialMessage<DeleteArtifactResponse>): DeleteArtifactResponse {
+        const message = { ok: false, artifactId: "0" };
+        globalThis.Object.defineProperty(message, MESSAGE_TYPE, { enumerable: false, value: this });
+        if (value !== undefined)
+            reflectionMergePartial<DeleteArtifactResponse>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: DeleteArtifactResponse): DeleteArtifactResponse {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* bool ok */ 1:
+                    message.ok = reader.bool();
+                    break;
+                case /* int64 artifact_id */ 2:
+                    message.artifactId = reader.int64().toString();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: DeleteArtifactResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* bool ok = 1; */
+        if (message.ok !== false)
+            writer.tag(1, WireType.Varint).bool(message.ok);
+        /* int64 artifact_id = 2; */
+        if (message.artifactId !== "0")
+            writer.tag(2, WireType.Varint).int64(message.artifactId);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message github.actions.results.api.v1.DeleteArtifactResponse
+ */
+export const DeleteArtifactResponse = new DeleteArtifactResponse$Type();
 /**
 * @generated ServiceType for protobuf service github.actions.results.api.v1.ArtifactService
 */
 export const ArtifactService = new ServiceType("github.actions.results.api.v1.ArtifactService", [
    { name: "CreateArtifact", options: {}, I: CreateArtifactRequest, O: CreateArtifactResponse },
-    { name: "FinalizeArtifact", options: {}, I: FinalizeArtifactRequest, O: FinalizeArtifactResponse }
-]);
+    { name: "FinalizeArtifact", options: {}, I: FinalizeArtifactRequest, O: FinalizeArtifactResponse },
+    { name: "ListArtifacts", options: {}, I: ListArtifactsRequest, O: ListArtifactsResponse },
+    { name: "GetSignedArtifactURL", options: {}, I: GetSignedArtifactURLRequest, O: GetSignedArtifactURLResponse },
+    { name: "DeleteArtifact", options: {}, I: DeleteArtifactRequest, O: DeleteArtifactResponse },
+    { name: "MigrateArtifact", options: {}, I: MigrateArtifactRequest, O: MigrateArtifactResponse },
+    { name: "FinalizeMigratedArtifact", options: {}, I: FinalizeMigratedArtifactRequest, O: FinalizeMigratedArtifactResponse }
+]);
--- a/packages/artifact/src/generated/results/api/v1/artifact.twirp-client.ts
+++ b/packages/artifact/src/generated/results/api/v1/artifact.twirp-client.ts
@ -0,0 +1,232 @@
+import {
+  CreateArtifactRequest,
+  CreateArtifactResponse,
+  FinalizeArtifactRequest,
+  FinalizeArtifactResponse,
+  ListArtifactsRequest,
+  ListArtifactsResponse,
+  GetSignedArtifactURLRequest,
+  GetSignedArtifactURLResponse,
+  DeleteArtifactRequest,
+  DeleteArtifactResponse,
+} from "./artifact";
+
+//==================================//
+//          Client Code             //
+//==================================//
+
+interface Rpc {
+  request(
+    service: string,
+    method: string,
+    contentType: "application/json" | "application/protobuf",
+    data: object | Uint8Array
+  ): Promise<object | Uint8Array>;
+}
+
+export interface ArtifactServiceClient {
+  CreateArtifact(
+    request: CreateArtifactRequest
+  ): Promise<CreateArtifactResponse>;
+  FinalizeArtifact(
+    request: FinalizeArtifactRequest
+  ): Promise<FinalizeArtifactResponse>;
+  ListArtifacts(request: ListArtifactsRequest): Promise<ListArtifactsResponse>;
+  GetSignedArtifactURL(
+    request: GetSignedArtifactURLRequest
+  ): Promise<GetSignedArtifactURLResponse>;
+  DeleteArtifact(
+    request: DeleteArtifactRequest
+  ): Promise<DeleteArtifactResponse>;
+}
+
+export class ArtifactServiceClientJSON implements ArtifactServiceClient {
+  private readonly rpc: Rpc;
+  constructor(rpc: Rpc) {
+    this.rpc = rpc;
+    this.CreateArtifact.bind(this);
+    this.FinalizeArtifact.bind(this);
+    this.ListArtifacts.bind(this);
+    this.GetSignedArtifactURL.bind(this);
+    this.DeleteArtifact.bind(this);
+  }
+  CreateArtifact(
+    request: CreateArtifactRequest
+  ): Promise<CreateArtifactResponse> {
+    const data = CreateArtifactRequest.toJson(request, {
+      useProtoFieldName: true,
+      emitDefaultValues: false,
+    });
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "CreateArtifact",
+      "application/json",
+      data as object
+    );
+    return promise.then((data) =>
+      CreateArtifactResponse.fromJson(data as any, {
+        ignoreUnknownFields: true,
+      })
+    );
+  }
+
+  FinalizeArtifact(
+    request: FinalizeArtifactRequest
+  ): Promise<FinalizeArtifactResponse> {
+    const data = FinalizeArtifactRequest.toJson(request, {
+      useProtoFieldName: true,
+      emitDefaultValues: false,
+    });
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "FinalizeArtifact",
+      "application/json",
+      data as object
+    );
+    return promise.then((data) =>
+      FinalizeArtifactResponse.fromJson(data as any, {
+        ignoreUnknownFields: true,
+      })
+    );
+  }
+
+  ListArtifacts(request: ListArtifactsRequest): Promise<ListArtifactsResponse> {
+    const data = ListArtifactsRequest.toJson(request, {
+      useProtoFieldName: true,
+      emitDefaultValues: false,
+    });
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "ListArtifacts",
+      "application/json",
+      data as object
+    );
+    return promise.then((data) =>
+      ListArtifactsResponse.fromJson(data as any, { ignoreUnknownFields: true })
+    );
+  }
+
+  GetSignedArtifactURL(
+    request: GetSignedArtifactURLRequest
+  ): Promise<GetSignedArtifactURLResponse> {
+    const data = GetSignedArtifactURLRequest.toJson(request, {
+      useProtoFieldName: true,
+      emitDefaultValues: false,
+    });
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "GetSignedArtifactURL",
+      "application/json",
+      data as object
+    );
+    return promise.then((data) =>
+      GetSignedArtifactURLResponse.fromJson(data as any, {
+        ignoreUnknownFields: true,
+      })
+    );
+  }
+
+  DeleteArtifact(
+    request: DeleteArtifactRequest
+  ): Promise<DeleteArtifactResponse> {
+    const data = DeleteArtifactRequest.toJson(request, {
+      useProtoFieldName: true,
+      emitDefaultValues: false,
+    });
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "DeleteArtifact",
+      "application/json",
+      data as object
+    );
+    return promise.then((data) =>
+      DeleteArtifactResponse.fromJson(data as any, {
+        ignoreUnknownFields: true,
+      })
+    );
+  }
+}
+
+export class ArtifactServiceClientProtobuf implements ArtifactServiceClient {
+  private readonly rpc: Rpc;
+  constructor(rpc: Rpc) {
+    this.rpc = rpc;
+    this.CreateArtifact.bind(this);
+    this.FinalizeArtifact.bind(this);
+    this.ListArtifacts.bind(this);
+    this.GetSignedArtifactURL.bind(this);
+    this.DeleteArtifact.bind(this);
+  }
+  CreateArtifact(
+    request: CreateArtifactRequest
+  ): Promise<CreateArtifactResponse> {
+    const data = CreateArtifactRequest.toBinary(request);
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "CreateArtifact",
+      "application/protobuf",
+      data
+    );
+    return promise.then((data) =>
+      CreateArtifactResponse.fromBinary(data as Uint8Array)
+    );
+  }
+
+  FinalizeArtifact(
+    request: FinalizeArtifactRequest
+  ): Promise<FinalizeArtifactResponse> {
+    const data = FinalizeArtifactRequest.toBinary(request);
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "FinalizeArtifact",
+      "application/protobuf",
+      data
+    );
+    return promise.then((data) =>
+      FinalizeArtifactResponse.fromBinary(data as Uint8Array)
+    );
+  }
+
+  ListArtifacts(request: ListArtifactsRequest): Promise<ListArtifactsResponse> {
+    const data = ListArtifactsRequest.toBinary(request);
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "ListArtifacts",
+      "application/protobuf",
+      data
+    );
+    return promise.then((data) =>
+      ListArtifactsResponse.fromBinary(data as Uint8Array)
+    );
+  }
+
+  GetSignedArtifactURL(
+    request: GetSignedArtifactURLRequest
+  ): Promise<GetSignedArtifactURLResponse> {
+    const data = GetSignedArtifactURLRequest.toBinary(request);
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "GetSignedArtifactURL",
+      "application/protobuf",
+      data
+    );
+    return promise.then((data) =>
+      GetSignedArtifactURLResponse.fromBinary(data as Uint8Array)
+    );
+  }
+
+  DeleteArtifact(
+    request: DeleteArtifactRequest
+  ): Promise<DeleteArtifactResponse> {
+    const data = DeleteArtifactRequest.toBinary(request);
+    const promise = this.rpc.request(
+      "github.actions.results.api.v1.ArtifactService",
+      "DeleteArtifact",
+      "application/protobuf",
+      data
+    );
+    return promise.then((data) =>
+      DeleteArtifactResponse.fromBinary(data as Uint8Array)
+    );
+  }
+}
--- a/packages/artifact/src/generated/results/api/v1/artifact.twirp.ts
+++ b/packages/artifact/src/generated/results/api/v1/artifact.twirp.ts
@ -1,437 +0,0 @@
-import {
-  TwirpContext,
-  TwirpServer,
-  RouterEvents,
-  TwirpError,
-  TwirpErrorCode,
-  Interceptor,
-  TwirpContentType,
-  chainInterceptors
-} from 'twirp-ts'
-import {
-  CreateArtifactRequest,
-  CreateArtifactResponse,
-  FinalizeArtifactRequest,
-  FinalizeArtifactResponse
-} from './artifact'
-
-//==================================//
-//          Client Code             //
-//==================================//
-
-interface Rpc {
-  request(
-    service: string,
-    method: string,
-    contentType: 'application/json' | 'application/protobuf',
-    data: object | Uint8Array
-  ): Promise<object | Uint8Array>
-}
-
-export interface ArtifactServiceClient {
-  CreateArtifact(
-    request: CreateArtifactRequest
-  ): Promise<CreateArtifactResponse>
-  FinalizeArtifact(
-    request: FinalizeArtifactRequest
-  ): Promise<FinalizeArtifactResponse>
-}
-
-export class ArtifactServiceClientJSON implements ArtifactServiceClient {
-  private readonly rpc: Rpc
-  constructor(rpc: Rpc) {
-    this.rpc = rpc
-    this.CreateArtifact.bind(this)
-    this.FinalizeArtifact.bind(this)
-  }
-  CreateArtifact(
-    request: CreateArtifactRequest
-  ): Promise<CreateArtifactResponse> {
-    const data = CreateArtifactRequest.toJson(request, {
-      useProtoFieldName: true,
-      emitDefaultValues: false
-    })
-    const promise = this.rpc.request(
-      'github.actions.results.api.v1.ArtifactService',
-      'CreateArtifact',
-      'application/json',
-      data as object
-    )
-    return promise.then(data =>
-      CreateArtifactResponse.fromJson(data as any, {ignoreUnknownFields: true})
-    )
-  }
-
-  FinalizeArtifact(
-    request: FinalizeArtifactRequest
-  ): Promise<FinalizeArtifactResponse> {
-    const data = FinalizeArtifactRequest.toJson(request, {
-      useProtoFieldName: true,
-      emitDefaultValues: false
-    })
-    const promise = this.rpc.request(
-      'github.actions.results.api.v1.ArtifactService',
-      'FinalizeArtifact',
-      'application/json',
-      data as object
-    )
-    return promise.then(data =>
-      FinalizeArtifactResponse.fromJson(data as any, {
-        ignoreUnknownFields: true
-      })
-    )
-  }
-}
-
-export class ArtifactServiceClientProtobuf implements ArtifactServiceClient {
-  private readonly rpc: Rpc
-  constructor(rpc: Rpc) {
-    this.rpc = rpc
-    this.CreateArtifact.bind(this)
-    this.FinalizeArtifact.bind(this)
-  }
-  CreateArtifact(
-    request: CreateArtifactRequest
-  ): Promise<CreateArtifactResponse> {
-    const data = CreateArtifactRequest.toBinary(request)
-    const promise = this.rpc.request(
-      'github.actions.results.api.v1.ArtifactService',
-      'CreateArtifact',
-      'application/protobuf',
-      data
-    )
-    return promise.then(data =>
-      CreateArtifactResponse.fromBinary(data as Uint8Array)
-    )
-  }
-
-  FinalizeArtifact(
-    request: FinalizeArtifactRequest
-  ): Promise<FinalizeArtifactResponse> {
-    const data = FinalizeArtifactRequest.toBinary(request)
-    const promise = this.rpc.request(
-      'github.actions.results.api.v1.ArtifactService',
-      'FinalizeArtifact',
-      'application/protobuf',
-      data
-    )
-    return promise.then(data =>
-      FinalizeArtifactResponse.fromBinary(data as Uint8Array)
-    )
-  }
-}
-
-//==================================//
-//          Server Code             //
-//==================================//
-
-export interface ArtifactServiceTwirp<T extends TwirpContext = TwirpContext> {
-  CreateArtifact(
-    ctx: T,
-    request: CreateArtifactRequest
-  ): Promise<CreateArtifactResponse>
-  FinalizeArtifact(
-    ctx: T,
-    request: FinalizeArtifactRequest
-  ): Promise<FinalizeArtifactResponse>
-}
-
-export enum ArtifactServiceMethod {
-  CreateArtifact = 'CreateArtifact',
-  FinalizeArtifact = 'FinalizeArtifact'
-}
-
-export const ArtifactServiceMethodList = [
-  ArtifactServiceMethod.CreateArtifact,
-  ArtifactServiceMethod.FinalizeArtifact
-]
-
-export function createArtifactServiceServer<
-  T extends TwirpContext = TwirpContext
->(service: ArtifactServiceTwirp<T>) {
-  return new TwirpServer<ArtifactServiceTwirp, T>({
-    service,
-    packageName: 'github.actions.results.api.v1',
-    serviceName: 'ArtifactService',
-    methodList: ArtifactServiceMethodList,
-    matchRoute: matchArtifactServiceRoute
-  })
-}
-
-function matchArtifactServiceRoute<T extends TwirpContext = TwirpContext>(
-  method: string,
-  events: RouterEvents<T>
-) {
-  switch (method) {
-    case 'CreateArtifact':
-      return async (
-        ctx: T,
-        service: ArtifactServiceTwirp,
-        data: Buffer,
-        interceptors?: Interceptor<
-          T,
-          CreateArtifactRequest,
-          CreateArtifactResponse
-        >[]
-      ) => {
-        ctx = {...ctx, methodName: 'CreateArtifact'}
-        await events.onMatch(ctx)
-        return handleArtifactServiceCreateArtifactRequest(
-          ctx,
-          service,
-          data,
-          interceptors
-        )
-      }
-    case 'FinalizeArtifact':
-      return async (
-        ctx: T,
-        service: ArtifactServiceTwirp,
-        data: Buffer,
-        interceptors?: Interceptor<
-          T,
-          FinalizeArtifactRequest,
-          FinalizeArtifactResponse
-        >[]
-      ) => {
-        ctx = {...ctx, methodName: 'FinalizeArtifact'}
-        await events.onMatch(ctx)
-        return handleArtifactServiceFinalizeArtifactRequest(
-          ctx,
-          service,
-          data,
-          interceptors
-        )
-      }
-    default:
-      events.onNotFound()
-      const msg = `no handler found`
-      throw new TwirpError(TwirpErrorCode.BadRoute, msg)
-  }
-}
-
-function handleArtifactServiceCreateArtifactRequest<
-  T extends TwirpContext = TwirpContext
->(
-  ctx: T,
-  service: ArtifactServiceTwirp,
-  data: Buffer,
-  interceptors?: Interceptor<T, CreateArtifactRequest, CreateArtifactResponse>[]
-): Promise<string | Uint8Array> {
-  switch (ctx.contentType) {
-    case TwirpContentType.JSON:
-      return handleArtifactServiceCreateArtifactJSON<T>(
-        ctx,
-        service,
-        data,
-        interceptors
-      )
-    case TwirpContentType.Protobuf:
-      return handleArtifactServiceCreateArtifactProtobuf<T>(
-        ctx,
-        service,
-        data,
-        interceptors
-      )
-    default:
-      const msg = 'unexpected Content-Type'
-      throw new TwirpError(TwirpErrorCode.BadRoute, msg)
-  }
-}
-
-function handleArtifactServiceFinalizeArtifactRequest<
-  T extends TwirpContext = TwirpContext
->(
-  ctx: T,
-  service: ArtifactServiceTwirp,
-  data: Buffer,
-  interceptors?: Interceptor<
-    T,
-    FinalizeArtifactRequest,
-    FinalizeArtifactResponse
-  >[]
-): Promise<string | Uint8Array> {
-  switch (ctx.contentType) {
-    case TwirpContentType.JSON:
-      return handleArtifactServiceFinalizeArtifactJSON<T>(
-        ctx,
-        service,
-        data,
-        interceptors
-      )
-    case TwirpContentType.Protobuf:
-      return handleArtifactServiceFinalizeArtifactProtobuf<T>(
-        ctx,
-        service,
-        data,
-        interceptors
-      )
-    default:
-      const msg = 'unexpected Content-Type'
-      throw new TwirpError(TwirpErrorCode.BadRoute, msg)
-  }
-}
-async function handleArtifactServiceCreateArtifactJSON<
-  T extends TwirpContext = TwirpContext
->(
-  ctx: T,
-  service: ArtifactServiceTwirp,
-  data: Buffer,
-  interceptors?: Interceptor<T, CreateArtifactRequest, CreateArtifactResponse>[]
-) {
-  let request: CreateArtifactRequest
-  let response: CreateArtifactResponse
-
-  try {
-    const body = JSON.parse(data.toString() || '{}')
-    request = CreateArtifactRequest.fromJson(body, {ignoreUnknownFields: true})
-  } catch (e) {
-    if (e instanceof Error) {
-      const msg = 'the json request could not be decoded'
-      throw new TwirpError(TwirpErrorCode.Malformed, msg).withCause(e, true)
-    }
-  }
-
-  if (interceptors && interceptors.length > 0) {
-    const interceptor = chainInterceptors(...interceptors) as Interceptor<
-      T,
-      CreateArtifactRequest,
-      CreateArtifactResponse
-    >
-    response = await interceptor(ctx, request!, (ctx, inputReq) => {
-      return service.CreateArtifact(ctx, inputReq)
-    })
-  } else {
-    response = await service.CreateArtifact(ctx, request!)
-  }
-
-  return JSON.stringify(
-    CreateArtifactResponse.toJson(response, {
-      useProtoFieldName: true,
-      emitDefaultValues: false
-    }) as string
-  )
-}
-
-async function handleArtifactServiceFinalizeArtifactJSON<
-  T extends TwirpContext = TwirpContext
->(
-  ctx: T,
-  service: ArtifactServiceTwirp,
-  data: Buffer,
-  interceptors?: Interceptor<
-    T,
-    FinalizeArtifactRequest,
-    FinalizeArtifactResponse
-  >[]
-) {
-  let request: FinalizeArtifactRequest
-  let response: FinalizeArtifactResponse
-
-  try {
-    const body = JSON.parse(data.toString() || '{}')
-    request = FinalizeArtifactRequest.fromJson(body, {
-      ignoreUnknownFields: true
-    })
-  } catch (e) {
-    if (e instanceof Error) {
-      const msg = 'the json request could not be decoded'
-      throw new TwirpError(TwirpErrorCode.Malformed, msg).withCause(e, true)
-    }
-  }
-
-  if (interceptors && interceptors.length > 0) {
-    const interceptor = chainInterceptors(...interceptors) as Interceptor<
-      T,
-      FinalizeArtifactRequest,
-      FinalizeArtifactResponse
-    >
-    response = await interceptor(ctx, request!, (ctx, inputReq) => {
-      return service.FinalizeArtifact(ctx, inputReq)
-    })
-  } else {
-    response = await service.FinalizeArtifact(ctx, request!)
-  }
-
-  return JSON.stringify(
-    FinalizeArtifactResponse.toJson(response, {
-      useProtoFieldName: true,
-      emitDefaultValues: false
-    }) as string
-  )
-}
-async function handleArtifactServiceCreateArtifactProtobuf<
-  T extends TwirpContext = TwirpContext
->(
-  ctx: T,
-  service: ArtifactServiceTwirp,
-  data: Buffer,
-  interceptors?: Interceptor<T, CreateArtifactRequest, CreateArtifactResponse>[]
-) {
-  let request: CreateArtifactRequest
-  let response: CreateArtifactResponse
-
-  try {
-    request = CreateArtifactRequest.fromBinary(data)
-  } catch (e) {
-    if (e instanceof Error) {
-      const msg = 'the protobuf request could not be decoded'
-      throw new TwirpError(TwirpErrorCode.Malformed, msg).withCause(e, true)
-    }
-  }
-
-  if (interceptors && interceptors.length > 0) {
-    const interceptor = chainInterceptors(...interceptors) as Interceptor<
-      T,
-      CreateArtifactRequest,
-      CreateArtifactResponse
-    >
-    response = await interceptor(ctx, request!, (ctx, inputReq) => {
-      return service.CreateArtifact(ctx, inputReq)
-    })
-  } else {
-    response = await service.CreateArtifact(ctx, request!)
-  }
-
-  return Buffer.from(CreateArtifactResponse.toBinary(response))
-}
-
-async function handleArtifactServiceFinalizeArtifactProtobuf<
-  T extends TwirpContext = TwirpContext
->(
-  ctx: T,
-  service: ArtifactServiceTwirp,
-  data: Buffer,
-  interceptors?: Interceptor<
-    T,
-    FinalizeArtifactRequest,
-    FinalizeArtifactResponse
-  >[]
-) {
-  let request: FinalizeArtifactRequest
-  let response: FinalizeArtifactResponse
-
-  try {
-    request = FinalizeArtifactRequest.fromBinary(data)
-  } catch (e) {
-    if (e instanceof Error) {
-      const msg = 'the protobuf request could not be decoded'
-      throw new TwirpError(TwirpErrorCode.Malformed, msg).withCause(e, true)
-    }
-  }
-
-  if (interceptors && interceptors.length > 0) {
-    const interceptor = chainInterceptors(...interceptors) as Interceptor<
-      T,
-      FinalizeArtifactRequest,
-      FinalizeArtifactResponse
-    >
-    response = await interceptor(ctx, request!, (ctx, inputReq) => {
-      return service.FinalizeArtifact(ctx, inputReq)
-    })
-  } else {
-    response = await service.FinalizeArtifact(ctx, request!)
-  }
-
-  return Buffer.from(FinalizeArtifactResponse.toBinary(response))
-}
--- a/packages/artifact/src/internal/client.ts
+++ b/packages/artifact/src/internal/client.ts
@ -1,122 +1,126 @@
 import {warning} from '@actions/core'
 import {isGhes} from './shared/config'
 import {
-  UploadOptions,
-  UploadResponse,
+  UploadArtifactOptions,
+  UploadArtifactResponse,
  DownloadArtifactOptions,
  GetArtifactResponse,
+  ListArtifactsOptions,
  ListArtifactsResponse,
-  DownloadArtifactResponse
+  DownloadArtifactResponse,
+  FindOptions,
+  DeleteArtifactResponse
 } from './shared/interfaces'
 import {uploadArtifact} from './upload/upload-artifact'
-import {downloadArtifact} from './download/download-artifact'
-import {getArtifact} from './find/get-artifact'
-import {listArtifacts} from './find/list-artifacts'
+import {
+  downloadArtifactPublic,
+  downloadArtifactInternal
+} from './download/download-artifact'
+import {
+  deleteArtifactPublic,
+  deleteArtifactInternal
+} from './delete/delete-artifact'
+import {getArtifactPublic, getArtifactInternal} from './find/get-artifact'
+import {listArtifactsPublic, listArtifactsInternal} from './find/list-artifacts'
+import {GHESNotSupportedError} from './shared/errors'

+/**
+ * Generic interface for the artifact client.
+ */
 export interface ArtifactClient {
  /**
-   * Uploads an artifact
+   * Uploads an artifact.
   *
   * @param name The name of the artifact, required
   * @param files A list of absolute or relative paths that denote what files should be uploaded
   * @param rootDirectory An absolute or relative file path that denotes the root parent directory of the files being uploaded
   * @param options Extra options for customizing the upload behavior
-   * @returns single UploadResponse object
+   * @returns single UploadArtifactResponse object
   */
  uploadArtifact(
    name: string,
    files: string[],
    rootDirectory: string,
-    options?: UploadOptions
-  ): Promise<UploadResponse>
+    options?: UploadArtifactOptions
+  ): Promise<UploadArtifactResponse>

  /**
-   * Lists all artifacts that are part of a workflow run.
+   * Lists all artifacts that are part of the current workflow run.
+   * This function will return at most 1000 artifacts per workflow run.
   *
-   * This calls the public List-Artifacts API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
-   * Due to paginated responses from the public API. This function will return at most 1000 artifacts per workflow run (100 per page * maximum 10 calls)
+   * If `options.findBy` is specified, this will call the public List-Artifacts API which can list from other runs.
+   * https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
   *
-   * @param workflowRunId The workflow run id that the artifact belongs to
-   * @param repositoryOwner The owner of the repository that the artifact belongs to
-   * @param repositoryName The name of the repository that the artifact belongs to
-   * @param token A token with the appropriate permission to the repository to list artifacts
+   * @param options Extra options that allow for the customization of the list behavior
   * @returns ListArtifactResponse object
   */
  listArtifacts(
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
+    options?: ListArtifactsOptions & FindOptions
  ): Promise<ListArtifactsResponse>

  /**
-   * Finds an artifact by name given a repository and workflow run id.
+   * Finds an artifact by name.
+   * If there are multiple artifacts with the same name in the same workflow run, this will return the latest.
+   * If the artifact is not found, it will throw.
   *
-   * This calls the public List-Artifacts API with a name filter https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
-   * @actions/artifact > 2.0.0 does not allow for creating multiple artifacts with the same name in the same workflow run.
-   * It is possible to have multiple artifacts with the same name in the same workflow run by using old versions of upload-artifact (v1,v2 and v3) or @actions/artifact < v2.0.0
+   * If `options.findBy` is specified, this will use the public List Artifacts API with a name filter which can get artifacts from other runs.
+   * https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-workflow-run-artifacts
+   * `@actions/artifact` v2+ does not allow for creating multiple artifacts with the same name in the same workflow run.
+   * It is possible to have multiple artifacts with the same name in the same workflow run by using old versions of upload-artifact (v1,v2 and v3), @actions/artifact < v2 or it is a rerun.
   * If there are multiple artifacts with the same name in the same workflow run this function will return the first artifact that matches the name.
   *
   * @param artifactName The name of the artifact to find
-   * @param workflowRunId The workflow run id that the artifact belongs to
-   * @param repositoryOwner The owner of the repository that the artifact belongs to
-   * @param repositoryName The name of the repository that the artifact belongs to
-   * @param token A token with the appropriate permission to the repository to find the artifact
+   * @param options Extra options that allow for the customization of the get behavior
   */
  getArtifact(
    artifactName: string,
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
+    options?: FindOptions
  ): Promise<GetArtifactResponse>

  /**
-   * Downloads an artifact and unzips the content
+   * Downloads an artifact and unzips the content.
   *
-   * @param artifactId The name of the artifact to download
-   * @param repositoryOwner The owner of the repository that the artifact belongs to
-   * @param repositoryName The name of the repository that the artifact belongs to
-   * @param token A token with the appropriate permission to the repository to download the artifact
+   * If `options.findBy` is specified, this will use the public Download Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#download-an-artifact
+   *
+   * @param artifactId The id of the artifact to download
   * @param options Extra options that allow for the customization of the download behavior
   * @returns single DownloadArtifactResponse object
   */
  downloadArtifact(
    artifactId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string,
-    options?: DownloadArtifactOptions
+    options?: DownloadArtifactOptions & FindOptions
  ): Promise<DownloadArtifactResponse>
+
+  /**
+   * Delete an Artifact
+   *
+   * If `options.findBy` is specified, this will use the public Delete Artifact API https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#delete-an-artifact
+   *
+   * @param artifactName The name of the artifact to delete
+   * @param options Extra options that allow for the customization of the delete behavior
+   * @returns single DeleteArtifactResponse object
+   */
+  deleteArtifact(
+    artifactName: string,
+    options?: FindOptions
+  ): Promise<DeleteArtifactResponse>
 }

-export class Client implements ArtifactClient {
-  /**
-   * Constructs a Client
-   */
-  static create(): Client {
-    return new Client()
-  }
-
-  /**
-   * Upload Artifact
-   */
+/**
+ * The default artifact client that is used by the artifact action(s).
+ */
+export class DefaultArtifactClient implements ArtifactClient {
  async uploadArtifact(
    name: string,
    files: string[],
    rootDirectory: string,
-    options?: UploadOptions | undefined
-  ): Promise<UploadResponse> {
-    if (isGhes()) {
-      warning(
-        `@actions/artifact v2.0.0+ and upload-artifact@v4+ are not currently supported on GHES.`
-      )
-      return {
-        success: false
-      }
-    }
-
+    options?: UploadArtifactOptions
+  ): Promise<UploadArtifactResponse> {
    try {
+      if (isGhes()) {
+        throw new GHESNotSupportedError()
+      }
+
      return uploadArtifact(name, files, rootDirectory, options)
    } catch (error) {
      warning(
@ -126,79 +130,72 @@ Errors can be temporary, so please try again and optionally run the action with

 If the error persists, please check whether Actions is operating normally at [https://githubstatus.com](https://www.githubstatus.com).`
      )
-      return {
-        success: false
-      }
+
+      throw error
    }
  }

-  /**
-   * Download Artifact
-   */
  async downloadArtifact(
    artifactId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string,
-    options?: DownloadArtifactOptions
+    options?: DownloadArtifactOptions & FindOptions
  ): Promise<DownloadArtifactResponse> {
-    if (isGhes()) {
-      warning(
-        `@actions/artifact v2.0.0+ and download-artifact@v4+ are not currently supported on GHES.`
-      )
-      return {
-        success: false
-      }
-    }
-
    try {
-      return downloadArtifact(
-        artifactId,
-        repositoryOwner,
-        repositoryName,
-        token,
-        options
-      )
+      if (isGhes()) {
+        throw new GHESNotSupportedError()
+      }
+
+      if (options?.findBy) {
+        const {
+          findBy: {repositoryOwner, repositoryName, token},
+          ...downloadOptions
+        } = options
+
+        return downloadArtifactPublic(
+          artifactId,
+          repositoryOwner,
+          repositoryName,
+          token,
+          downloadOptions
+        )
+      }
+
+      return downloadArtifactInternal(artifactId, options)
    } catch (error) {
      warning(
-        `Artifact download failed with error: ${error}.
+        `Download Artifact failed with error: ${error}.

 Errors can be temporary, so please try again and optionally run the action with debug mode enabled for more information.

 If the error persists, please check whether Actions and API requests are operating normally at [https://githubstatus.com](https://www.githubstatus.com).`
      )

-      return {
-        success: false
-      }
+      throw error
    }
  }

-  /**
-   * List Artifacts
-   */
  async listArtifacts(
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
+    options?: ListArtifactsOptions & FindOptions
  ): Promise<ListArtifactsResponse> {
-    if (isGhes()) {
-      warning(
-        `@actions/artifact v2.0.0+ and download-artifact@v4+ are not currently supported on GHES.`
-      )
-      return {
-        artifacts: []
-      }
-    }
-
    try {
-      return listArtifacts(
-        workflowRunId,
-        repositoryOwner,
-        repositoryName,
-        token
-      )
+      if (isGhes()) {
+        throw new GHESNotSupportedError()
+      }
+
+      if (options?.findBy) {
+        const {
+          findBy: {workflowRunId, repositoryOwner, repositoryName, token}
+        } = options
+
+        return listArtifactsPublic(
+          workflowRunId,
+          repositoryOwner,
+          repositoryName,
+          token,
+          options?.latest
+        )
+      }
+
+      return listArtifactsInternal(options?.latest)
    } catch (error: unknown) {
      warning(
        `Listing Artifacts failed with error: ${error}.
@ -208,50 +205,80 @@ Errors can be temporary, so please try again and optionally run the action with
 If the error persists, please check whether Actions and API requests are operating normally at [https://githubstatus.com](https://www.githubstatus.com).`
      )

-      return {
-        artifacts: []
-      }
+      throw error
    }
  }

-  /**
-   * Get Artifact
-   */
  async getArtifact(
    artifactName: string,
-    workflowRunId: number,
-    repositoryOwner: string,
-    repositoryName: string,
-    token: string
+    options?: FindOptions
  ): Promise<GetArtifactResponse> {
-    if (isGhes()) {
-      warning(
-        `@actions/artifact v2.0.0+ and download-artifact@v4+ are not currently supported on GHES.`
-      )
-      return {
-        success: false
-      }
-    }
-
    try {
-      return getArtifact(
-        artifactName,
-        workflowRunId,
-        repositoryOwner,
-        repositoryName,
-        token
-      )
+      if (isGhes()) {
+        throw new GHESNotSupportedError()
+      }
+
+      if (options?.findBy) {
+        const {
+          findBy: {workflowRunId, repositoryOwner, repositoryName, token}
+        } = options
+
+        return getArtifactPublic(
+          artifactName,
+          workflowRunId,
+          repositoryOwner,
+          repositoryName,
+          token
+        )
+      }
+
+      return getArtifactInternal(artifactName)
    } catch (error: unknown) {
      warning(
-        `Fetching Artifact failed with error: ${error}.
+        `Get Artifact failed with error: ${error}.

 Errors can be temporary, so please try again and optionally run the action with debug mode enabled for more information.

 If the error persists, please check whether Actions and API requests are operating normally at [https://githubstatus.com](https://www.githubstatus.com).`
      )
-      return {
-        success: false
+      throw error
+    }
+  }
+
+  async deleteArtifact(
+    artifactName: string,
+    options?: FindOptions
+  ): Promise<DeleteArtifactResponse> {
+    try {
+      if (isGhes()) {
+        throw new GHESNotSupportedError()
      }
+
+      if (options?.findBy) {
+        const {
+          findBy: {repositoryOwner, repositoryName, workflowRunId, token}
+        } = options
+
+        return deleteArtifactPublic(
+          artifactName,
+          workflowRunId,
+          repositoryOwner,
+          repositoryName,
+          token
+        )
+      }
+
+      return deleteArtifactInternal(artifactName)
+    } catch (error) {
+      warning(
+        `Delete Artifact failed with error: ${error}.
+
+Errors can be temporary, so please try again and optionally run the action with debug mode enabled for more information.
+
+If the error persists, please check whether Actions and API requests are operating normally at [https://githubstatus.com](https://www.githubstatus.com).`
+      )
+
+      throw error
    }
  }
 }
--- a/packages/artifact/src/internal/delete/delete-artifact.ts
+++ b/packages/artifact/src/internal/delete/delete-artifact.ts
@ -0,0 +1,109 @@
+import {info, debug} from '@actions/core'
+import {getOctokit} from '@actions/github'
+import {DeleteArtifactResponse} from '../shared/interfaces'
+import {getUserAgentString} from '../shared/user-agent'
+import {getRetryOptions} from '../find/retry-options'
+import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
+import {requestLog} from '@octokit/plugin-request-log'
+import {retry} from '@octokit/plugin-retry'
+import {OctokitOptions} from '@octokit/core/dist-types/types'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {getBackendIdsFromToken} from '../shared/util'
+import {
+  DeleteArtifactRequest,
+  ListArtifactsRequest,
+  StringValue
+} from '../../generated'
+import {getArtifactPublic} from '../find/get-artifact'
+import {ArtifactNotFoundError, InvalidResponseError} from '../shared/errors'
+
+export async function deleteArtifactPublic(
+  artifactName: string,
+  workflowRunId: number,
+  repositoryOwner: string,
+  repositoryName: string,
+  token: string
+): Promise<DeleteArtifactResponse> {
+  const [retryOpts, requestOpts] = getRetryOptions(defaultGitHubOptions)
+
+  const opts: OctokitOptions = {
+    log: undefined,
+    userAgent: getUserAgentString(),
+    previews: undefined,
+    retry: retryOpts,
+    request: requestOpts
+  }
+
+  const github = getOctokit(token, opts, retry, requestLog)
+
+  const getArtifactResp = await getArtifactPublic(
+    artifactName,
+    workflowRunId,
+    repositoryOwner,
+    repositoryName,
+    token
+  )
+
+  const deleteArtifactResp = await github.rest.actions.deleteArtifact({
+    owner: repositoryOwner,
+    repo: repositoryName,
+    artifact_id: getArtifactResp.artifact.id
+  })
+
+  if (deleteArtifactResp.status !== 204) {
+    throw new InvalidResponseError(
+      `Invalid response from GitHub API: ${deleteArtifactResp.status} (${deleteArtifactResp?.headers?.['x-github-request-id']})`
+    )
+  }
+
+  return {
+    id: getArtifactResp.artifact.id
+  }
+}
+
+export async function deleteArtifactInternal(
+  artifactName
+): Promise<DeleteArtifactResponse> {
+  const artifactClient = internalArtifactTwirpClient()
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const listReq: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId,
+    nameFilter: StringValue.create({value: artifactName})
+  }
+
+  const listRes = await artifactClient.ListArtifacts(listReq)
+
+  if (listRes.artifacts.length === 0) {
+    throw new ArtifactNotFoundError(
+      `Artifact not found for name: ${artifactName}`
+    )
+  }
+
+  let artifact = listRes.artifacts[0]
+  if (listRes.artifacts.length > 1) {
+    artifact = listRes.artifacts.sort(
+      (a, b) => Number(b.databaseId) - Number(a.databaseId)
+    )[0]
+
+    debug(
+      `More than one artifact found for a single name, returning newest (id: ${artifact.databaseId})`
+    )
+  }
+
+  const req: DeleteArtifactRequest = {
+    workflowRunBackendId: artifact.workflowRunBackendId,
+    workflowJobRunBackendId: artifact.workflowJobRunBackendId,
+    name: artifact.name
+  }
+
+  const res = await artifactClient.DeleteArtifact(req)
+  info(`Artifact '${artifactName}' (ID: ${res.artifactId}) deleted`)
+
+  return {
+    id: Number(res.artifactId)
+  }
+}
--- a/packages/artifact/src/internal/download/download-artifact.ts
+++ b/packages/artifact/src/internal/download/download-artifact.ts
@ -1,14 +1,26 @@
 import fs from 'fs/promises'
+import * as crypto from 'crypto'
+import * as stream from 'stream'
+
 import * as github from '@actions/github'
 import * as core from '@actions/core'
 import * as httpClient from '@actions/http-client'
-import unzipper from 'unzipper'
+import unzip from 'unzip-stream'
 import {
  DownloadArtifactOptions,
-  DownloadArtifactResponse
+  DownloadArtifactResponse,
+  StreamExtractResponse
 } from '../shared/interfaces'
 import {getUserAgentString} from '../shared/user-agent'
 import {getGitHubWorkspaceDir} from '../shared/config'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {
+  GetSignedArtifactURLRequest,
+  Int64Value,
+  ListArtifactsRequest
+} from '../../generated'
+import {getBackendIdsFromToken} from '../shared/util'
+import {ArtifactNotFoundError} from '../shared/errors'

 const scrubQueryParameters = (url: string): string => {
  const parsed = new URL(url)
@ -29,39 +41,99 @@ async function exists(path: string): Promise<boolean> {
  }
 }

-async function streamExtract(url: string, directory: string): Promise<void> {
+async function streamExtract(
+  url: string,
+  directory: string
+): Promise<StreamExtractResponse> {
+  let retryCount = 0
+  while (retryCount < 5) {
+    try {
+      return await streamExtractExternal(url, directory)
+    } catch (error) {
+      retryCount++
+      core.debug(
+        `Failed to download artifact after ${retryCount} retries due to ${error.message}. Retrying in 5 seconds...`
+      )
+      // wait 5 seconds before retrying
+      await new Promise(resolve => setTimeout(resolve, 5000))
+    }
+  }
+
+  throw new Error(`Artifact download failed after ${retryCount} retries.`)
+}
+
+export async function streamExtractExternal(
+  url: string,
+  directory: string,
+  opts: {timeout: number} = {timeout: 30 * 1000}
+): Promise<StreamExtractResponse> {
  const client = new httpClient.HttpClient(getUserAgentString())
  const response = await client.get(url)
-
  if (response.message.statusCode !== 200) {
    throw new Error(
      `Unexpected HTTP response from blob storage: ${response.message.statusCode} ${response.message.statusMessage}`
    )
  }

-  return response.message.pipe(unzipper.Extract({path: directory})).promise()
+  let sha256Digest: string | undefined = undefined
+
+  return new Promise((resolve, reject) => {
+    const timerFn = (): void => {
+      const timeoutError = new Error(
+        `Blob storage chunk did not respond in ${opts.timeout}ms`
+      )
+      response.message.destroy(timeoutError)
+      reject(timeoutError)
+    }
+    const timer = setTimeout(timerFn, opts.timeout)
+
+    const hashStream = crypto.createHash('sha256').setEncoding('hex')
+    const passThrough = new stream.PassThrough()
+
+    response.message.pipe(passThrough)
+    passThrough.pipe(hashStream)
+    const extractStream = passThrough
+
+    extractStream
+      .on('data', () => {
+        timer.refresh()
+      })
+      .on('error', (error: Error) => {
+        core.debug(
+          `response.message: Artifact download failed: ${error.message}`
+        )
+        clearTimeout(timer)
+        reject(error)
+      })
+      .pipe(unzip.Extract({path: directory}))
+      .on('close', () => {
+        clearTimeout(timer)
+        if (hashStream) {
+          hashStream.end()
+          sha256Digest = hashStream.read() as string
+          core.info(`SHA256 digest of downloaded artifact is ${sha256Digest}`)
+        }
+        resolve({sha256Digest: `sha256:${sha256Digest}`})
+      })
+      .on('error', (error: Error) => {
+        reject(error)
+      })
+  })
 }

-export async function downloadArtifact(
+export async function downloadArtifactPublic(
  artifactId: number,
  repositoryOwner: string,
  repositoryName: string,
  token: string,
  options?: DownloadArtifactOptions
 ): Promise<DownloadArtifactResponse> {
-  const downloadPath = options?.path || getGitHubWorkspaceDir()
-
-  if (!(await exists(downloadPath))) {
-    core.debug(
-      `Artifact destination folder does not exist, creating: ${downloadPath}`
-    )
-    await fs.mkdir(downloadPath, {recursive: true})
-  } else {
-    core.debug(`Artifact destination folder already exists: ${downloadPath}`)
-  }
+  const downloadPath = await resolveOrCreateDirectory(options?.path)

  const api = github.getOctokit(token)

+  let digestMismatch = false
+
  core.info(
    `Downloading artifact '${artifactId}' from '${repositoryOwner}/${repositoryName}'`
  )
@ -91,11 +163,94 @@ export async function downloadArtifact(

  try {
    core.info(`Starting download of artifact to: ${downloadPath}`)
-    await streamExtract(location, downloadPath)
+    const extractResponse = await streamExtract(location, downloadPath)
    core.info(`Artifact download completed successfully.`)
+    if (options?.expectedHash) {
+      if (options?.expectedHash !== extractResponse.sha256Digest) {
+        digestMismatch = true
+        core.debug(`Computed digest: ${extractResponse.sha256Digest}`)
+        core.debug(`Expected digest: ${options.expectedHash}`)
+      }
+    }
  } catch (error) {
    throw new Error(`Unable to download and extract artifact: ${error.message}`)
  }

-  return {success: true, downloadPath}
+  return {downloadPath, digestMismatch}
+}
+
+export async function downloadArtifactInternal(
+  artifactId: number,
+  options?: DownloadArtifactOptions
+): Promise<DownloadArtifactResponse> {
+  const downloadPath = await resolveOrCreateDirectory(options?.path)
+
+  const artifactClient = internalArtifactTwirpClient()
+
+  let digestMismatch = false
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const listReq: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId,
+    idFilter: Int64Value.create({value: artifactId.toString()})
+  }
+
+  const {artifacts} = await artifactClient.ListArtifacts(listReq)
+
+  if (artifacts.length === 0) {
+    throw new ArtifactNotFoundError(
+      `No artifacts found for ID: ${artifactId}\nAre you trying to download from a different run? Try specifying a github-token with \`actions:read\` scope.`
+    )
+  }
+
+  if (artifacts.length > 1) {
+    core.warning('Multiple artifacts found, defaulting to first.')
+  }
+
+  const signedReq: GetSignedArtifactURLRequest = {
+    workflowRunBackendId: artifacts[0].workflowRunBackendId,
+    workflowJobRunBackendId: artifacts[0].workflowJobRunBackendId,
+    name: artifacts[0].name
+  }
+
+  const {signedUrl} = await artifactClient.GetSignedArtifactURL(signedReq)
+
+  core.info(
+    `Redirecting to blob download url: ${scrubQueryParameters(signedUrl)}`
+  )
+
+  try {
+    core.info(`Starting download of artifact to: ${downloadPath}`)
+    const extractResponse = await streamExtract(signedUrl, downloadPath)
+    core.info(`Artifact download completed successfully.`)
+    if (options?.expectedHash) {
+      if (options?.expectedHash !== extractResponse.sha256Digest) {
+        digestMismatch = true
+        core.debug(`Computed digest: ${extractResponse.sha256Digest}`)
+        core.debug(`Expected digest: ${options.expectedHash}`)
+      }
+    }
+  } catch (error) {
+    throw new Error(`Unable to download and extract artifact: ${error.message}`)
+  }
+
+  return {downloadPath, digestMismatch}
+}
+
+async function resolveOrCreateDirectory(
+  downloadPath = getGitHubWorkspaceDir()
+): Promise<string> {
+  if (!(await exists(downloadPath))) {
+    core.debug(
+      `Artifact destination folder does not exist, creating: ${downloadPath}`
+    )
+    await fs.mkdir(downloadPath, {recursive: true})
+  } else {
+    core.debug(`Artifact destination folder already exists: ${downloadPath}`)
+  }
+
+  return downloadPath
 }
--- a/packages/artifact/src/internal/find/get-artifact.ts
+++ b/packages/artifact/src/internal/find/get-artifact.ts
@ -1,14 +1,18 @@
-import {GetArtifactResponse} from '../shared/interfaces'
 import {getOctokit} from '@actions/github'
-import {getUserAgentString} from '../shared/user-agent'
-import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
-import {getRetryOptions} from './retry-options'
-import {requestLog} from '@octokit/plugin-request-log'
 import {retry} from '@octokit/plugin-retry'
 import * as core from '@actions/core'
 import {OctokitOptions} from '@octokit/core/dist-types/types'
+import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
+import {getRetryOptions} from './retry-options'
+import {requestLog} from '@octokit/plugin-request-log'
+import {GetArtifactResponse} from '../shared/interfaces'
+import {getBackendIdsFromToken} from '../shared/util'
+import {getUserAgentString} from '../shared/user-agent'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {ListArtifactsRequest, StringValue, Timestamp} from '../../generated'
+import {ArtifactNotFoundError, InvalidResponseError} from '../shared/errors'

-export async function getArtifact(
+export async function getArtifactPublic(
  artifactName: string,
  workflowRunId: number,
  repositoryOwner: string,
@ -38,32 +42,84 @@ export async function getArtifact(
  )

  if (getArtifactResp.status !== 200) {
-    core.warning(`non-200 response from GitHub API: ${getArtifactResp.status}`)
-    return {
-      success: false
-    }
+    throw new InvalidResponseError(
+      `Invalid response from GitHub API: ${getArtifactResp.status} (${getArtifactResp?.headers?.['x-github-request-id']})`
+    )
  }

  if (getArtifactResp.data.artifacts.length === 0) {
-    core.warning('no artifacts found')
-    return {
-      success: false
-    }
+    throw new ArtifactNotFoundError(
+      `Artifact not found for name: ${artifactName}
+        Please ensure that your artifact is not expired and the artifact was uploaded using a compatible version of toolkit/upload-artifact.
+        For more information, visit the GitHub Artifacts FAQ: https://github.com/actions/toolkit/blob/main/packages/artifact/docs/faq.md`
+    )
  }

+  let artifact = getArtifactResp.data.artifacts[0]
  if (getArtifactResp.data.artifacts.length > 1) {
-    core.warning(
-      'more than one artifact found for a single name, returning first'
+    artifact = getArtifactResp.data.artifacts.sort((a, b) => b.id - a.id)[0]
+    core.debug(
+      `More than one artifact found for a single name, returning newest (id: ${artifact.id})`
    )
  }

  return {
-    success: true,
    artifact: {
-      name: getArtifactResp.data.artifacts[0].name,
-      id: getArtifactResp.data.artifacts[0].id,
-      url: getArtifactResp.data.artifacts[0].url,
-      size: getArtifactResp.data.artifacts[0].size_in_bytes
+      name: artifact.name,
+      id: artifact.id,
+      size: artifact.size_in_bytes,
+      createdAt: artifact.created_at
+        ? new Date(artifact.created_at)
+        : undefined,
+      digest: artifact.digest
+    }
+  }
+}
+
+export async function getArtifactInternal(
+  artifactName: string
+): Promise<GetArtifactResponse> {
+  const artifactClient = internalArtifactTwirpClient()
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const req: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId,
+    nameFilter: StringValue.create({value: artifactName})
+  }
+
+  const res = await artifactClient.ListArtifacts(req)
+
+  if (res.artifacts.length === 0) {
+    throw new ArtifactNotFoundError(
+      `Artifact not found for name: ${artifactName}
+        Please ensure that your artifact is not expired and the artifact was uploaded using a compatible version of toolkit/upload-artifact.
+        For more information, visit the GitHub Artifacts FAQ: https://github.com/actions/toolkit/blob/main/packages/artifact/docs/faq.md`
+    )
+  }
+
+  let artifact = res.artifacts[0]
+  if (res.artifacts.length > 1) {
+    artifact = res.artifacts.sort(
+      (a, b) => Number(b.databaseId) - Number(a.databaseId)
+    )[0]
+
+    core.debug(
+      `More than one artifact found for a single name, returning newest (id: ${artifact.databaseId})`
+    )
+  }
+
+  return {
+    artifact: {
+      name: artifact.name,
+      id: Number(artifact.databaseId),
+      size: Number(artifact.size),
+      createdAt: artifact.createdAt
+        ? Timestamp.toDate(artifact.createdAt)
+        : undefined,
+      digest: artifact.digest?.value
    }
  }
 }
--- a/packages/artifact/src/internal/find/list-artifacts.ts
+++ b/packages/artifact/src/internal/find/list-artifacts.ts
@ -7,23 +7,27 @@ import {defaults as defaultGitHubOptions} from '@actions/github/lib/utils'
 import {requestLog} from '@octokit/plugin-request-log'
 import {retry} from '@octokit/plugin-retry'
 import {OctokitOptions} from '@octokit/core/dist-types/types'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {getBackendIdsFromToken} from '../shared/util'
+import {getMaxArtifactListCount} from '../shared/config'
+import {ListArtifactsRequest, Timestamp} from '../../generated'

-// Limiting to 1000 for perf reasons
-const maximumArtifactCount = 1000
+const maximumArtifactCount = getMaxArtifactListCount()
 const paginationCount = 100
-const maxNumberOfPages = maximumArtifactCount / paginationCount
+const maxNumberOfPages = Math.ceil(maximumArtifactCount / paginationCount)

-export async function listArtifacts(
+export async function listArtifactsPublic(
  workflowRunId: number,
  repositoryOwner: string,
  repositoryName: string,
-  token: string
+  token: string,
+  latest = false
 ): Promise<ListArtifactsResponse> {
  info(
    `Fetching artifact list for workflow run ${workflowRunId} in repository ${repositoryOwner}/${repositoryName}`
  )

-  const artifacts: Artifact[] = []
+  let artifacts: Artifact[] = []
  const [retryOpts, requestOpts] = getRetryOptions(defaultGitHubOptions)

  const opts: OctokitOptions = {
@ -37,14 +41,17 @@ export async function listArtifacts(
  const github = getOctokit(token, opts, retry, requestLog)

  let currentPageNumber = 1
-  const {data: listArtifactResponse} =
-    await github.rest.actions.listWorkflowRunArtifacts({
+
+  const {data: listArtifactResponse} = await github.request(
+    'GET /repos/{owner}/{repo}/actions/runs/{run_id}/artifacts',
+    {
      owner: repositoryOwner,
      repo: repositoryName,
      run_id: workflowRunId,
      per_page: paginationCount,
      page: currentPageNumber
-    })
+    }
+  )

  let numberOfPages = Math.ceil(
    listArtifactResponse.total_count / paginationCount
@ -52,7 +59,7 @@ export async function listArtifacts(
  const totalArtifactCount = listArtifactResponse.total_count
  if (totalArtifactCount > maximumArtifactCount) {
    warning(
-      `Workflow run ${workflowRunId} has more than 1000 artifacts. Results will be incomplete as only the first ${maximumArtifactCount} artifacts will be returned`
+      `Workflow run ${workflowRunId} has ${totalArtifactCount} artifacts, exceeding the limit of ${maximumArtifactCount}. Results will be incomplete as only the first ${maximumArtifactCount} artifacts will be returned`
    )
    numberOfPages = maxNumberOfPages
  }
@ -62,42 +69,119 @@ export async function listArtifacts(
    artifacts.push({
      name: artifact.name,
      id: artifact.id,
-      url: artifact.url,
-      size: artifact.size_in_bytes
+      size: artifact.size_in_bytes,
+      createdAt: artifact.created_at
+        ? new Date(artifact.created_at)
+        : undefined,
+      digest: (artifact as ArtifactResponse).digest
    })
  }
-
+  // Move to the next page
+  currentPageNumber++
  // Iterate over any remaining pages
  for (
    currentPageNumber;
-    currentPageNumber < numberOfPages;
+    currentPageNumber <= numberOfPages;
    currentPageNumber++
  ) {
-    currentPageNumber++
    debug(`Fetching page ${currentPageNumber} of artifact list`)

-    const {data: listArtifactResponse} =
-      await github.rest.actions.listWorkflowRunArtifacts({
+    const {data: listArtifactResponse} = await github.request(
+      'GET /repos/{owner}/{repo}/actions/runs/{run_id}/artifacts',
+      {
        owner: repositoryOwner,
        repo: repositoryName,
        run_id: workflowRunId,
        per_page: paginationCount,
        page: currentPageNumber
-      })
+      }
+    )

    for (const artifact of listArtifactResponse.artifacts) {
      artifacts.push({
        name: artifact.name,
        id: artifact.id,
-        url: artifact.url,
-        size: artifact.size_in_bytes
+        size: artifact.size_in_bytes,
+        createdAt: artifact.created_at
+          ? new Date(artifact.created_at)
+          : undefined,
+        digest: (artifact as ArtifactResponse).digest
      })
    }
  }

-  info(`Finished fetching artifact list`)
+  if (latest) {
+    artifacts = filterLatest(artifacts)
+  }
+
+  info(`Found ${artifacts.length} artifact(s)`)

  return {
    artifacts
  }
 }
+
+export async function listArtifactsInternal(
+  latest = false
+): Promise<ListArtifactsResponse> {
+  const artifactClient = internalArtifactTwirpClient()
+
+  const {workflowRunBackendId, workflowJobRunBackendId} =
+    getBackendIdsFromToken()
+
+  const req: ListArtifactsRequest = {
+    workflowRunBackendId,
+    workflowJobRunBackendId
+  }
+
+  const res = await artifactClient.ListArtifacts(req)
+  let artifacts: Artifact[] = res.artifacts.map(artifact => ({
+    name: artifact.name,
+    id: Number(artifact.databaseId),
+    size: Number(artifact.size),
+    createdAt: artifact.createdAt
+      ? Timestamp.toDate(artifact.createdAt)
+      : undefined,
+    digest: artifact.digest?.value
+  }))
+
+  if (latest) {
+    artifacts = filterLatest(artifacts)
+  }
+
+  info(`Found ${artifacts.length} artifact(s)`)
+
+  return {
+    artifacts
+  }
+}
+
+/**
+ * This exists so that we don't have to use 'any' when receiving the artifact list from the GitHub API.
+ * The digest field is not present in OpenAPI/types at time of writing, which necessitates this change.
+ */
+interface ArtifactResponse {
+  name: string
+  id: number
+  size_in_bytes: number
+  created_at?: string
+  digest?: string
+}
+
+/**
+ * Filters a list of artifacts to only include the latest artifact for each name
+ * @param artifacts The artifacts to filter
+ * @returns The filtered list of artifacts
+ */
+function filterLatest(artifacts: Artifact[]): Artifact[] {
+  artifacts.sort((a, b) => b.id - a.id)
+  const latestArtifacts: Artifact[] = []
+  const seenArtifactNames = new Set<string>()
+  for (const artifact of artifacts) {
+    if (!seenArtifactNames.has(artifact.name)) {
+      latestArtifacts.push(artifact)
+      seenArtifactNames.add(artifact.name)
+    }
+  }
+  return latestArtifacts
+}
--- a/packages/artifact/src/internal/shared/artifact-twirp-client.ts
+++ b/packages/artifact/src/internal/shared/artifact-twirp-client.ts
@ -3,6 +3,9 @@ import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
 import {info, debug} from '@actions/core'
 import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
+import {getUserAgentString} from './user-agent'
+import {NetworkError, UsageError} from './errors'
+import {maskSecretUrls} from './util'

 // The twirp http client must implement this interface
 interface Rpc {
@ -52,17 +55,17 @@ class ArtifactHttpClient implements Rpc {
    contentType: 'application/json' | 'application/protobuf',
    data: object | Uint8Array
  ): Promise<object | Uint8Array> {
-    const url = `${this.baseUrl}/twirp/${service}/${method}`
-    debug(`Requesting ${url}`)
+    const url = new URL(`/twirp/${service}/${method}`, this.baseUrl).href
+    debug(`[Request] ${method} ${url}`)
    const headers = {
      'Content-Type': contentType
    }
    try {
-      const response = await this.retryableRequest(async () =>
+      const {body} = await this.retryableRequest(async () =>
        this.httpClient.post(url, JSON.stringify(data), headers)
      )
-      const body = await response.readBody()
-      return JSON.parse(body)
+
+      return body
    } catch (error) {
      throw new Error(`Failed to ${method}: ${error.message}`)
    }
@ -70,23 +73,47 @@ class ArtifactHttpClient implements Rpc {

  async retryableRequest(
    operation: () => Promise<HttpClientResponse>
-  ): Promise<HttpClientResponse> {
+  ): Promise<{response: HttpClientResponse; body: object}> {
    let attempt = 0
    let errorMessage = ''
+    let rawBody = ''
    while (attempt < this.maxAttempts) {
      let isRetryable = false

      try {
        const response = await operation()
        const statusCode = response.message.statusCode
-
+        rawBody = await response.readBody()
+        debug(`[Response] - ${response.message.statusCode}`)
+        debug(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`)
+        const body = JSON.parse(rawBody)
+        maskSecretUrls(body)
+        debug(`Body: ${JSON.stringify(body, null, 2)}`)
        if (this.isSuccessStatusCode(statusCode)) {
-          return response
+          return {response, body}
        }
-
        isRetryable = this.isRetryableHttpStatusCode(statusCode)
        errorMessage = `Failed request: (${statusCode}) ${response.message.statusMessage}`
+        if (body.msg) {
+          if (UsageError.isUsageErrorMessage(body.msg)) {
+            throw new UsageError()
+          }
+
+          errorMessage = `${errorMessage}: ${body.msg}`
+        }
      } catch (error) {
+        if (error instanceof SyntaxError) {
+          debug(`Raw Body: ${rawBody}`)
+        }
+
+        if (error instanceof UsageError) {
+          throw error
+        }
+
+        if (NetworkError.isNetworkErrorCode(error?.code)) {
+          throw new NetworkError(error?.code)
+        }
+
        isRetryable = true
        errorMessage = error.message
      }
@ -128,8 +155,7 @@ class ArtifactHttpClient implements Rpc {
      HttpCodes.GatewayTimeout,
      HttpCodes.InternalServerError,
      HttpCodes.ServiceUnavailable,
-      HttpCodes.TooManyRequests,
-      413 // Payload Too Large
+      HttpCodes.TooManyRequests
    ]

    return retryableStatusCodes.includes(statusCode)
@ -157,17 +183,16 @@ class ArtifactHttpClient implements Rpc {
  }
 }

-export function createArtifactTwirpClient(
-  type: 'upload' | 'download',
-  maxAttempts?: number,
-  baseRetryIntervalMilliseconds?: number,
+export function internalArtifactTwirpClient(options?: {
+  maxAttempts?: number
+  retryIntervalMs?: number
  retryMultiplier?: number
-): ArtifactServiceClientJSON {
+}): ArtifactServiceClientJSON {
  const client = new ArtifactHttpClient(
-    `@actions/artifact-${type}`,
-    maxAttempts,
-    baseRetryIntervalMilliseconds,
-    retryMultiplier
+    getUserAgentString(),
+    options?.maxAttempts,
+    options?.retryIntervalMs,
+    options?.retryMultiplier
  )
  return new ArtifactServiceClientJSON(client)
 }
--- a/packages/artifact/src/internal/shared/config.ts
+++ b/packages/artifact/src/internal/shared/config.ts
@ -1,3 +1,6 @@
+import os from 'os'
+import {info} from '@actions/core'
+
 // Used for controlling the highWaterMark value of the zip that is being streamed
 // The same value is used as the chunk size that is use during upload to blob storage
 export function getUploadChunkSize(): number {
@ -17,14 +20,21 @@ export function getResultsServiceUrl(): string {
  if (!resultsUrl) {
    throw new Error('Unable to get the ACTIONS_RESULTS_URL env variable')
  }
-  return resultsUrl
+
+  return new URL(resultsUrl).origin
 }

 export function isGhes(): boolean {
  const ghUrl = new URL(
    process.env['GITHUB_SERVER_URL'] || 'https://github.com'
  )
-  return ghUrl.hostname.toUpperCase() !== 'GITHUB.COM'
+
+  const hostname = ghUrl.hostname.trimEnd().toUpperCase()
+  const isGitHubHost = hostname === 'GITHUB.COM'
+  const isGheHost = hostname.endsWith('.GHE.COM')
+  const isLocalHost = hostname.endsWith('.LOCALHOST')
+
+  return !isGitHubHost && !isGheHost && !isLocalHost
 }

 export function getGitHubWorkspaceDir(): string {
@ -34,3 +44,72 @@ export function getGitHubWorkspaceDir(): string {
  }
  return ghWorkspaceDir
 }
+
+// The maximum value of concurrency is 300.
+// This value can be changed with ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY variable.
+export function getConcurrency(): number {
+  const numCPUs = os.cpus().length
+  let concurrencyCap = 32
+
+  if (numCPUs > 4) {
+    const concurrency = 16 * numCPUs
+    concurrencyCap = concurrency > 300 ? 300 : concurrency
+  }
+
+  const concurrencyOverride = process.env['ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY']
+  if (concurrencyOverride) {
+    const concurrency = parseInt(concurrencyOverride)
+    if (isNaN(concurrency) || concurrency < 1) {
+      throw new Error(
+        'Invalid value set for ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY env variable'
+      )
+    }
+
+    if (concurrency < concurrencyCap) {
+      info(
+        `Set concurrency based on the value set in ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY.`
+      )
+      return concurrency
+    }
+
+    info(
+      `ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY is higher than the cap of ${concurrencyCap} based on the number of cpus. Set it to the maximum value allowed.`
+    )
+    return concurrencyCap
+  }
+
+  // default concurrency to 5
+  return 5
+}
+
+export function getUploadChunkTimeout(): number {
+  const timeoutVar = process.env['ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS']
+  if (!timeoutVar) {
+    return 300000 // 5 minutes
+  }
+
+  const timeout = parseInt(timeoutVar)
+  if (isNaN(timeout)) {
+    throw new Error(
+      'Invalid value set for ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS env variable'
+    )
+  }
+
+  return timeout
+}
+
+// This value can be changed with ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT variable.
+// Defaults to 1000 as a safeguard for rate limiting.
+export function getMaxArtifactListCount(): number {
+  const maxCountVar =
+    process.env['ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT'] || '1000'
+
+  const maxCount = parseInt(maxCountVar)
+  if (isNaN(maxCount) || maxCount < 1) {
+    throw new Error(
+      'Invalid value set for ACTIONS_ARTIFACT_MAX_ARTIFACT_COUNT env variable'
+    )
+  }
+
+  return maxCount
+}
--- a/packages/artifact/src/internal/shared/errors.ts
+++ b/packages/artifact/src/internal/shared/errors.ts
@ -0,0 +1,72 @@
+export class FilesNotFoundError extends Error {
+  files: string[]
+
+  constructor(files: string[] = []) {
+    let message = 'No files were found to upload'
+    if (files.length > 0) {
+      message += `: ${files.join(', ')}`
+    }
+
+    super(message)
+    this.files = files
+    this.name = 'FilesNotFoundError'
+  }
+}
+
+export class InvalidResponseError extends Error {
+  constructor(message: string) {
+    super(message)
+    this.name = 'InvalidResponseError'
+  }
+}
+
+export class ArtifactNotFoundError extends Error {
+  constructor(message = 'Artifact not found') {
+    super(message)
+    this.name = 'ArtifactNotFoundError'
+  }
+}
+
+export class GHESNotSupportedError extends Error {
+  constructor(
+    message = '@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES.'
+  ) {
+    super(message)
+    this.name = 'GHESNotSupportedError'
+  }
+}
+
+export class NetworkError extends Error {
+  code: string
+
+  constructor(code: string) {
+    const message = `Unable to make request: ${code}\nIf you are using self-hosted runners, please make sure your runner has access to all GitHub endpoints: https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github`
+    super(message)
+    this.code = code
+    this.name = 'NetworkError'
+  }
+
+  static isNetworkErrorCode = (code?: string): boolean => {
+    if (!code) return false
+    return [
+      'ECONNRESET',
+      'ENOTFOUND',
+      'ETIMEDOUT',
+      'ECONNREFUSED',
+      'EHOSTUNREACH'
+    ].includes(code)
+  }
+}
+
+export class UsageError extends Error {
+  constructor() {
+    const message = `Artifact storage quota has been hit. Unable to upload any new artifacts. Usage is recalculated every 6-12 hours.\nMore info on storage limits: https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions#calculating-minute-and-storage-spending`
+    super(message)
+    this.name = 'UsageError'
+  }
+
+  static isUsageErrorMessage = (msg?: string): boolean => {
+    if (!msg) return false
+    return msg.includes('insufficient usage')
+  }
+}
--- a/packages/artifact/src/internal/shared/interfaces.ts
+++ b/packages/artifact/src/internal/shared/interfaces.ts
@ -1,14 +1,7 @@
-/*****************************************************************************
- *                                                                           *
- *                            UploadArtifact                                 *
- *                                                                           *
- *****************************************************************************/
-export interface UploadResponse {
-  /**
-   * Denotes if an artifact was successfully uploaded
-   */
-  success: boolean
-
+/**
+ * Response from the server when an artifact is uploaded
+ */
+export interface UploadArtifactResponse {
  /**
   * Total size of the artifact in bytes. Not provided if no artifact was uploaded
   */
@ -19,9 +12,17 @@ export interface UploadResponse {
   * This ID can be used as input to other APIs to download, delete or get more information about an artifact: https://docs.github.com/en/rest/actions/artifacts
   */
  id?: number
+
+  /**
+   * The SHA256 digest of the artifact that was created. Not provided if no artifact was uploaded
+   */
+  digest?: string
 }

-export interface UploadOptions {
+/**
+ * Options for uploading an artifact
+ */
+export interface UploadArtifactOptions {
  /**
   * Duration after which artifact will expire in days.
   *
@ -38,31 +39,43 @@ export interface UploadOptions {
   * input of 0 assumes default retention setting.
   */
  retentionDays?: number
+  /**
+   * The level of compression for Zlib to be applied to the artifact archive.
+   * The value can range from 0 to 9:
+   * - 0: No compression
+   * - 1: Best speed
+   * - 6: Default compression (same as GNU Gzip)
+   * - 9: Best compression
+   * Higher levels will result in better compression, but will take longer to complete.
+   * For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads.
+   */
+  compressionLevel?: number
 }

-/*****************************************************************************
- *                                                                           *
- *                              GetArtifact                                  *
- *                                                                           *
- *****************************************************************************/
-
+/**
+ * Response from the server when getting an artifact
+ */
 export interface GetArtifactResponse {
-  /**
-   * If an artifact was found
-   */
-  success: boolean
-
  /**
   * Metadata about the artifact that was found
   */
-  artifact?: Artifact
+  artifact: Artifact
 }

-/*****************************************************************************
- *                                                                           *
- *                             ListArtifact                                  *
- *                                                                           *
- *****************************************************************************/
+/**
+ * Options for listing artifacts
+ */
+export interface ListArtifactsOptions {
+  /**
+   * Filter the workflow run's artifacts to the latest by name
+   * In the case of reruns, this can be useful to avoid duplicates
+   */
+  latest?: boolean
+}
+
+/**
+ * Response from the server when listing artifacts
+ */
 export interface ListArtifactsResponse {
  /**
   * A list of artifacts that were found
@ -70,34 +83,48 @@ export interface ListArtifactsResponse {
  artifacts: Artifact[]
 }

-/*****************************************************************************
- *                                                                           *
- *                           DownloadArtifact                                *
- *                                                                           *
- *****************************************************************************/
+/**
+ * Response from the server when downloading an artifact
+ */
 export interface DownloadArtifactResponse {
-  /**
-   * If the artifact download was successful
-   */
-  success: boolean
  /**
   * The path where the artifact was downloaded to
   */
  downloadPath?: string
+
+  /**
+   * Returns true if the digest of the downloaded artifact does not match the expected hash
+   */
+  digestMismatch?: boolean
 }

+/**
+ * Options for downloading an artifact
+ */
 export interface DownloadArtifactOptions {
  /**
   * Denotes where the artifact will be downloaded to. If not specified then the artifact is download to GITHUB_WORKSPACE
   */
  path?: string
+
+  /**
+   * The hash that was computed for the artifact during upload. If provided, the outcome of the download
+   * will provide a digestMismatch property indicating whether the hash of the downloaded artifact
+   * matches the expected hash.
+   */
+  expectedHash?: string
 }

-/*****************************************************************************
- *                                                                           *
- *                                 Shared                                    *
- *                                                                           *
- *****************************************************************************/
+export interface StreamExtractResponse {
+  /**
+   * The SHA256 hash of the downloaded file
+   */
+  sha256Digest?: string
+}
+
+/**
+ * An Actions Artifact
+ */
 export interface Artifact {
  /**
   * The name of the artifact
@ -109,13 +136,53 @@ export interface Artifact {
   */
  id: number

-  /**
-   * The URL of the artifact
-   */
-  url: string
-
  /**
   * The size of the artifact in bytes
   */
  size: number
+
+  /**
+   * The time when the artifact was created
+   */
+  createdAt?: Date
+
+  /**
+   * The digest of the artifact, computed at time of upload.
+   */
+  digest?: string
+}
+
+// FindOptions are for fetching Artifact(s) out of the scope of the current run.
+export interface FindOptions {
+  /**
+   * The criteria for finding Artifact(s) out of the scope of the current run.
+   */
+  findBy?: {
+    /**
+     * Token with actions:read permissions
+     */
+    token: string
+    /**
+     * WorkflowRun of the artifact(s) to lookup
+     */
+    workflowRunId: number
+    /**
+     * Repository owner (eg. 'actions')
+     */
+    repositoryOwner: string
+    /**
+     * Repository owner (eg. 'toolkit')
+     */
+    repositoryName: string
+  }
+}
+
+/**
+ * Response from the server when deleting an artifact
+ */
+export interface DeleteArtifactResponse {
+  /**
+   * The id of the artifact that was deleted
+   */
+  id: number
 }
--- a/packages/artifact/src/internal/shared/util.ts
+++ b/packages/artifact/src/internal/shared/util.ts
@ -1,5 +1,7 @@
+import * as core from '@actions/core'
 import {getRuntimeToken} from './config'
 import jwt_decode from 'jwt-decode'
+import {debug, setSecret} from '@actions/core'

 export interface BackendIds {
  workflowRunBackendId: string
@ -11,7 +13,7 @@ interface ActionsToken {
 }

 const InvalidJwtError = new Error(
-  'Failed to get backend IDs: The provided JWT token is invalid'
+  'Failed to get backend IDs: The provided JWT token is invalid and/or missing claims'
 )

 // uses the JWT token claims to get the
@ -41,25 +43,103 @@ export function getBackendIdsFromToken(): BackendIds {

  for (const scopes of scpParts) {
    const scopeParts = scopes.split(':')
+    if (scopeParts?.[0] !== 'Actions.Results') {
+      // not the Actions.Results scope
+      continue
+    }
+
    /*
     * example scopeParts:
     * ["Actions.Results", "ce7f54c7-61c7-4aae-887f-30da475f5f1a", "ca395085-040a-526b-2ce8-bdc85f692774"]
     */
    if (scopeParts.length !== 3) {
-      // not the Actions.Results scope
-      continue
+      // missing expected number of claims
+      throw InvalidJwtError
    }

-    if (scopeParts[0] !== 'Actions.Results') {
-      // not the Actions.Results scope
-      continue
-    }
-
-    return {
+    const ids = {
      workflowRunBackendId: scopeParts[1],
      workflowJobRunBackendId: scopeParts[2]
    }
+
+    core.debug(`Workflow Run Backend ID: ${ids.workflowRunBackendId}`)
+    core.debug(`Workflow Job Run Backend ID: ${ids.workflowJobRunBackendId}`)
+
+    return ids
  }

  throw InvalidJwtError
 }
+
+/**
+ * Masks the `sig` parameter in a URL and sets it as a secret.
+ *
+ * @param url - The URL containing the signature parameter to mask
+ * @remarks
+ * This function attempts to parse the provided URL and identify the 'sig' query parameter.
+ * If found, it registers both the raw and URL-encoded signature values as secrets using
+ * the Actions `setSecret` API, which prevents them from being displayed in logs.
+ *
+ * The function handles errors gracefully if URL parsing fails, logging them as debug messages.
+ *
+ * @example
+ * ```typescript
+ * // Mask a signature in an Azure SAS token URL
+ * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
+ * ```
+ */
+export function maskSigUrl(url: string): void {
+  if (!url) return
+  try {
+    const parsedUrl = new URL(url)
+    const signature = parsedUrl.searchParams.get('sig')
+    if (signature) {
+      setSecret(signature)
+      setSecret(encodeURIComponent(signature))
+    }
+  } catch (error) {
+    debug(
+      `Failed to parse URL: ${url} ${
+        error instanceof Error ? error.message : String(error)
+      }`
+    )
+  }
+}
+
+/**
+ * Masks sensitive information in URLs containing signature parameters.
+ * Currently supports masking 'sig' parameters in the 'signed_upload_url'
+ * and 'signed_download_url' properties of the provided object.
+ *
+ * @param body - The object should contain a signature
+ * @remarks
+ * This function extracts URLs from the object properties and calls maskSigUrl
+ * on each one to redact sensitive signature information. The function doesn't
+ * modify the original object; it only marks the signatures as secrets for
+ * logging purposes.
+ *
+ * @example
+ * ```typescript
+ * const responseBody = {
+ *   signed_upload_url: 'https://example.com?sig=abc123',
+ *   signed_download_url: 'https://example.com?sig=def456'
+ * };
+ * maskSecretUrls(responseBody);
+ * ```
+ */
+export function maskSecretUrls(body: Record<string, unknown> | null): void {
+  if (typeof body !== 'object' || body === null) {
+    debug('body is not an object or is null')
+    return
+  }
+
+  if (
+    'signed_upload_url' in body &&
+    typeof body.signed_upload_url === 'string'
+  ) {
+    maskSigUrl(body.signed_upload_url)
+  }
+  if ('signed_url' in body && typeof body.signed_url === 'string') {
+    maskSigUrl(body.signed_url)
+  }
+}
--- a/packages/artifact/src/internal/upload/blob-upload.ts
+++ b/packages/artifact/src/internal/upload/blob-upload.ts
@ -1,26 +1,26 @@
 import {BlobClient, BlockBlobUploadStreamOptions} from '@azure/storage-blob'
-import {TransferProgressEvent} from '@azure/core-http'
+import {TransferProgressEvent} from '@azure/core-http-compat'
 import {ZipUploadStream} from './zip'
-import {getUploadChunkSize} from '../shared/config'
+import {
+  getUploadChunkSize,
+  getConcurrency,
+  getUploadChunkTimeout
+} from '../shared/config'
 import * as core from '@actions/core'
 import * as crypto from 'crypto'
 import * as stream from 'stream'
+import {NetworkError} from '../shared/errors'

 export interface BlobUploadResponse {
-  /**
-   * If the upload was successful or not
-   */
-  isSuccess: boolean
-
  /**
   * The total reported upload size in bytes. Empty if the upload failed
   */
  uploadSize?: number

  /**
-   * The MD5 hash of the uploaded file. Empty if the upload failed
+   * The SHA256 hash of the uploaded file. Empty if the upload failed
   */
-  md5Hash?: string
+  sha256Hash?: string
 }

 export async function uploadZipToBlobStorage(
@ -28,69 +28,85 @@ export async function uploadZipToBlobStorage(
  zipUploadStream: ZipUploadStream
 ): Promise<BlobUploadResponse> {
  let uploadByteCount = 0
+  let lastProgressTime = Date.now()
+  const abortController = new AbortController()

-  const maxBuffers = 5
+  const chunkTimer = async (interval: number): Promise<void> =>
+    new Promise((resolve, reject) => {
+      const timer = setInterval(() => {
+        if (Date.now() - lastProgressTime > interval) {
+          reject(new Error('Upload progress stalled.'))
+        }
+      }, interval)
+
+      abortController.signal.addEventListener('abort', () => {
+        clearInterval(timer)
+        resolve()
+      })
+    })
+
+  const maxConcurrency = getConcurrency()
  const bufferSize = getUploadChunkSize()
  const blobClient = new BlobClient(authenticatedUploadURL)
  const blockBlobClient = blobClient.getBlockBlobClient()

  core.debug(
-    `Uploading artifact zip to blob storage with maxBuffers: ${maxBuffers}, bufferSize: ${bufferSize}`
+    `Uploading artifact zip to blob storage with maxConcurrency: ${maxConcurrency}, bufferSize: ${bufferSize}`
  )

  const uploadCallback = (progress: TransferProgressEvent): void => {
    core.info(`Uploaded bytes ${progress.loadedBytes}`)
    uploadByteCount = progress.loadedBytes
+    lastProgressTime = Date.now()
  }

  const options: BlockBlobUploadStreamOptions = {
    blobHTTPHeaders: {blobContentType: 'zip'},
-    onProgress: uploadCallback
+    onProgress: uploadCallback,
+    abortSignal: abortController.signal
  }

-  let md5Hash: string | undefined = undefined
+  let sha256Hash: string | undefined = undefined
  const uploadStream = new stream.PassThrough()
-  const hashStream = crypto.createHash('md5')
+  const hashStream = crypto.createHash('sha256')

  zipUploadStream.pipe(uploadStream) // This stream is used for the upload
  zipUploadStream.pipe(hashStream).setEncoding('hex') // This stream is used to compute a hash of the zip content that gets used. Integrity check

+  core.info('Beginning upload of artifact content to blob storage')
+
  try {
-    core.info('Beginning upload of artifact content to blob storage')
-
-    await blockBlobClient.uploadStream(
-      uploadStream,
-      bufferSize,
-      maxBuffers,
-      options
-    )
-
-    core.info('Finished uploading artifact content to blob storage!')
-
-    hashStream.end()
-    md5Hash = hashStream.read() as string
-    core.info(`MD5 hash of uploaded artifact zip is ${md5Hash}`)
+    await Promise.race([
+      blockBlobClient.uploadStream(
+        uploadStream,
+        bufferSize,
+        maxConcurrency,
+        options
+      ),
+      chunkTimer(getUploadChunkTimeout())
+    ])
  } catch (error) {
-    core.warning(
-      `Failed to upload artifact zip to blob storage, error: ${error}`
-    )
-    return {
-      isSuccess: false
+    if (NetworkError.isNetworkErrorCode(error?.code)) {
+      throw new NetworkError(error?.code)
    }
+    throw error
+  } finally {
+    abortController.abort()
  }

+  core.info('Finished uploading artifact content to blob storage!')
+
+  hashStream.end()
+  sha256Hash = hashStream.read() as string
+  core.info(`SHA256 digest of uploaded artifact zip is ${sha256Hash}`)
+
  if (uploadByteCount === 0) {
    core.warning(
-      `No data was uploaded to blob storage. Reported upload byte count is 0`
+      `No data was uploaded to blob storage. Reported upload byte count is 0.`
    )
-    return {
-      isSuccess: false
-    }
  }
-
  return {
-    isSuccess: true,
    uploadSize: uploadByteCount,
-    md5Hash
+    sha256Hash
  }
 }
--- a/packages/artifact/src/internal/upload/upload-artifact.ts
+++ b/packages/artifact/src/internal/upload/upload-artifact.ts
@ -1,8 +1,11 @@
 import * as core from '@actions/core'
-import {UploadOptions, UploadResponse} from '../shared/interfaces'
+import {
+  UploadArtifactOptions,
+  UploadArtifactResponse
+} from '../shared/interfaces'
 import {getExpiration} from './retention'
 import {validateArtifactName} from './path-and-artifact-name-validation'
-import {createArtifactTwirpClient} from '../shared/artifact-twirp-client'
+import {internalArtifactTwirpClient} from '../shared/artifact-twirp-client'
 import {
  UploadZipSpecification,
  getUploadZipSpecification,
@ -16,13 +19,14 @@ import {
  FinalizeArtifactRequest,
  StringValue
 } from '../../generated'
+import {FilesNotFoundError, InvalidResponseError} from '../shared/errors'

 export async function uploadArtifact(
  name: string,
  files: string[],
  rootDirectory: string,
-  options?: UploadOptions | undefined
-): Promise<UploadResponse> {
+  options?: UploadArtifactOptions | undefined
+): Promise<UploadArtifactResponse> {
  validateArtifactName(name)
  validateRootDirectory(rootDirectory)

@ -31,31 +35,16 @@ export async function uploadArtifact(
    rootDirectory
  )
  if (zipSpecification.length === 0) {
-    core.warning(`No files were found to upload`)
-    return {
-      success: false
-    }
+    throw new FilesNotFoundError(
+      zipSpecification.flatMap(s => (s.sourcePath ? [s.sourcePath] : []))
+    )
  }

-  const zipUploadStream = await createZipUploadStream(zipSpecification)
-
  // get the IDs needed for the artifact creation
  const backendIds = getBackendIdsFromToken()
-  if (!backendIds.workflowRunBackendId || !backendIds.workflowJobRunBackendId) {
-    core.warning(
-      `Failed to get the necessary backend ids which are required to create the artifact`
-    )
-    return {
-      success: false
-    }
-  }
-  core.debug(`Workflow Run Backend ID: ${backendIds.workflowRunBackendId}`)
-  core.debug(
-    `Workflow Job Run Backend ID: ${backendIds.workflowJobRunBackendId}`
-  )

  // create the artifact client
-  const artifactClient = createArtifactTwirpClient('upload')
+  const artifactClient = internalArtifactTwirpClient()

  // create the artifact
  const createArtifactReq: CreateArtifactRequest = {
@ -71,26 +60,24 @@ export async function uploadArtifact(
    createArtifactReq.expiresAt = expiresAt
  }

-  const createArtifactResp = await artifactClient.CreateArtifact(
-    createArtifactReq
-  )
+  const createArtifactResp =
+    await artifactClient.CreateArtifact(createArtifactReq)
  if (!createArtifactResp.ok) {
-    core.warning(`Failed to create artifact`)
-    return {
-      success: false
-    }
+    throw new InvalidResponseError(
+      'CreateArtifact: response from backend was not ok'
+    )
  }

+  const zipUploadStream = await createZipUploadStream(
+    zipSpecification,
+    options?.compressionLevel
+  )
+
  // Upload zip to blob storage
  const uploadResult = await uploadZipToBlobStorage(
    createArtifactResp.signedUploadUrl,
    zipUploadStream
  )
-  if (uploadResult.isSuccess === false) {
-    return {
-      success: false
-    }
-  }

  // finalize the artifact
  const finalizeArtifactReq: FinalizeArtifactRequest = {
@ -100,22 +87,20 @@ export async function uploadArtifact(
    size: uploadResult.uploadSize ? uploadResult.uploadSize.toString() : '0'
  }

-  if (uploadResult.md5Hash) {
+  if (uploadResult.sha256Hash) {
    finalizeArtifactReq.hash = StringValue.create({
-      value: `md5:${uploadResult.md5Hash}`
+      value: `sha256:${uploadResult.sha256Hash}`
    })
  }

  core.info(`Finalizing artifact upload`)

-  const finalizeArtifactResp = await artifactClient.FinalizeArtifact(
-    finalizeArtifactReq
-  )
+  const finalizeArtifactResp =
+    await artifactClient.FinalizeArtifact(finalizeArtifactReq)
  if (!finalizeArtifactResp.ok) {
-    core.warning(`Failed to finalize artifact`)
-    return {
-      success: false
-    }
+    throw new InvalidResponseError(
+      'FinalizeArtifact: response from backend was not ok'
+    )
  }

  const artifactId = BigInt(finalizeArtifactResp.artifactId)
@ -124,8 +109,8 @@ export async function uploadArtifact(
  )

  return {
-    success: true,
    size: uploadResult.uploadSize,
+    digest: uploadResult.sha256Hash,
    id: Number(artifactId)
  }
 }
--- a/packages/artifact/src/internal/upload/upload-zip-specification.ts
+++ b/packages/artifact/src/internal/upload/upload-zip-specification.ts
@ -13,6 +13,12 @@ export interface UploadZipSpecification {
   * The destination path in a zip for a file
   */
  destinationPath: string
+
+  /**
+   * Information about the file
+   * https://nodejs.org/api/fs.html#class-fsstats
+   */
+  stats: fs.Stats
 }

 /**
@ -75,10 +81,11 @@ export function getUploadZipSpecification(
          - file3.txt
  */
  for (let file of filesToZip) {
-    if (!fs.existsSync(file)) {
+    const stats = fs.lstatSync(file, {throwIfNoEntry: false})
+    if (!stats) {
      throw new Error(`File ${file} does not exist`)
    }
-    if (!fs.statSync(file).isDirectory()) {
+    if (!stats.isDirectory()) {
      // Normalize and resolve, this allows for either absolute or relative paths to be used
      file = normalize(file)
      file = resolve(file)
@ -94,7 +101,8 @@ export function getUploadZipSpecification(

      specification.push({
        sourcePath: file,
-        destinationPath: uploadPath
+        destinationPath: uploadPath,
+        stats
      })
    } else {
      // Empty directory
@ -103,7 +111,8 @@ export function getUploadZipSpecification(

      specification.push({
        sourcePath: null,
-        destinationPath: directoryPath
+        destinationPath: directoryPath,
+        stats
      })
    }
  }
--- a/packages/artifact/src/internal/upload/zip.ts
+++ b/packages/artifact/src/internal/upload/zip.ts
@ -1,10 +1,12 @@
 import * as stream from 'stream'
+import {realpath} from 'fs/promises'
 import * as archiver from 'archiver'
 import * as core from '@actions/core'
-import {createReadStream} from 'fs'
 import {UploadZipSpecification} from './upload-zip-specification'
 import {getUploadChunkSize} from '../shared/config'

+export const DEFAULT_COMPRESSION_LEVEL = 6
+
 // Custom stream transformer so we can set the highWaterMark property
 // See https://github.com/nodejs/node/issues/8855
 export class ZipUploadStream extends stream.Transform {
@ -21,14 +23,16 @@ export class ZipUploadStream extends stream.Transform {
 }

 export async function createZipUploadStream(
-  uploadSpecification: UploadZipSpecification[]
+  uploadSpecification: UploadZipSpecification[],
+  compressionLevel: number = DEFAULT_COMPRESSION_LEVEL
 ): Promise<ZipUploadStream> {
+  core.debug(
+    `Creating Artifact archive with compressionLevel: ${compressionLevel}`
+  )
+
  const zip = archiver.create('zip', {
-    zlib: {level: 9} // Sets the compression level.
-    // Available options are 0-9
-    // 0 => no compression
-    // 1 => fastest with low compression
-    // 9 => highest compression ratio but the slowest
+    highWaterMark: getUploadChunkSize(),
+    zlib: {level: compressionLevel}
  })

  // register callbacks for various events during the zip lifecycle
@ -39,8 +43,14 @@ export async function createZipUploadStream(

  for (const file of uploadSpecification) {
    if (file.sourcePath !== null) {
-      // Add a normal file to the zip
-      zip.append(createReadStream(file.sourcePath), {
+      // Check if symlink and resolve the source path
+      let sourcePath = file.sourcePath
+      if (file.stats.isSymbolicLink()) {
+        sourcePath = await realpath(file.sourcePath)
+      }
+
+      // Add the file to the zip
+      zip.file(sourcePath, {
        name: file.destinationPath
      })
    } else {
--- a/packages/attest/LICENSE.md
+++ b/packages/attest/LICENSE.md
@ -0,0 +1,9 @@
+The MIT License (MIT)
+
+Copyright 2024 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/packages/attest/README.md
+++ b/packages/attest/README.md
@ -0,0 +1,191 @@
+# `@actions/attest`
+
+Functions for generating signed attestations for workflow artifacts.
+
+Attestations bind some subject (a named artifact along with its digest) to a
+predicate (some assertion about that subject) using the [in-toto
+statement](https://github.com/in-toto/attestation/tree/main/spec/v1) format. A
+signature is generated for the attestation using a
+[Sigstore](https://www.sigstore.dev/)-issued signing certificate.
+
+Once the attestation has been created and signed, it will be uploaded to the GH
+attestations API and associated with the repository from which the workflow was
+initiated.
+
+See [Using artifact attestations to establish provenance for builds](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)
+for more information on artifact attestations.
+
+## Usage
+
+### `attest`
+
+The `attest` function takes the supplied subject/predicate pair and generates a
+signed attestation.
+
+```js
+const { attest } = require('@actions/attest');
+const core = require('@actions/core');
+
+async function run() {
+    // In order to persist attestations to the repo, this should be a token with
+    // repository write permissions.
+    const ghToken = core.getInput('gh-token');
+
+    const attestation = await attest({
+        subjects: [{name: 'my-artifact-name', digest: { 'sha256': '36ab4667...'}}],
+        predicateType: 'https://in-toto.io/attestation/release',
+        predicate: { . . . },
+        token: ghToken
+    });
+
+    console.log(attestation);
+}
+
+run();
+```
+
+The `attest` function supports the following options:
+
+```typescript
+export type AttestOptions = {
+  // Deprecated. Use 'subjects' instead.
+  subjectName?: string
+  // Deprecated. Use 'subjects' instead.
+  subjectDigest?: Record<string, string>
+  // Collection of subjects to be attested
+  subjects?: Subject[]
+  // URI identifying the content type of the predicate being attested.
+  predicateType: string
+  // Predicate to be attested.
+  predicate: object
+  // GitHub token for writing attestations.
+  token: string
+  // Sigstore instance to use for signing. Must be one of "public-good" or
+  // "github".
+  sigstore?: 'public-good' | 'github'
+  // HTTP headers to include in request to attestations API.
+  headers?: {[header: string]: string | number | undefined}
+  // Whether to skip writing the attestation to the GH attestations API.
+  skipWrite?: boolean
+}
+
+export type Subject = {
+   // Name of the subject.
+  name: string
+   // Digests of the subject. Should be a map of digest algorithms to their hex-encoded values.
+  digest: Record<string, string>
+}
+```
+
+### `attestProvenance`
+
+The `attestProvenance` function accepts the name and digest of some artifact and
+generates a build provenance attestation over those values.
+
+The attestation is formed by first generating a [SLSA provenance
+predicate](https://slsa.dev/spec/v1.0/provenance) populated with
+[metadata](https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1)
+pulled from the GitHub Actions run.
+
+```js
+const { attestProvenance } = require('@actions/attest');
+const core = require('@actions/core');
+
+async function run() {
+    // In order to persist attestations to the repo, this should be a token with
+    // repository write permissions.
+    const ghToken = core.getInput('gh-token');
+
+    const attestation = await attestProvenance({
+        subjectName: 'my-artifact-name',
+        subjectDigest: { 'sha256': '36ab4667...'},
+        token: ghToken
+    });
+
+    console.log(attestation);
+}
+
+run();
+```
+
+The `attestProvenance` function supports the following options:
+
+```typescript
+export type AttestProvenanceOptions = {
+  // Deprecated. Use 'subjects' instead.
+  subjectName?: string
+  // Deprecated. Use 'subjects' instead.
+  subjectDigest?: Record<string, string>
+  // Collection of subjects to be attested
+  subjects?: Subject[]
+  // URI identifying the content type of the predicate being attested.
+  token: string
+  // Sigstore instance to use for signing. Must be one of "public-good" or
+  // "github".
+  sigstore?: 'public-good' | 'github'
+  // HTTP headers to include in request to attestations API.
+  headers?: {[header: string]: string | number | undefined}
+  // Whether to skip writing the attestation to the GH attestations API.
+  skipWrite?: boolean
+  // Issuer URL responsible for minting the OIDC token from which the
+  // provenance data is read. Defaults to
+  // 'https://token.actions.githubusercontent.com".
+  issuer?: string
+}
+```
+
+### `Attestation`
+
+The `Attestation` returned by `attest`/`attestProvenance` has the following
+fields:
+
+```typescript
+export type Attestation = {
+  /*
+   * JSON-serialized Sigstore bundle containing the provenance attestation,
+   * signature, signing certificate and witnessed timestamp.
+   */
+  bundle: SerializedBundle
+  /*
+   * PEM-encoded signing certificate used to sign the attestation.
+   */
+  certificate: string
+  /*
+   * ID of Rekor transparency log entry created for the attestation (if
+   * applicable).
+   */
+  tlogID?: string
+  /*
+   * ID of the persisted attestation (accessible via the GH API).
+   */
+  attestationID?: string
+}
+```
+
+For details about the Sigstore bundle format, see the [Bundle protobuf
+specification](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto).
+
+## Sigstore Instance
+
+When generating the signed attestation there are two different Sigstore
+instances which can be used to issue the signing certificate. By default,
+workflows initiated from public repositories will use the Sigstore public-good
+instance and persist the attestation signature to the public [Rekor transparency
+log](https://docs.sigstore.dev/logging/overview/). Workflows initiated from
+private/internal repositories will use the GitHub-internal Sigstore instance
+which uses a signed timestamp issued by GitHub's timestamp authority in place of
+the public transparency log.
+
+The default Sigstore instance selection can be overridden by passing an explicit
+value of either "public-good" or "github" for the `sigstore` option when calling
+either `attest` or `attestProvenance`.
+
+## Storage
+
+Attestations created by `attest`/`attestProvenance` will be uploaded to the GH
+attestations API and associated with the appropriate repository. Attestation
+storage is only supported for public repositories or repositories which belong
+to a GitHub Enterprise Cloud account.
+
+In order to generate attestations for private, non-Enterprise repositories, the
+`skipWrite` option should be set to `true`.
--- a/packages/attest/RELEASES.md
+++ b/packages/attest/RELEASES.md
@ -0,0 +1,63 @@
+# @actions/attest Releases
+
+### 2.0.0
+
+- Add support for Node 24 [#2110](https://github.com/actions/toolkit/pull/2110)
+- Bump @sigstore/bundle from 3.0.0 to 3.1.0
+- Bump @sigstore/sign from 3.0.0 to 3.1.0
+- Bump jose from 5.2.3 to 5.10.0
+
+### 1.6.0
+
+- Update `buildSLSAProvenancePredicate` to populate `workflow.ref` field from the `ref` claim in the OIDC token [#1969](https://github.com/actions/toolkit/pull/1969)
+
+### 1.5.0
+
+- Bump @actions/core from 1.10.1 to 1.11.1 [#1847](https://github.com/actions/toolkit/pull/1847)
+- Bump @sigstore/bundle from 2.3.2 to 3.0.0 [#1846](https://github.com/actions/toolkit/pull/1846)
+- Bump @sigstore/sign from 2.3.2 to 3.0.0 [#1846](https://github.com/actions/toolkit/pull/1846)
+- Support for generating multi-subject attestations [#1864](https://github.com/actions/toolkit/pull/1865)
+- Fix bug in `buildSLSAProvenancePredicate` related to `workflow_ref` OIDC token claims containing the "@" symbol in the tag name [#1863](https://github.com/actions/toolkit/pull/1863)
+
+### 1.4.2
+
+- Fix bug in `buildSLSAProvenancePredicate`/`attestProvenance` when generating provenance statement for enterprise account using customized OIDC issuer value [#1823](https://github.com/actions/toolkit/pull/1823)
+
+### 1.4.1
+
+- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
+
+### 1.4.0
+
+- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
+- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)
+### 1.3.1
+
+- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)
+
+### 1.3.0
+
+- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735)
+- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745)
+- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759)
+- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
+- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
+
+### 1.2.1
+
+- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725)
+
+### 1.2.0
+
+- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714)
+
+### 1.1.0
+
+- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693)
+
+### 1.0.0
+
+- Initial release
--- a/packages/attest/tests/snapshots/intoto.test.ts.snap
+++ b/packages/attest/tests/snapshots/intoto.test.ts.snap
@ -0,0 +1,19 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`buildIntotoStatement returns an intoto statement 1`] = `
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "predicate": {
+    "key": "value",
+  },
+  "predicateType": "predicatey",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32",
+      },
+      "name": "subjecty",
+    },
+  ],
+}
+`;
--- a/packages/attest/tests/snapshots/provenance.test.ts.snap
+++ b/packages/attest/tests/snapshots/provenance.test.ts.snap
@ -0,0 +1,43 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`provenance functions buildSLSAProvenancePredicate returns a provenance hydrated from an OIDC token 1`] = `
+{
+  "params": {
+    "buildDefinition": {
+      "buildType": "https://actions.github.io/buildtypes/workflow/v1",
+      "externalParameters": {
+        "workflow": {
+          "path": ".github/workflows/main.yml",
+          "ref": "refs/heads/main",
+          "repository": "https://foo.ghe.com/owner/repo",
+        },
+      },
+      "internalParameters": {
+        "github": {
+          "event_name": "push",
+          "repository_id": "repo-id",
+          "repository_owner_id": "owner-id",
+          "runner_environment": "github-hosted",
+        },
+      },
+      "resolvedDependencies": [
+        {
+          "digest": {
+            "gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
+          },
+          "uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main",
+        },
+      ],
+    },
+    "runDetails": {
+      "builder": {
+        "id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main",
+      },
+      "metadata": {
+        "invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
+      },
+    },
+  },
+  "type": "https://slsa.dev/provenance/v1",
+}
+`;
--- a/packages/attest/tests/attest.test.ts
+++ b/packages/attest/tests/attest.test.ts
@ -0,0 +1,16 @@
+import {attest} from '../src/attest'
+
+describe('attest', () => {
+  describe('when no subject information is provided', () => {
+    it('throws an error', async () => {
+      const options = {
+        predicateType: 'foo',
+        predicate: {bar: 'baz'},
+        token: 'token'
+      }
+      expect(attest(options)).rejects.toThrowError(
+        'Must provide either subjectName and subjectDigest or subjects'
+      )
+    })
+  })
+})
--- a/packages/attest/tests/endpoints.test.ts
+++ b/packages/attest/tests/endpoints.test.ts
@ -0,0 +1,41 @@
+import {signingEndpoints} from '../src/endpoints'
+
+describe('signingEndpoints', () => {
+  const originalEnv = process.env
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe('when using github.com', () => {
+    beforeEach(async () => {
+      process.env = {
+        ...originalEnv,
+        GITHUB_SERVER_URL: 'https://github.com'
+      }
+    })
+
+    it('returns expected endpoints', async () => {
+      const endpoints = signingEndpoints('github')
+
+      expect(endpoints.fulcioURL).toEqual('https://fulcio.githubapp.com')
+      expect(endpoints.tsaServerURL).toEqual('https://timestamp.githubapp.com')
+    })
+  })
+
+  describe('when using custom domain', () => {
+    beforeEach(async () => {
+      process.env = {
+        ...originalEnv,
+        GITHUB_SERVER_URL: 'https://foo.bar.com'
+      }
+    })
+
+    it('returns a expected endpoints', async () => {
+      const endpoints = signingEndpoints('github')
+
+      expect(endpoints.fulcioURL).toEqual('https://fulcio.foo.bar.com')
+      expect(endpoints.tsaServerURL).toEqual('https://timestamp.foo.bar.com')
+    })
+  })
+})
--- a/packages/attest/tests/index.test.ts
+++ b/packages/attest/tests/index.test.ts
@ -0,0 +1,6 @@
+import {attest, attestProvenance} from '../src'
+
+it('exports functions', () => {
+  expect(attestProvenance).toBeInstanceOf(Function)
+  expect(attest).toBeInstanceOf(Function)
+})
--- a/packages/attest/tests/intoto.test.ts
+++ b/packages/attest/tests/intoto.test.ts
@ -0,0 +1,23 @@
+import {buildIntotoStatement} from '../src/intoto'
+import type {Predicate, Subject} from '../src/shared.types'
+
+describe('buildIntotoStatement', () => {
+  const subject: Subject = {
+    name: 'subjecty',
+    digest: {
+      sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+    }
+  }
+
+  const predicate: Predicate = {
+    type: 'predicatey',
+    params: {
+      key: 'value'
+    }
+  }
+
+  it('returns an intoto statement', () => {
+    const statement = buildIntotoStatement([subject], predicate)
+    expect(statement).toMatchSnapshot()
+  })
+})
--- a/packages/attest/tests/oidc.test.ts
+++ b/packages/attest/tests/oidc.test.ts
@ -0,0 +1,199 @@
+import * as jose from 'jose'
+import nock from 'nock'
+import {getIDTokenClaims} from '../src/oidc'
+
+describe('getIDTokenClaims', () => {
+  const originalEnv = process.env
+  const issuer = 'https://example.com'
+  const audience = 'nobody'
+  const requestToken = 'token'
+  const openidConfigPath = '/.well-known/openid-configuration'
+  const jwksPath = '/.well-known/jwks.json'
+  const tokenPath = '/token'
+  const openIDConfig = {jwks_uri: `${issuer}${jwksPath}`}
+
+  /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
+  let key: any
+
+  beforeEach(async () => {
+    process.env = {
+      ...originalEnv,
+      ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: requestToken
+    }
+
+    // Generate JWT signing key
+    key = await jose.generateKeyPair('PS256')
+
+    // Create JWK and JWKS
+    const jwk = await jose.exportJWK(key.publicKey)
+    const jwks = {keys: [jwk]}
+
+    nock(issuer).get(openidConfigPath).reply(200, openIDConfig)
+    nock(issuer).get(jwksPath).reply(200, jwks)
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe('when ID token is valid', () => {
+    const claims = {
+      iss: issuer,
+      aud: audience,
+      ref: 'ref',
+      sha: 'sha',
+      repository: 'repo',
+      event_name: 'push',
+      job_workflow_ref: 'job_workflow_ref',
+      workflow_ref: 'workflow',
+      repository_id: '1',
+      repository_owner_id: '1',
+      runner_environment: 'github-hosted',
+      run_id: '1',
+      run_attempt: '1'
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('returns the ID token claims', async () => {
+      const result = await getIDTokenClaims(issuer)
+      expect(result).toEqual(claims)
+    })
+  })
+
+  describe('when ID token is valid (w/ enterprise slug)', () => {
+    const claims = {
+      iss: `${issuer}/foo-bar`,
+      aud: audience,
+      ref: 'ref',
+      sha: 'sha',
+      repository: 'repo',
+      event_name: 'push',
+      job_workflow_ref: 'job_workflow_ref',
+      workflow_ref: 'workflow',
+      repository_id: '1',
+      repository_owner_id: '1',
+      runner_environment: 'github-hosted',
+      run_id: '1',
+      run_attempt: '1'
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('returns the ID token claims', async () => {
+      const result = await getIDTokenClaims(issuer)
+      expect(result).toEqual(claims)
+    })
+  })
+
+  describe('when ID token is missing the "iss" claim', () => {
+    const claims = {
+      aud: audience
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing "iss"/i)
+    })
+  })
+
+  describe('when ID token is missing required claims', () => {
+    const claims = {
+      iss: issuer,
+      aud: audience
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing claims/i)
+    })
+  })
+
+  describe('when ID has the wrong issuer', () => {
+    const claims = {foo: 'bar', iss: 'foo', aud: 'nobody'}
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(
+        /unexpected "iss"/i
+      )
+    })
+  })
+
+  describe('when ID has the wrong audience', () => {
+    const claims = {foo: 'bar', iss: issuer, aud: 'bar'}
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throw an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "aud"/)
+    })
+  })
+
+  describe('when openid config cannot be retrieved', () => {
+    const claims = {foo: 'bar', iss: issuer, aud: 'nobody'}
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+
+      // Disable the openid config endpoint
+      nock.removeInterceptor({
+        proto: 'https',
+        hostname: 'example.com',
+        port: '443',
+        method: 'GET',
+        path: openidConfigPath
+      })
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(
+        /failed to get id/i
+      )
+    })
+  })
+})
--- a/packages/attest/tests/provenance.test.ts
+++ b/packages/attest/tests/provenance.test.ts
@ -0,0 +1,248 @@
+import * as github from '@actions/github'
+import {mockFulcio, mockRekor, mockTSA} from '@sigstore/mock'
+import * as jose from 'jose'
+import nock from 'nock'
+import {MockAgent, setGlobalDispatcher} from 'undici'
+import {SIGSTORE_PUBLIC_GOOD, signingEndpoints} from '../src/endpoints'
+import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
+
+describe('provenance functions', () => {
+  const originalEnv = process.env
+  const issuer = 'https://token.actions.foo.ghe.com'
+  const audience = 'nobody'
+  const jwksPath = '/.well-known/jwks.json'
+  const tokenPath = '/token'
+
+  // MockAgent for mocking @actions/github
+  const mockAgent = new MockAgent()
+  setGlobalDispatcher(mockAgent)
+
+  const claims = {
+    iss: issuer,
+    aud: 'nobody',
+    repository: 'owner/repo',
+    ref: 'refs/heads/main',
+    sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+    job_workflow_ref: 'owner/workflows/.github/workflows/publish.yml@main',
+    workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+    event_name: 'push',
+    repository_id: 'repo-id',
+    repository_owner_id: 'owner-id',
+    run_id: 'run-id',
+    run_attempt: 'run-attempt',
+    runner_environment: 'github-hosted'
+  }
+
+  const mockIssuer = async (claims: jose.JWTPayload): Promise<void> => {
+    // Generate JWT signing key
+    const key = await jose.generateKeyPair('PS256')
+
+    // Create JWK, JWKS, and JWT
+    const jwk = await jose.exportJWK(key.publicKey)
+    const jwks = {keys: [jwk]}
+    const jwt = await new jose.SignJWT(claims)
+      .setProtectedHeader({alg: 'PS256'})
+      .sign(key.privateKey)
+
+    // Mock OpenID configuration and JWKS endpoints
+    nock(issuer)
+      .get('/.well-known/openid-configuration')
+      .reply(200, {jwks_uri: `${issuer}${jwksPath}`})
+    nock(issuer).get(jwksPath).reply(200, jwks)
+
+    // Mock OIDC token endpoint for populating the provenance
+    nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+  }
+
+  beforeEach(async () => {
+    process.env = {
+      ...originalEnv,
+      ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+      GITHUB_SERVER_URL: 'https://foo.ghe.com',
+      GITHUB_REPOSITORY: claims.repository
+    }
+
+    await mockIssuer(claims)
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe('buildSLSAProvenancePredicate', () => {
+    it('returns a provenance hydrated from an OIDC token', async () => {
+      const predicate = await buildSLSAProvenancePredicate()
+      expect(predicate).toMatchSnapshot()
+    })
+  })
+
+  describe('attestProvenance', () => {
+    // Subject to attest
+    const subjectName = 'subjective'
+    const subjectDigest = {
+      sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+    }
+
+    // Fake an OIDC token
+    const oidcPayload = {sub: 'foo@bar.com', iss: ''}
+    const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
+      'base64'
+    )}.}`
+
+    const attestationID = '1234567890'
+
+    beforeEach(async () => {
+      nock(issuer)
+        .get(tokenPath)
+        .query({audience: 'sigstore'})
+        .reply(200, {value: oidcToken})
+    })
+
+    describe('when using the github Sigstore instance', () => {
+      beforeEach(async () => {
+        const {fulcioURL, tsaServerURL} = signingEndpoints('github')
+
+        // Mock Sigstore
+        await mockFulcio({baseURL: fulcioURL, strict: false})
+        await mockTSA({baseURL: tsaServerURL})
+
+        mockAgent
+          .get('https://api.github.com')
+          .intercept({
+            path: /^\/repos\/.*\/.*\/attestations$/,
+            method: 'post'
+          })
+          .reply(201, {id: attestationID})
+      })
+
+      describe('when the sigstore instance is explicitly set', () => {
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjects: [{name: subjectName, digest: subjectDigest}],
+            token: 'token',
+            sigstore: 'github'
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeUndefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+
+      describe('when the sigstore instance is inferred from the repo visibility', () => {
+        const savedRepository = github.context.payload.repository
+
+        beforeEach(() => {
+          /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
+          github.context.payload.repository = {visibility: 'private'} as any
+        })
+
+        afterEach(() => {
+          github.context.payload.repository = savedRepository
+        })
+
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjects: [{name: subjectName, digest: subjectDigest}],
+            token: 'token'
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeUndefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+    })
+
+    describe('when using the public-good Sigstore instance', () => {
+      const {fulcioURL, rekorURL} = SIGSTORE_PUBLIC_GOOD
+
+      beforeEach(async () => {
+        // Mock Sigstore
+        await mockFulcio({baseURL: fulcioURL, strict: false})
+        await mockRekor({baseURL: rekorURL})
+
+        // Mock GH attestations API
+        mockAgent
+          .get('https://api.github.com')
+          .intercept({
+            path: /^\/repos\/.*\/.*\/attestations$/,
+            method: 'post'
+          })
+          .reply(201, {id: attestationID})
+      })
+
+      describe('when the sigstore instance is explicitly set', () => {
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjects: [{name: subjectName, digest: subjectDigest}],
+            token: 'token',
+            sigstore: 'public-good'
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeDefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+
+      describe('when the sigstore instance is inferred from the repo visibility', () => {
+        const savedRepository = github.context.payload.repository
+
+        beforeEach(() => {
+          /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
+          github.context.payload.repository = {visibility: 'public'} as any
+        })
+
+        afterEach(() => {
+          github.context.payload.repository = savedRepository
+        })
+
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjects: [{name: subjectName, digest: subjectDigest}],
+            token: 'token'
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeDefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+    })
+
+    describe('when skipWrite is set to true', () => {
+      const {fulcioURL, rekorURL} = SIGSTORE_PUBLIC_GOOD
+      beforeEach(async () => {
+        // Mock Sigstore
+        await mockFulcio({baseURL: fulcioURL, strict: false})
+        await mockRekor({baseURL: rekorURL})
+      })
+
+      it('attests provenance', async () => {
+        const attestation = await attestProvenance({
+          subjectName,
+          subjectDigest,
+          token: 'token',
+          sigstore: 'public-good',
+          skipWrite: true
+        })
+
+        expect(attestation).toBeDefined()
+        expect(attestation.bundle).toBeDefined()
+        expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+        expect(attestation.tlogID).toBeDefined()
+        expect(attestation.attestationID).toBeUndefined()
+      })
+    })
+  })
+})
--- a/packages/attest/tests/sign.test.ts
+++ b/packages/attest/tests/sign.test.ts
@ -0,0 +1,101 @@
+import {mockFulcio, mockRekor, mockTSA} from '@sigstore/mock'
+import nock from 'nock'
+import {Payload, signPayload} from '../src/sign'
+
+describe('signProvenance', () => {
+  const originalEnv = process.env
+
+  // Fake an OIDC token
+  const subject = 'foo@bar.com'
+  const oidcPayload = {sub: subject, iss: ''}
+  const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
+    'base64'
+  )}.}`
+
+  // Dummy provenance to be signed
+  const provenance = {
+    _type: 'https://in-toto.io/Statement/v1',
+    subject: {
+      name: 'subjective',
+      digest: {
+        sha256:
+          '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+      }
+    }
+  }
+
+  const payload: Payload = {
+    body: Buffer.from(JSON.stringify(provenance)),
+    type: 'application/vnd.in-toto+json'
+  }
+
+  const fulcioURL = 'https://fulcio.url'
+  const rekorURL = 'https://rekor.url'
+  const tsaServerURL = 'https://tsa.url'
+
+  beforeEach(() => {
+    // Mock OIDC token endpoint
+    const tokenURL = 'https://token.url'
+
+    process.env = {
+      ...originalEnv,
+      ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token'
+    }
+
+    nock(tokenURL)
+      .get('/')
+      .query({audience: 'sigstore'})
+      .reply(200, {value: oidcToken})
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe('when visibility is public', () => {
+    beforeEach(async () => {
+      await mockFulcio({baseURL: fulcioURL, strict: false})
+      await mockRekor({baseURL: rekorURL})
+    })
+
+    it('returns a bundle', async () => {
+      const att = await signPayload(payload, {fulcioURL, rekorURL})
+
+      expect(att).toBeDefined()
+      expect(att.mediaType).toEqual(
+        'application/vnd.dev.sigstore.bundle.v0.3+json'
+      )
+
+      expect(att.content.$case).toEqual('dsseEnvelope')
+      expect(att.verificationMaterial.content.$case).toEqual('certificate')
+      expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
+      expect(
+        att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
+      ).toHaveLength(0)
+    })
+  })
+
+  describe('when visibility is private', () => {
+    beforeEach(async () => {
+      await mockFulcio({baseURL: fulcioURL, strict: false})
+      await mockTSA({baseURL: tsaServerURL})
+    })
+
+    it('returns a bundle', async () => {
+      const att = await signPayload(payload, {fulcioURL, tsaServerURL})
+
+      expect(att).toBeDefined()
+      expect(att.mediaType).toEqual(
+        'application/vnd.dev.sigstore.bundle.v0.3+json'
+      )
+
+      expect(att.content.$case).toEqual('dsseEnvelope')
+      expect(att.verificationMaterial.content.$case).toEqual('certificate')
+      expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
+      expect(
+        att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
+      ).toHaveLength(1)
+    })
+  })
+})
--- a/packages/attest/tests/store.test.ts
+++ b/packages/attest/tests/store.test.ts
@ -0,0 +1,93 @@
+import {MockAgent, setGlobalDispatcher} from 'undici'
+import {writeAttestation} from '../src/store'
+
+describe('writeAttestation', () => {
+  const originalEnv = process.env
+  const attestation = {foo: 'bar '}
+  const token = 'token'
+  const headers = {'X-GitHub-Foo': 'true'}
+
+  const mockAgent = new MockAgent()
+  setGlobalDispatcher(mockAgent)
+
+  beforeEach(() => {
+    process.env = {
+      ...originalEnv,
+      GITHUB_REPOSITORY: 'foo/bar'
+    }
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe('when the api call is successful', () => {
+    beforeEach(() => {
+      mockAgent
+        .get('https://api.github.com')
+        .intercept({
+          path: '/repos/foo/bar/attestations',
+          method: 'POST',
+          headers: {authorization: `token ${token}`, ...headers},
+          body: JSON.stringify({bundle: attestation})
+        })
+        .reply(201, {id: '123'})
+    })
+
+    it('persists the attestation', async () => {
+      await expect(
+        writeAttestation(attestation, token, {headers})
+      ).resolves.toEqual('123')
+    })
+  })
+
+  describe('when the api call fails', () => {
+    beforeEach(() => {
+      mockAgent
+        .get('https://api.github.com')
+        .intercept({
+          path: '/repos/foo/bar/attestations',
+          method: 'POST',
+          headers: {authorization: `token ${token}`},
+          body: JSON.stringify({bundle: attestation})
+        })
+        .reply(500, 'oops')
+    })
+
+    it('throws an error', async () => {
+      await expect(
+        writeAttestation(attestation, token, {retry: 0})
+      ).rejects.toThrow(/oops/)
+    })
+  })
+
+  describe('when the api call fails but succeeds on retry', () => {
+    beforeEach(() => {
+      const pool = mockAgent.get('https://api.github.com')
+
+      pool
+        .intercept({
+          path: '/repos/foo/bar/attestations',
+          method: 'POST',
+          headers: {authorization: `token ${token}`},
+          body: JSON.stringify({bundle: attestation})
+        })
+        .reply(500, 'oops')
+        .times(1)
+
+      pool
+        .intercept({
+          path: '/repos/foo/bar/attestations',
+          method: 'POST',
+          headers: {authorization: `token ${token}`},
+          body: JSON.stringify({bundle: attestation})
+        })
+        .reply(201, {id: '123'})
+        .times(1)
+    })
+
+    it('persists the attestation', async () => {
+      await expect(writeAttestation(attestation, token)).resolves.toEqual('123')
+    })
+  })
+})
--- a/packages/attest/package-lock.json
+++ b/packages/attest/package-lock.json
--- a/packages/attest/package.json
+++ b/packages/attest/package.json
@ -0,0 +1,58 @@
+{
+  "name": "@actions/attest",
+  "version": "2.0.0",
+  "description": "Actions attestation lib",
+  "keywords": [
+    "github",
+    "actions",
+    "attestation"
+  ],
+  "homepage": "https://github.com/actions/toolkit/tree/main/packages/attest",
+  "license": "MIT",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "directories": {
+    "lib": "lib",
+    "test": "__tests__"
+  },
+  "files": [
+    "lib"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actions/toolkit.git",
+    "directory": "packages/attest"
+  },
+  "scripts": {
+    "test": "echo \"Error: run tests from root\" && exit 1",
+    "tsc": "tsc"
+  },
+  "bugs": {
+    "url": "https://github.com/actions/toolkit/issues"
+  },
+  "devDependencies": {
+    "@sigstore/mock": "^0.10.0",
+    "@sigstore/rekor-types": "^3.0.0",
+    "@types/jsonwebtoken": "^9.0.6",
+    "nock": "^13.5.1",
+    "undici": "^6.20.0"
+  },
+  "dependencies": {
+    "@actions/core": "^1.11.1",
+    "@actions/github": "^6.0.0",
+    "@actions/http-client": "^2.2.3",
+    "@octokit/plugin-retry": "^6.0.1",
+    "@sigstore/bundle": "^3.1.0",
+    "@sigstore/sign": "^3.1.0",
+    "jose": "^5.10.0"
+  },
+  "overrides": {
+    "@octokit/plugin-retry": {
+      "@octokit/core": "^5.2.0"
+    }
+  }
+}
--- a/packages/attest/src/attest.ts
+++ b/packages/attest/src/attest.ts
@ -0,0 +1,117 @@
+import {bundleToJSON} from '@sigstore/bundle'
+import {X509Certificate} from 'crypto'
+import {SigstoreInstance, signingEndpoints} from './endpoints'
+import {buildIntotoStatement} from './intoto'
+import {Payload, signPayload} from './sign'
+import {writeAttestation} from './store'
+
+import type {Bundle} from '@sigstore/sign'
+import type {Attestation, Predicate, Subject} from './shared.types'
+
+const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
+
+/**
+ * Options for attesting a subject / predicate.
+ */
+export type AttestOptions = {
+  /**
+   * @deprecated Use `subjects` instead.
+   **/
+  subjectName?: string
+  /**
+   * @deprecated Use `subjects` instead.
+   **/
+  subjectDigest?: Record<string, string>
+  // Subjects to be attested.
+  subjects?: Subject[]
+  // Content type of the predicate being attested.
+  predicateType: string
+  // Predicate to be attested.
+  predicate: object
+  // GitHub token for writing attestations.
+  token: string
+  // Sigstore instance to use for signing. Must be one of "public-good" or
+  // "github".
+  sigstore?: SigstoreInstance
+  // HTTP headers to include in request to attestations API.
+  headers?: {[header: string]: string | number | undefined}
+  // Whether to skip writing the attestation to the GH attestations API.
+  skipWrite?: boolean
+}
+
+/**
+ * Generates an attestation for the given subject and predicate. The subject and
+ * predicate are combined into an in-toto statement, which is then signed using
+ * the identified Sigstore instance and stored as an attestation.
+ * @param options - The options for attestation.
+ * @returns A promise that resolves to the attestation.
+ */
+export async function attest(options: AttestOptions): Promise<Attestation> {
+  let subjects: Subject[]
+
+  if (options.subjects) {
+    subjects = options.subjects
+  } else if (options.subjectName && options.subjectDigest) {
+    subjects = [{name: options.subjectName, digest: options.subjectDigest}]
+  } else {
+    throw new Error(
+      'Must provide either subjectName and subjectDigest or subjects'
+    )
+  }
+
+  const predicate: Predicate = {
+    type: options.predicateType,
+    params: options.predicate
+  }
+
+  const statement = buildIntotoStatement(subjects, predicate)
+
+  // Sign the provenance statement
+  const payload: Payload = {
+    body: Buffer.from(JSON.stringify(statement)),
+    type: INTOTO_PAYLOAD_TYPE
+  }
+  const endpoints = signingEndpoints(options.sigstore)
+  const bundle = await signPayload(payload, endpoints)
+
+  // Store the attestation
+  let attestationID: string | undefined
+  if (options.skipWrite !== true) {
+    attestationID = await writeAttestation(
+      bundleToJSON(bundle),
+      options.token,
+      {headers: options.headers}
+    )
+  }
+
+  return toAttestation(bundle, attestationID)
+}
+
+function toAttestation(bundle: Bundle, attestationID?: string): Attestation {
+  let certBytes: Buffer
+  switch (bundle.verificationMaterial.content.$case) {
+    case 'x509CertificateChain':
+      certBytes =
+        bundle.verificationMaterial.content.x509CertificateChain.certificates[0]
+          .rawBytes
+      break
+    case 'certificate':
+      certBytes = bundle.verificationMaterial.content.certificate.rawBytes
+      break
+    default:
+      throw new Error('Bundle must contain an x509 certificate')
+  }
+
+  const signingCert = new X509Certificate(certBytes)
+
+  // Collect transparency log ID if available
+  const tlogEntries = bundle.verificationMaterial.tlogEntries
+  const tlogID = tlogEntries.length > 0 ? tlogEntries[0].logIndex : undefined
+
+  return {
+    bundle: bundleToJSON(bundle),
+    certificate: signingCert.toString(),
+    tlogID,
+    attestationID
+  }
+}
--- a/packages/attest/src/endpoints.ts
+++ b/packages/attest/src/endpoints.ts
@ -0,0 +1,55 @@
+import * as github from '@actions/github'
+
+const PUBLIC_GOOD_ID = 'public-good'
+const GITHUB_ID = 'github'
+
+const FULCIO_PUBLIC_GOOD_URL = 'https://fulcio.sigstore.dev'
+const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev'
+
+export type SigstoreInstance = typeof PUBLIC_GOOD_ID | typeof GITHUB_ID
+
+export type Endpoints = {
+  fulcioURL: string
+  rekorURL?: string
+  tsaServerURL?: string
+}
+
+export const SIGSTORE_PUBLIC_GOOD: Endpoints = {
+  fulcioURL: FULCIO_PUBLIC_GOOD_URL,
+  rekorURL: REKOR_PUBLIC_GOOD_URL
+}
+
+export const signingEndpoints = (sigstore?: SigstoreInstance): Endpoints => {
+  let instance: SigstoreInstance
+
+  // An explicitly set instance type takes precedence, but if not set, use the
+  // repository's visibility to determine the instance type.
+  if (sigstore && [PUBLIC_GOOD_ID, GITHUB_ID].includes(sigstore)) {
+    instance = sigstore
+  } else {
+    instance =
+      github.context.payload.repository?.visibility === 'public'
+        ? PUBLIC_GOOD_ID
+        : GITHUB_ID
+  }
+
+  switch (instance) {
+    case PUBLIC_GOOD_ID:
+      return SIGSTORE_PUBLIC_GOOD
+    case GITHUB_ID:
+      return buildGitHubEndpoints()
+  }
+}
+
+function buildGitHubEndpoints(): Endpoints {
+  const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
+  let host = new URL(serverURL).hostname
+
+  if (host === 'github.com') {
+    host = 'githubapp.com'
+  }
+  return {
+    fulcioURL: `https://fulcio.${host}`,
+    tsaServerURL: `https://timestamp.${host}`
+  }
+}
--- a/packages/attest/src/index.ts
+++ b/packages/attest/src/index.ts
@ -0,0 +1,9 @@
+export {AttestOptions, attest} from './attest'
+export {
+  AttestProvenanceOptions,
+  attestProvenance,
+  buildSLSAProvenancePredicate
+} from './provenance'
+
+export type {SerializedBundle} from '@sigstore/bundle'
+export type {Attestation, Predicate, Subject} from './shared.types'
--- a/packages/attest/src/intoto.ts
+++ b/packages/attest/src/intoto.ts
@ -0,0 +1,32 @@
+import {Predicate, Subject} from './shared.types'
+
+const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1'
+
+/**
+ * An in-toto statement.
+ * https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md
+ */
+export type InTotoStatement = {
+  _type: string
+  subject: Subject[]
+  predicateType: string
+  predicate: object
+}
+
+/**
+ * Assembles the given subject and predicate into an in-toto statement.
+ * @param subject - The subject of the statement.
+ * @param predicate - The predicate of the statement.
+ * @returns The constructed in-toto statement.
+ */
+export const buildIntotoStatement = (
+  subjects: Subject[],
+  predicate: Predicate
+): InTotoStatement => {
+  return {
+    _type: INTOTO_STATEMENT_V1_TYPE,
+    subject: subjects,
+    predicateType: predicate.type,
+    predicate: predicate.params
+  }
+}
--- a/packages/attest/src/oidc.ts
+++ b/packages/attest/src/oidc.ts
@ -0,0 +1,117 @@
+import {getIDToken} from '@actions/core'
+import {HttpClient} from '@actions/http-client'
+import * as jose from 'jose'
+
+const OIDC_AUDIENCE = 'nobody'
+
+const VALID_SERVER_URLS = [
+  'https://github.com',
+  new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
+] as const
+
+const REQUIRED_CLAIMS = [
+  'iss',
+  'ref',
+  'sha',
+  'repository',
+  'event_name',
+  'job_workflow_ref',
+  'workflow_ref',
+  'repository_id',
+  'repository_owner_id',
+  'runner_environment',
+  'run_id',
+  'run_attempt'
+] as const
+
+export type ClaimSet = {[K in (typeof REQUIRED_CLAIMS)[number]]: string}
+
+type OIDCConfig = {
+  jwks_uri: string
+}
+
+export const getIDTokenClaims = async (issuer?: string): Promise<ClaimSet> => {
+  issuer = issuer || getIssuer()
+  try {
+    const token = await getIDToken(OIDC_AUDIENCE)
+    const claims = await decodeOIDCToken(token, issuer)
+    assertClaimSet(claims)
+    return claims
+  } catch (error) {
+    throw new Error(`Failed to get ID token: ${error.message}`)
+  }
+}
+
+const decodeOIDCToken = async (
+  token: string,
+  issuer: string
+): Promise<jose.JWTPayload> => {
+  // Verify and decode token
+  const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
+  const {payload} = await jose.jwtVerify(token, jwks, {
+    audience: OIDC_AUDIENCE
+  })
+
+  if (!payload.iss) {
+    throw new Error('Missing "iss" claim')
+  }
+
+  // Check that the issuer STARTS WITH the expected issuer URL to account for
+  // the fact that the value may include an enterprise-specific slug
+  if (!payload.iss.startsWith(issuer)) {
+    throw new Error(`Unexpected "iss" claim: ${payload.iss}`)
+  }
+
+  return payload
+}
+
+const getJWKS = async (issuer: string): Promise<jose.JSONWebKeySet> => {
+  const client = new HttpClient('@actions/attest')
+  const config = await client.getJson<OIDCConfig>(
+    `${issuer}/.well-known/openid-configuration`
+  )
+
+  if (!config.result) {
+    throw new Error('No OpenID configuration found')
+  }
+
+  const jwks = await client.getJson<jose.JSONWebKeySet>(config.result.jwks_uri)
+
+  if (!jwks.result) {
+    throw new Error('No JWKS found for issuer')
+  }
+
+  return jwks.result
+}
+
+function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet {
+  const missingClaims: string[] = []
+
+  for (const claim of REQUIRED_CLAIMS) {
+    if (!(claim in claims)) {
+      missingClaims.push(claim)
+    }
+  }
+
+  if (missingClaims.length > 0) {
+    throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
+  }
+}
+
+// Derive the current OIDC issuer based on the server URL
+function getIssuer(): string {
+  const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
+
+  // Ensure the server URL is a valid GitHub server URL
+  if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
+    throw new Error(`Invalid server URL: ${serverURL}`)
+  }
+
+  let host = new URL(serverURL).hostname
+
+  if (host === 'github.com') {
+    host = 'githubusercontent.com'
+  }
+
+  return `https://token.actions.${host}`
+}
--- a/packages/attest/src/provenance.ts
+++ b/packages/attest/src/provenance.ts
@ -0,0 +1,95 @@
+import {attest, AttestOptions} from './attest'
+import {getIDTokenClaims} from './oidc'
+import type {Attestation, Predicate} from './shared.types'
+
+const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
+
+export type AttestProvenanceOptions = Omit<
+  AttestOptions,
+  'predicate' | 'predicateType'
+> & {
+  issuer?: string
+}
+
+/**
+ * Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
+ * predicate using the GitHub Actions Workflow build type.
+ * https://slsa.dev/spec/v1.0/provenance
+ * https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1
+ * @param issuer - URL for the OIDC issuer. Defaults to the GitHub Actions token
+ * issuer.
+ * @returns The SLSA provenance predicate.
+ */
+export const buildSLSAProvenancePredicate = async (
+  issuer?: string
+): Promise<Predicate> => {
+  const serverURL = process.env.GITHUB_SERVER_URL
+  const claims = await getIDTokenClaims(issuer)
+
+  // Split just the path and ref from the workflow string.
+  // owner/repo/.github/workflows/main.yml@main =>
+  //   .github/workflows/main.yml, main
+  const [workflowPath] = claims.workflow_ref
+    .replace(`${claims.repository}/`, '')
+    .split('@')
+
+  return {
+    type: SLSA_PREDICATE_V1_TYPE,
+    params: {
+      buildDefinition: {
+        buildType: GITHUB_BUILD_TYPE,
+        externalParameters: {
+          workflow: {
+            ref: claims.ref,
+            repository: `${serverURL}/${claims.repository}`,
+            path: workflowPath
+          }
+        },
+        internalParameters: {
+          github: {
+            event_name: claims.event_name,
+            repository_id: claims.repository_id,
+            repository_owner_id: claims.repository_owner_id,
+            runner_environment: claims.runner_environment
+          }
+        },
+        resolvedDependencies: [
+          {
+            uri: `git+${serverURL}/${claims.repository}@${claims.ref}`,
+            digest: {
+              gitCommit: claims.sha
+            }
+          }
+        ]
+      },
+      runDetails: {
+        builder: {
+          id: `${serverURL}/${claims.job_workflow_ref}`
+        },
+        metadata: {
+          invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
+        }
+      }
+    }
+  }
+}
+
+/**
+ * Attests the build provenance of the provided subject. Generates the SLSA
+ * build provenance predicate, assembles it into an in-toto statement, and
+ * attests it.
+ *
+ * @param options - The options for attesting the provenance.
+ * @returns A promise that resolves to the attestation.
+ */
+export async function attestProvenance(
+  options: AttestProvenanceOptions
+): Promise<Attestation> {
+  const predicate = await buildSLSAProvenancePredicate(options.issuer)
+  return attest({
+    ...options,
+    predicateType: predicate.type,
+    predicate: predicate.params
+  })
+}
--- a/packages/attest/src/shared.types.ts
+++ b/packages/attest/src/shared.types.ts
@ -0,0 +1,52 @@
+import type {SerializedBundle} from '@sigstore/bundle'
+
+/*
+ * The subject of an attestation.
+ */
+export type Subject = {
+  /*
+   * Name of the subject.
+   */
+  name: string
+  /*
+   * Digests of the subject. Should be a map of digest algorithms to their hex-encoded values.
+   */
+  digest: Record<string, string>
+}
+
+/*
+ * The predicate of an attestation.
+ */
+export type Predicate = {
+  /*
+   * URI identifying the content type of the predicate.
+   */
+  type: string
+  /*
+   * Predicate parameters.
+   */
+  params: object
+}
+
+/*
+ * Artifact attestation.
+ */
+export type Attestation = {
+  /*
+   * Serialized Sigstore bundle containing the provenance attestation,
+   * signature, signing certificate and witnessed timestamp.
+   */
+  bundle: SerializedBundle
+  /*
+   * PEM-encoded signing certificate used to sign the attestation.
+   */
+  certificate: string
+  /*
+   * ID of Rekor transparency log entry created for the attestation.
+   */
+  tlogID?: string
+  /*
+   * ID of the persisted attestation (accessible via the GH API).
+   */
+  attestationID?: string
+}
--- a/packages/attest/src/sign.ts
+++ b/packages/attest/src/sign.ts
@ -0,0 +1,109 @@
+import {
+  Bundle,
+  BundleBuilder,
+  CIContextProvider,
+  DSSEBundleBuilder,
+  FulcioSigner,
+  RekorWitness,
+  TSAWitness,
+  Witness
+} from '@sigstore/sign'
+
+const OIDC_AUDIENCE = 'sigstore'
+const DEFAULT_TIMEOUT = 10000
+const DEFAULT_RETRIES = 3
+
+/**
+ * The payload to be signed (body) and its media type (type).
+ */
+export type Payload = {
+  body: Buffer
+  type: string
+}
+
+/**
+ * Options for signing a document.
+ */
+export type SignOptions = {
+  /**
+   * The URL of the Fulcio service.
+   */
+  fulcioURL: string
+  /**
+   * The URL of the Rekor service.
+   */
+  rekorURL?: string
+  /**
+   * The URL of the TSA (Time Stamping Authority) server.
+   */
+  tsaServerURL?: string
+  /**
+   * The timeout duration in milliseconds when communicating with Sigstore
+   * services.
+   */
+  timeout?: number
+  /**
+   * The number of retry attempts.
+   */
+  retry?: number
+}
+
+/**
+ * Signs the provided payload with a Sigstore-issued certificate and returns the
+ * signature bundle.
+ * @param payload Payload to be signed.
+ * @param options Signing options.
+ * @returns A promise that resolves to the Sigstore signature bundle.
+ */
+export const signPayload = async (
+  payload: Payload,
+  options: SignOptions
+): Promise<Bundle> => {
+  const artifact = {
+    data: payload.body,
+    type: payload.type
+  }
+
+  // Sign the artifact and build the bundle
+  return initBundleBuilder(options).create(artifact)
+}
+
+// Assembles the Sigstore bundle builder with the appropriate options
+const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
+  const identityProvider = new CIContextProvider(OIDC_AUDIENCE)
+  const timeout = opts.timeout || DEFAULT_TIMEOUT
+  const retry = opts.retry || DEFAULT_RETRIES
+  const witnesses: Witness[] = []
+
+  const signer = new FulcioSigner({
+    identityProvider,
+    fulcioBaseURL: opts.fulcioURL,
+    timeout,
+    retry
+  })
+
+  if (opts.rekorURL) {
+    witnesses.push(
+      new RekorWitness({
+        rekorBaseURL: opts.rekorURL,
+        fetchOnConflict: true,
+        timeout,
+        retry
+      })
+    )
+  }
+
+  if (opts.tsaServerURL) {
+    witnesses.push(
+      new TSAWitness({
+        tsaBaseURL: opts.tsaServerURL,
+        timeout,
+        retry
+      })
+    )
+  }
+
+  // Build the bundle with the singleCertificate option which will
+  // trigger the creation of v0.3 DSSE bundles
+  return new DSSEBundleBuilder({signer, witnesses})
+}
--- a/packages/attest/src/store.ts
+++ b/packages/attest/src/store.ts
@ -0,0 +1,48 @@
+import * as github from '@actions/github'
+import {retry} from '@octokit/plugin-retry'
+import {RequestHeaders} from '@octokit/types'
+
+const CREATE_ATTESTATION_REQUEST = 'POST /repos/{owner}/{repo}/attestations'
+const DEFAULT_RETRY_COUNT = 5
+
+export type WriteOptions = {
+  retry?: number
+  headers?: RequestHeaders
+}
+/**
+ * Writes an attestation to the repository's attestations endpoint.
+ * @param attestation - The attestation to write.
+ * @param token - The GitHub token for authentication.
+ * @returns The ID of the attestation.
+ * @throws Error if the attestation fails to persist.
+ */
+export const writeAttestation = async (
+  attestation: unknown,
+  token: string,
+  options: WriteOptions = {}
+): Promise<string> => {
+  const retries = options.retry ?? DEFAULT_RETRY_COUNT
+  const octokit = github.getOctokit(token, {retry: {retries}}, retry)
+
+  try {
+    const response = await octokit.request(CREATE_ATTESTATION_REQUEST, {
+      owner: github.context.repo.owner,
+      repo: github.context.repo.repo,
+      headers: options.headers,
+      bundle: attestation as {
+        mediaType?: string
+        verificationMaterial?: {[key: string]: unknown}
+        dsseEnvelope?: {[key: string]: unknown}
+      }
+    })
+
+    const data =
+      typeof response.data == 'string'
+        ? JSON.parse(response.data)
+        : response.data
+    return data?.id
+  } catch (err) {
+    const message = err instanceof Error ? err.message : err
+    throw new Error(`Failed to persist attestation: ${message}`)
+  }
+}
--- a/packages/attest/tsconfig.json
+++ b/packages/attest/tsconfig.json
@ -0,0 +1,12 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "baseUrl": "./",
+    "outDir": "./lib",
+    "declaration": true,
+    "rootDir": "./src"
+  },
+  "include": [
+    "./src"
+  ]
+}
--- a/packages/cache/README.md
+++ b/packages/cache/README.md
@ -6,6 +6,20 @@ See ["Caching dependencies to speed up workflows"](https://docs.github.com/en/ac

 Note that GitHub will remove any cache entries that have not been accessed in over 7 days. There is no limit on the number of caches you can store, but the total size of all caches in a repository is limited to 10 GB. If you exceed this limit, GitHub will save your cache but will begin evicting caches until the total size is less than 10 GB.

+## ⚠️ Important changes
+
+The cache backend service has been rewritten from the ground up for improved performance and reliability. The [@actions/cache](https://github.com/actions/toolkit/tree/main/packages/cache) package now integrates with the new cache service (v2) APIs.
+
+The new service will gradually roll out as of **February 1st, 2025**. The legacy service will also be sunset on the same date. Changes in this release are **fully backward compatible**.
+
+**All previous versions of this package will be deprecated**. We recommend upgrading to version `4.0.0` as soon as possible before **February 1st, 2025.**
+
+If you do not upgrade, all workflow runs using any of the deprecated [@actions/cache](https://github.com/actions/toolkit/tree/main/packages/cache) packages will fail.
+
+Upgrading to the recommended version should not break or require any changes to your workflows beyond updating your `package.json` to version `4.0.0`.
+
+Read more about the change & access the migration guide: [reference to the announcement](https://github.com/actions/toolkit/discussions/1890).
+
 ## Usage

 This package is used by the v2+ versions of our first party cache action. You can find an example implementation in the cache repo [here](https://github.com/actions/cache).
@ -47,5 +61,3 @@ const cacheKey = await cache.restoreCache(paths, key, restoreKeys)
 A cache gets downloaded in multiple segments of fixed sizes (now `128MB` to fail-fast, previously `1GB` for a `32-bit` runner and `2GB` for a `64-bit` runner were used). Sometimes, a segment download gets stuck which causes the workflow job to be stuck forever and fail. Version `v3.0.4` of cache package introduces a segment download timeout. The segment download timeout will allow the segment download to get aborted and hence allow the job to proceed with a cache miss.

 Default value of this timeout is 10 minutes (starting `v3.2.1` and higher, previously 60 minutes in versions between `v.3.0.4` and `v3.2.0`, both included) and can be customized by specifying an [environment variable](https://docs.github.com/en/actions/learn-github-actions/environment-variables) named `SEGMENT_DOWNLOAD_TIMEOUT_MINS` with timeout value in minutes.
-
-
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				Docs will be added here once development of version `2.0.0` has finished