What does "if only public resources are requested" mean here?

[jcflack]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#download-an-artifact

What part(s) of the article would you like to see updated?

The "Download an artifact" section (and possibly others that contain similar language).

Seeing this sentence in that section:

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

I tried that:

import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import static java.net.http.HttpResponse.BodyHandlers.*;
import static java.net.http.HttpClient.Redirect.NORMAL;
import java.net.CookieManager;

var client = HttpClient.newBuilder()
  .followRedirects(NORMAL)
  .cookieHandler(new CookieManager())
  .build();

var apiuri =
"https://api.github.com/repos/pfirmstone/jdk-with-authorization/actions/artifacts/2288175575/zip";

var req = HttpRequest.newBuilder(URI.create(apiuri)).GET()
  .header("X-GitHub-Api-Version", "2022-11-28").build();

var resp = client.send(req, ofInputStream());

But got this response:

{
 "message":
 "You must have the actions scope to download artifacts.",
 "documentation_url":
 "https://docs.github.com/rest/actions/artifacts#download-an-artifact",
 "status":"403"
}

As an API user, getting this result, there are three possibilities I cannot easily distinguish:

• Does it mean that even though the pfirmstone/jdk-with-authorization repo is public (I checked), the 2288175575 artifact is not a "public resource", but there is something the repo owner could change to make future uploaded artifacts be public, and then such a request ought to work?
• Does it mean the request really should have worked, and the 403 response was returned in error?
• Does it mean that really no workflow artifacts are ever "public resources", and therefore the documentation saying "can be used without authentication ... if only public resources are requested" is taunting me with a statement that applies to the empty-set of cases, like "you can connect without authentication whenever the cow you're downloading is spherical"?

Not knowing which of those explanations it is, I thought I would ask as a docs issue first.

Expected outcome or behavior would be that whatever the docs say about when an unauthenticated request can or can't be made would correspond to what actually happens—whether that requires a docs change or a behavior change—or at least the terms would be clarified so it's more obvious why the behavior is right.

Additional information

No response

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[subatoi]

Hi @jcflack, thanks for raising an issue and providing such detail

Typically I'd recommend that you open an issue with our Support team if your plan includes access to that, or opening a community discussion if not

Under the circumstances, since there might be a docs issue, I'm investigating if that's the case and I'll get back to you as soon as I can, but unlike with Support, I'm afraid I can't guarantee a specific timeframe for a response here.

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀