Summary

Adds a content-returning path to actions_get for workflow artifacts, so callers can resolve an artifact by workflow run and exact name and receive bounded extracted file contents instead of dropping out to raw ZIP handling.

Why

actions_list can enumerate artifacts and actions_get can return a signed download URL for a known artifact ID, but agents still have to chain raw REST calls, download a ZIP, and extract files outside MCP to inspect a run artifact. The issue's agent-artifacts and token-usage.jsonl workflow needs the server to bridge that metadata-to-content gap while preserving size limits, exact-name resolution, and binary safety.

Fixes #2329

What changed

• pkg/github/actions.go: extend download_workflow_run_artifact handling to accept run_id, artifact_name, optional path, and max_bytes, resolve the artifact by exact name, and download/extract bounded ZIP contents.
• pkg/github/actions.go: keep the existing artifact-id URL path for callers that pass only resource_id, cap archive downloads before ZIP parsing, and return metadata-only entries for binary or non-text files.
• pkg/github/actions_test.go: add focused mock tests for exact artifact-name resolution, missing artifact handling, legacy URL behavior, path filtering, bounded ZIP text extraction, archive-size rejection, and UTF-8-safe truncation.
• pkg/github/__toolsnaps__/actions_get.snap and README.md: regenerate schema and docs.

MCP impact

• Tool schema or behavior changed
  actions_get keeps download_workflow_run_artifact but adds parameters for run/name content retrieval; existing artifact-id URL behavior stays available.

Prompts tested (tool changes only)

• "Download the agent-artifacts artifact from workflow run 123 and show me token-usage.jsonl."
• "Download the agent-artifacts artifact from workflow run 123 and show me nested/result.txt with a 4 byte cap."
• "Get a temporary download URL for artifact ID 456."

Security / limits

• Data exposure, filtering, or token/size limits considered
  Artifact contents are bounded by max_bytes; artifact archives are capped before ZIP parsing; exact path filtering is optional; binary or non-UTF-8 entries return metadata only instead of unsafe content.

Tool renaming

• I am not renaming tools as part of this PR

Lint & tests

• Linted locally with golangci-lint run

• Tested locally with targeted package commands plus the required schema/doc generation commands

• go test ./pkg/github -run "Test_ActionsGet|TestActionsGet|Test.*Artifact" — passed; covers the actions_get schema, legacy artifact-ID URL behavior, run/name artifact resolution, missing artifact errors, exact path filtering, truncation, archive-size rejection, UTF-8-safe truncation, and binary metadata-only output.

• $env:UPDATE_TOOLSNAPS='true'; go test ./pkg/github; Remove-Item env:UPDATE_TOOLSNAPS — passed; required full pkg/github toolsnap regeneration command.

• bash script/generate-docs — passed; regenerated README.md.

• golangci-lint run — passed with 0 issues.

Docs

• Updated (README / docs / examples)
  Regenerated the generated README tool section with bash script/generate-docs; restored unrelated generated docs so the final diff stays within the target allowlist.