diff --git a/packages/action/src/comment/postGithubCommentFromArtifact.ts b/packages/action/src/comment/postGithubCommentFromArtifact.ts
index 00959c53..fbe98809 100644
--- a/packages/action/src/comment/postGithubCommentFromArtifact.ts
+++ b/packages/action/src/comment/postGithubCommentFromArtifact.ts
@@ -10,10 +10,12 @@ import type { Logger } from "@covector/types";
 export function* postGithubCommentFromArtifact({
   logger,
   octokit,
+  token,
   payload,
 }: {
   logger: Logger;
   octokit: InstanceType<typeof GitHub>;
+  token: string;
   payload: WorkflowRunEvent;
 }): Operation<void> {
   const {
@@ -22,22 +24,28 @@ export function* postGithubCommentFromArtifact({
       owner: { login: owner },
     },
   } = payload;
-  const allArtifacts = yield octokit.rest.actions.listWorkflowRunArtifacts({
-    owner: owner,
-    repo: repo,
+
+  const artifacts = yield octokit.rest.actions.listWorkflowRunArtifacts({
+    owner,
+    repo,
     run_id: payload.workflow_run.id,
   });
-
-  // download the artifact from `pull_request` workflow that generated it
-  const commentArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+  const commentArtifact = artifacts.data.artifacts.filter((artifact) => {
     return artifact.name == "covector-comment";
   })[0];
 
   const artifact = new DefaultArtifactClient();
   const artifactRoot = process.env.RUNNER_TEMP ?? "..";
+  // this is required to elevate iternal permissions to fetch artifacts from another workflow
+  const findBy = {
+    token,
+    workflowRunId: payload.workflow_run.id,
+    repositoryOwner: owner,
+    repositoryName: repo,
+  };
   const { downloadPath } = yield artifact.downloadArtifact(commentArtifact.id, {
-    // optional: download destination path. otherwise defaults to $GITHUB_WORKSPACE
     path: artifactRoot,
+    findBy,
   });
 
   const comment = yield fs.readFile(
@@ -52,5 +60,12 @@ export function* postGithubCommentFromArtifact({
   );
   const prNumber = parseInt(prNumberAsString, 10);
 
-  yield postGithubComment({ logger, comment, octokit, repo, owner, prNumber });
+  yield postGithubComment({
+    logger,
+    comment,
+    octokit,
+    repo,
+    owner,
+    prNumber,
+  });
 }
diff --git a/packages/action/src/index.ts b/packages/action/src/index.ts
index 15847329..b52b0db1 100644
--- a/packages/action/src/index.ts
+++ b/packages/action/src/index.ts
@@ -65,7 +65,12 @@ export function* run(logger: Logger): Generator<any, any, any> {
       if (github.context.eventName === "workflow_run") {
         const octokit = github.getOctokit(token);
         const payload = github.context.payload as WorkflowRunEvent;
-        yield postGithubCommentFromArtifact({ logger, octokit, payload });
+        yield postGithubCommentFromArtifact({
+          logger,
+          octokit,
+          token,
+          payload,
+        });
       } else {
         const covectored: CovectorStatus = yield covector({
           logger,