diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml index 224bfb0..5928733 100644 --- a/.forgejo/workflows/tag-release.yml +++ b/.forgejo/workflows/tag-release.yml @@ -18,6 +18,7 @@ on: - aws-configure - cache - checkout + - download-artifact - helm-deploy - inject-content - maven-build @@ -25,6 +26,7 @@ on: - publish-static-contents - terraform-apply - terraform-validate + - upload-artifact major-version: description: 'Major version number (e.g. 1)' required: true diff --git a/README.md b/README.md index 07aa3e3..561812a 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ Shared actions for Forgejo CI/CD pipelines. | [aws-configure](aws-configure) | Authenticate with AWS via OIDC | | [cache](cache) | Cache files between workflow runs | | [checkout](checkout) | Action for checking out a repository | +| [download-artifact](download-artifact) | Download Forgejo Actions artifacts by name or pattern | | [helm-deploy](helm-deploy) | Deploy a service to Kubernetes via Helm over SSH | | [inject-content](inject-content) | Inject content into a file by appending or overwriting | | [maven-build](maven-build) | Action for building and validating Maven projects | @@ -18,6 +19,7 @@ Shared actions for Forgejo CI/CD pipelines. | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution | | [terraform-apply](terraform-apply) | Apply Terraform configuration files using the official Terraform CLI | | [terraform-validate](terraform-validate) | Validate Terraform configuration files using the official Terraform CLI | +| [upload-artifact](upload-artifact) | Upload files as a Forgejo Actions artifact | ## Security diff --git a/download-artifact/README.md b/download-artifact/README.md new file mode 100644 index 0000000..e99bb09 --- /dev/null +++ b/download-artifact/README.md 
@@ -0,0 +1,46 @@ +# download-artifact + +Download Forgejo Actions artifacts by name or pattern. Thin wrapper around `forgejo/download-artifact` pinned to a specific commit SHA to prevent supply chain attacks. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `name` | No | `""` | Exact artifact name or glob pattern (e.g. `blob-report-*`). If omitted, all artifacts for the run are downloaded. | +| `path` | No | `.` | Local destination directory | +| `merge-multiple` | No | `false` | When true, merge all matched artifacts into a single directory | + +## Usage + +Download a single artifact by name: + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/download-artifact@download-artifact-v1 + with: + name: my-artifact + path: dist/ +``` + +Download all artifacts matching a pattern and merge into one directory: + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/download-artifact@download-artifact-v1 + with: + name: blob-report-* + path: all-blob-reports/ + merge-multiple: "true" +``` + +Download all artifacts for the run: + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/download-artifact@download-artifact-v1 + with: + path: artifacts/ +``` + +## Notes + +- Wraps `forgejo/download-artifact` v4 (node20), compatible with Ubuntu 22 runners. +- The underlying action is pinned to a commit SHA rather than a mutable tag to prevent supply chain attacks. +- When `merge-multiple` is false (default), each matched artifact is extracted into its own subdirectory under `path`. diff --git a/download-artifact/action.yml b/download-artifact/action.yml new file mode 100644 index 0000000..343135f --- /dev/null +++ b/download-artifact/action.yml 
@@ -0,0 +1,30 @@ +name: Schmalz Download Artifact +description: > + Download Forgejo Actions artifacts by name or pattern. + Thin wrapper around forgejo/download-artifact, pinned to a specific SHA. + +inputs: + name: + description: Exact artifact name or glob pattern (e.g. 'blob-report-*'). If omitted, all artifacts for the run are downloaded. + required: false + default: "" + path: + description: Local destination directory + required: false + default: "." + merge-multiple: + description: When true, merge all matched artifacts into a single directory + required: false + default: "false" + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # forgejo/download-artifact v4 — https://code.forgejo.org/forgejo/download-artifact/commits/tag/v4 + - name: Download artifact + uses: https://code.forgejo.org/forgejo/download-artifact@d8d0a99033603453ad2255e58720b460a0555e1e + with: + name: ${{ inputs.name }} + path: ${{ inputs.path }} + merge-multiple: ${{ inputs.merge-multiple }} diff --git a/upload-artifact/README.md b/upload-artifact/README.md new file mode 100644 index 0000000..3e93149 --- /dev/null +++ b/upload-artifact/README.md 
@@ -0,0 +1,37 @@ +# upload-artifact + +Upload files as a Forgejo Actions artifact. Thin wrapper around `forgejo/upload-artifact` pinned to a specific commit SHA to prevent supply chain attacks. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `name` | Yes | — | Artifact name | +| `path` | Yes | — | File or directory path to upload | +| `retention-days` | No | `30` | Number of days to retain the artifact | +| `if-no-files-found` | No | `warn` | Behaviour when no files are found — `warn`, `error`, or `ignore` | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/upload-artifact@upload-artifact-v1 + with: + name: my-artifact + path: dist/ +``` + +Upload and ignore if no files exist: + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/upload-artifact@upload-artifact-v1 + with: + name: blob-report-${{ matrix.shard-index }} + path: frontend/blob-report/ + retention-days: 3 + if-no-files-found: ignore +``` + +## Notes + +- Wraps `forgejo/upload-artifact` v4 (node20), compatible with Ubuntu 22 runners. +- The underlying action is pinned to a commit SHA rather than a mutable tag to prevent supply chain attacks. diff --git a/upload-artifact/action.yml b/upload-artifact/action.yml new file mode 100644 index 0000000..ccec5a4 --- /dev/null +++ b/upload-artifact/action.yml 
@@ -0,0 +1,33 @@ +name: Schmalz Upload Artifact +description: > + Upload files as a Forgejo Actions artifact. + Thin wrapper around forgejo/upload-artifact, pinned to a specific SHA. + +inputs: + name: + description: Artifact name + required: true + path: + description: File or directory path to upload + required: true + retention-days: + description: Number of days to retain the artifact + required: false + default: "30" + if-no-files-found: + description: Behaviour when no files are found — 'warn', 'error', or 'ignore' + required: false + default: warn + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # forgejo/upload-artifact v4 — https://code.forgejo.org/forgejo/upload-artifact/commits/tag/v4 + - name: Upload artifact + uses: https://code.forgejo.org/forgejo/upload-artifact@16871d9e8cfcf27ff31822cac382bbb5450f1e1e + with: + name: ${{ inputs.name }} + path: ${{ inputs.path }} + retention-days: ${{ inputs.retention-days }} + if-no-files-found: ${{ inputs.if-no-files-found }}
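Review bot: in download-artifact/README.md, all three Usage examples reference the wrapper as `shared-actions/download-artifact@download-artifact-v1`, a named ref rather than a commit SHA, while the Notes section justifies the wrapper on the grounds that a mutable tag is not safe to pin to. A caller who copies these examples gets the SHA pin on the upstream action but still trusts whoever can move `download-artifact-v1` in shared-actions. Suggest stating in Notes how the wrapper's release refs are protected against being moved, or adding one example that pins the wrapper itself by commit SHA for callers who want the guarantee end to end. The `@upload-artifact-v1` examples in upload-artifact/README.md have the same gap.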
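Review bot: in download-artifact/action.yml, the input defaults combine badly: `name` defaults to `""` (all artifacts for the run) and `path` defaults to `"."`, so a step that passes no inputs extracts every artifact into the workspace root, in the same directory tree as the checked-out sources. Suggest defaulting `path` to a dedicated directory such as `artifacts/` (the third README example already uses it) or making `path` required, and adding a line to the README Notes that later steps should treat downloaded artifact content as untrusted input.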
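Review bot: in upload-artifact/README.md, the Inputs table gives `if-no-files-found` a default of `warn`, so a job whose build produced nothing at `path` still succeeds with only a warning in the log. The Notes section does not mention this. Suggest adding a note that recommends `if-no-files-found: error` for artifacts that later jobs depend on, and keeping `ignore` for optional outputs like the `blob-report-${{ matrix.shard-index }}` example.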
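Review bot: in upload-artifact/action.yml, the comment above `uses:` identifies the pinned commit only as "v4" and links to `commits/tag/v4`, so nothing in the file records which exact upstream release `16871d9e8cfcf27ff31822cac382bbb5450f1e1e` corresponds to. A later reviewer cannot confirm the SHA from the comment alone, and the linked history changes if upstream moves `v4`. Suggest recording the exact upstream release tag and the date the SHA was checked in the comment, for example `# forgejo/upload-artifact <exact tag>, SHA verified <date>`. The comment above `d8d0a99033603453ad2255e58720b460a0555e1e` in download-artifact/action.yml follows the same pattern and would benefit from the same change.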