diff --git a/app/server/post_results_e2e_test.go b/app/server/post_results_e2e_test.go
index f82b93b4..81dfeac5 100644
--- a/app/server/post_results_e2e_test.go
+++ b/app/server/post_results_e2e_test.go
@@ -17,8 +17,10 @@ package server
 import (
 "context"
 "io"
+ "net/http"
 "os"
+ "github.com/google/go-github/v42/github"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
@@ -112,3 +114,36 @@ var _ = Describe("E2E Test: getAndVerifyWorkflowContent", func() {
 AssertInvalidWorkflowContent("testdata/results/imposter-commit-results.json", "imposter commit")
 })
 })
+
+// helper function to setup a github verifier with an appropriately set token.
+func getGithubVerifier() githubVerifier {
+ httpClient := http.DefaultClient
+ token, _ := readGitHubTokens()
+ if token != "" {
+ httpClient.Transport = githubTransport{
+ token: token,
+ }
+ }
+ return githubVerifier{
+ ctx: context.Background(),
+ client: github.NewClient(httpClient),
+ }
+}
+
+var _ = Describe("E2E Test: githubVerifier_contains", func() {
+ Context("E2E Test: Validate known good commits", func() {
+ It("can detect actions/upload-artifact v3-node20 commits", func() {
+ gv := getGithubVerifier()
+ c, err := gv.contains("actions", "upload-artifact", "97a0fba1372883ab732affbe8f94b823f91727db")
+ Expect(err).Should(BeNil())
+ Expect(c).To(BeTrue())
+ })
+
+ It("can detect github/codeql-action backport commits", func() {
+ gv := getGithubVerifier()
+ c, err := gv.contains("github", "codeql-action", "a82bad71823183e5b120ab52d521460ecb0585fe")
+ Expect(err).Should(BeNil())
+ Expect(c).To(BeTrue())
+ })
+ })
+})
diff --git a/app/server/verify_workflow.go b/app/server/verify_workflow.go
index a936e980..b60b0615 100644
--- a/app/server/verify_workflow.go
+++ b/app/server/verify_workflow.go
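Review bot: `getGithubVerifier` installs the token-bearing `githubTransport` on `http.DefaultClient.Transport`, because `httpClient := http.DefaultClient` copies the pointer to the shared client rather than creating one; the credential then rides on every request any other code in the test binary makes through the default client, and stays installed across specs. Build a private client instead, `httpClient := &http.Client{}`, so the transport and token only reach the `github.NewClient(httpClient)` built on the following lines. Whether `githubTransport` restricts the header to GitHub hosts is not visible in this diff, so the point stands either way. `token, _ := readGitHubTokens()` also drops the error, so a misconfigured token silently degrades to unauthenticated, rate-limited calls; either fail the spec on it or add a comment stating that the unauthenticated fallback is intentional.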
@@ -263,9 +263,11 @@ func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
 if contains {
 return true, nil
 }
+
+ switch {
 // github/codeql-action has commits from their v1 and v2 release branch that don't show up in the default branch
 // this isn't the best approach for now, but theres no universal "does this commit belong to this repo" call
- if owner == "github" && repo == "codeql-action" {
+ case owner == "github" && repo == "codeql-action":
 contains, err = g.branchContains("releases/v2", owner, repo, hash)
 if err != nil {
 return false, err
@@ -273,6 +275,11 @@ func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
 if !contains {
 contains, err = g.branchContains("releases/v1", owner, repo, hash)
 }
+
+ // add fallback lookup for actions/upload-artifact v3/node20 branch
+ // https://github.com/actions/starter-workflows/pull/2348#discussion_r1536228344
+ case owner == "actions" && repo == "upload-artifact":
+ contains, err = g.branchContains("v3/node20", owner, repo, hash)
 }
 return contains, err
}
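Review bot: The `switch` in `contains` now holds two repo-specific branch allowlists inline (the `actions/upload-artifact` case in the second hunk and the `github/codeql-action` case in the first), with the codeql case checking `err` between its two lookups while the new case leaves that to the trailing `return contains, err`. These branch names are the boundary that decides which commits off the default branch are accepted as belonging to the repository, so they are easier to audit and extend as a package-level table walked by one loop than as a growing `switch`. The rewrite below preserves the visible behaviour: branches are tried in order, the first hit returns `true`, and any lookup error returns `false, err`. The table should carry a doc comment saying that each entry widens the set of commits trusted for that repository and needs the same review as a code change. The enclosing function starts before the first hunk; only its tail is shown here.

```go
// fallbackBranches lists, per "owner/repo", the non-default branches whose
// commits are also accepted. Every entry widens which commits are trusted
// for that repository, so additions need the same review as code changes.
var fallbackBranches = map[string][]string{
	"github/codeql-action":    {"releases/v2", "releases/v1"},
	"actions/upload-artifact": {"v3/node20"},
}

func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
	// … unchanged: default-branch lookup and `if contains { return true, nil }` …

	for _, branch := range fallbackBranches[owner+"/"+repo] {
		contains, err = g.branchContains(branch, owner, repo, hash)
		if err != nil {
			return false, err
		}
		if contains {
			return true, nil
		}
	}
	return false, nil
}
```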