workflows: validate CHUNK_INDEX / CHUNK_COUNT inputs explicitly

igorpecovnik · igorpecovnik · commit f16304af6ec5 · 2026-04-15T19:40:19.000+02:00
workflow_call's `type: number` is enforced at the YAML boundary
only; direct API or templated callers can send non-numeric strings
that end up in the env. Bash's arithmetic context silently treats
non-numeric as 0, so "abc" passed `-lt 1`, hit the silent reset
to 1, and the chunk slice ran with a quietly-wrong CHUNK_COUNT.

Add explicit guards before any numeric comparison:

1. Regex `^[0-9]+$` on both CHUNK_INDEX and CHUNK_COUNT — fail
   with "is not a non-negative integer" naming the bad field.
2. Hard-fail CHUNK_COUNT &lt; 1 (was: silent reset to 1) — masking
   caller bugs is worse than failing loudly.
3. Existing CHUNK_INDEX &gt;= CHUNK_COUNT range check unchanged.

Each failure mode emits a distinct error message so a misconfig
caller can tell format-error from range-error at a glance.
diff --git a/.github/workflows/infrastructure-download-external.yml b/.github/workflows/infrastructure-download-external.yml
@@ -376,9 +376,29 @@ jobs:
             # below GitHub Actions' 256-entry cap. Callers that don't
             # know about chunking get CHUNK_COUNT=1 and pass the whole
             # thing through (legacy behavior).
+            #
+            # Validate the inputs explicitly. workflow_call input
+            # `type: number` is only enforced at the YAML boundary;
+            # direct API / curl invocations or templated callers can
+            # send anything that ends up as a string in the env. Bash's
+            # arithmetic context silently treats non-numeric as 0,
+            # which would let "abc" pass `-lt 1` and reset CHUNK_COUNT
+            # to 1 with no warning. Regex-check first, then range.
             CHUNK_INDEX="${{ inputs.CHUNK_INDEX }}"
             CHUNK_COUNT="${{ inputs.CHUNK_COUNT }}"
-            if [[ "${CHUNK_COUNT}" -lt 1 ]]; then CHUNK_COUNT=1; fi
+
+            if [[ ! "${CHUNK_INDEX}" =~ ^[0-9]+$ ]]; then
+              echo "::error::CHUNK_INDEX=${CHUNK_INDEX} is not a non-negative integer" >&2
+              exit 1
+            fi
+            if [[ ! "${CHUNK_COUNT}" =~ ^[0-9]+$ ]]; then
+              echo "::error::CHUNK_COUNT=${CHUNK_COUNT} is not a non-negative integer" >&2
+              exit 1
+            fi
+            if [[ "${CHUNK_COUNT}" -lt 1 ]]; then
+              echo "::error::CHUNK_COUNT=${CHUNK_COUNT} must be >= 1" >&2
+              exit 1
+            fi
             if [[ "${CHUNK_INDEX}" -ge "${CHUNK_COUNT}" ]]; then
               echo "::error::CHUNK_INDEX=${CHUNK_INDEX} must be < CHUNK_COUNT=${CHUNK_COUNT}" >&2
               exit 1
