Objective
Reproduce and confirm the bug reported in #23965: timeout-minutes on agent steps is not enforced when the agent runs inside the AWF Docker container.
Context
Issue #23965 reports that when timeout-minutes is set on the GitHub Actions step that runs the Copilot CLI agent inside the AWF firewall container, the step continues past the timeout until the job-level or workflow-level timeout. This may be caused by signal delivery (SIGTERM/SIGKILL) not reaching processes inside the container.
Approach
- Create a test workflow that has an agent step with a short timeout-minutes (e.g., 5 minutes) and a task that is designed to run longer (e.g., an agent instructed to sleep or loop for 30 minutes).
- Trigger the workflow and observe whether the step terminates at 5 minutes or continues running.
- Collect evidence: Capture the step log to confirm whether the runner emits "##[error]The operation was cancelled because the step exceeded the configured timeout." vs. the step running indefinitely.
- Document the process tree at the time of timeout: use ps auxf or similar inside the runner to show the process hierarchy (runner shell → sudo awf → docker container → agent).
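The signal-delivery hypothesis from the Context section can be checked locally before building the test workflow. This is an added example, not code from the repository: sleep 300 stands in for the agent, a plain sh -c wrapper stands in for the sudo -E awf ... | tee command, and agent_after_term, agent.sh and the pipe/direct modes are hypothetical names; no Docker or AWF is involved.

```shell
#!/bin/sh
# Added example: local stand-in for the chain runner shell -> wrapper -> agent.
# No awf or Docker is used; "sleep 300" plays the agent (assumption).

# agent_after_term MODE
#   MODE=pipe   wrapper runs "agent | tee log", like the "... | tee" command
#   MODE=direct wrapper execs the agent, so the signal lands on the agent itself
# Sends SIGTERM to the wrapper only and prints "alive" or "dead" for the agent.
# Usage: agent_after_term pipe; agent_after_term direct
agent_after_term() (
  mode=$1
  dir=$(mktemp -d) || exit 1
  # Stand-in agent: record its own PID, then become a long-running process.
  cat >"$dir/agent.sh" <<'EOF'
echo $$ >"$1"
exec sleep 300
EOF
  if [ "$mode" = pipe ]; then
    sh -c 'sh "$1/agent.sh" "$1/agent.pid" | tee "$1/agent.log" >/dev/null' _ "$dir" &
  else
    sh -c 'exec sh "$1/agent.sh" "$1/agent.pid"' _ "$dir" &
  fi
  wrapper=$!
  # Wait (up to 10 s) until the agent has written its PID.
  tries=0
  while [ ! -s "$dir/agent.pid" ] && [ "$tries" -lt 10 ]; do
    sleep 1
    tries=$((tries + 1))
  done
  agent=$(cat "$dir/agent.pid")
  # Evidence: the process hierarchy at the moment the signal is sent.
  ps -o pid,ppid,stat,args -p "$wrapper,$agent" >&2 || true
  kill -TERM "$wrapper"
  wait "$wrapper" 2>/dev/null || true        # wrapper is gone once this returns
  if kill -0 "$agent" 2>/dev/null; then
    echo alive
    kill -KILL "$agent" 2>/dev/null || true  # clean up the orphaned agent
  else
    echo dead
  fi
  rm -rf "$dir"
)
```

In pipe mode the wrapper exits on SIGTERM without forwarding it, so the stand-in agent is orphaned and keeps running; in direct mode the wrapper process is the agent and the same signal ends it.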
Files of Interest
- pkg/workflow/awf_helpers.go — BuildAWFCommand() at lines ~70-142 (builds the sudo -E awf ... | tee command)
- Compiled .lock.yml files — check that timeout-minutes appears on the agent step YAML
- actions/setup/sh/ — shell scripts managing AWF lifecycle
Acceptance Criteria
Generated by Plan Command for issue #23965
timeout-minutes or not?
Related to timeout-minutes on agent step not enforced inside AWF container #23965