
[plan] Investigate signal propagation path in AWF agent step (sudo + pipe + Docker PID namespace) #23967

@github-actions

Objective

Investigate the signal propagation path in the AWF agent step command to understand exactly why timeout-minutes may not be enforced, and validate or refute this as the root cause.

Context

Issue #23965 reports that timeout-minutes is ignored on the agent step. Initial code analysis suggests the root cause is signal delivery failure through the execution pipeline:

GitHub Actions runner (SIGTERM on timeout)
  ↓
Bash shell (`set -o pipefail` script)
  ├─ sudo -E awf ... -- /bin/bash -c '...'   ← may not receive SIGTERM
  │    └─ AWF Docker container (separate PID namespace)
  │          └─ agent process
  └─ tee -a ${LOG_FILE}                       ← pipe may block signal propagation

The command in pkg/workflow/awf_helpers.go builds:

sudo -E awf <args> -- /bin/bash -c '...' 2>&1 | tee -a <logfile>

Potential contributing factors:

  1. Pipe (|) breaks SIGTERM chain: tee doesn't forward signals upstream to awf
  2. sudo intercepts signals: sudo may not forward SIGTERM to the awf child
  3. Docker PID namespace isolation: awf manages a container; SIGTERM to awf may not propagate into the container
  4. No dumb-init/tini in the Dockerfile — Alpine base with gh-aw as entrypoint has no init for signal reaping

Approach

  1. Trace the signal path through sudo → awf → Docker container:

    • Check if awf (the firewall binary) handles SIGTERM and forwards it to the container process
    • Check if sudo forwards signals or drops them
    • Check Docker signal handling behavior when the host process receives SIGTERM
  2. Verify the pipe problem: Write a small shell test confirming that cmd 2>&1 | tee file — when the shell receives SIGTERM — does not reliably kill cmd.

  3. Check AWF binary behavior (if source is available or if documentation exists): Does awf handle SIGTERM and issue docker stop/docker kill?

  4. Review the set -o pipefail effect: Confirm it only controls exit code propagation, not signal propagation.

Files of Interest

  • pkg/workflow/awf_helpers.go: BuildAWFCommand() (the pipe construction)
  • pkg/constants/constants.go: AWFDefaultCommand constant
  • Dockerfile — confirms no init process
  • actions/setup/sh/stop_mcp_gateway.sh — example of correct SIGTERM handling with fallback to SIGKILL (pattern to compare against)

Acceptance Criteria

Generated by Plan Command for issue #23965 · expires on Apr 3, 2026, 11:47 PM UTC
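
A minimal version of the shell test that step 2 of the Approach asks for, added here as an illustration and not taken from the gh-aw repository. Assumptions: `sleep 30` stands in for `sudo -E awf ...`, the function name `probe` is hypothetical, and the `forward` variant (background job plus TERM trap) is a comparison case rather than the project's fix.

```shell
#!/bin/sh
# Added example. `sleep 30` is a constructed stand-in for `sudo -E awf ...`.
# probe MODE prints "alive" or "dead": the state of the upstream command
# after SIGTERM has been sent to the step shell only.
probe() {
  dir=$(mktemp -d) || return 1
  if [ "$1" = pipe ]; then
    # Same shape as the generated step: pipefail plus `cmd 2>&1 | tee -a log`.
    cat > "$dir/step.sh" <<'EOF'
set -o pipefail
sh -c 'echo $$ > "$D/cmd.pid"; exec sleep 30' 2>&1 | tee -a "$D/log"
EOF
  else
    # Forwarding variant (assumption, not the project's code): background the
    # command so the TERM trap can run, relay the signal, then reap the child.
    cat > "$dir/step.sh" <<'EOF'
trap 'kill -TERM "$child" 2>/dev/null' TERM
sh -c 'echo $$ > "$D/cmd.pid"; exec sleep 30' > >(tee -a "$D/log") 2>&1 &
child=$!
wait "$child"   # interrupted when the trap fires
wait "$child"   # collects the child after the relay
EOF
  fi
  D=$dir bash "$dir/step.sh" >/dev/null 2>&1 &
  shell_pid=$!
  i=0   # wait up to ~5 s for the upstream command to record its PID
  while [ ! -s "$dir/cmd.pid" ] && [ "$i" -lt 50 ]; do sleep 0.1; i=$((i + 1)); done
  sleep 0.2
  cmd_pid=$(cat "$dir/cmd.pid")
  kill -TERM "$shell_pid"             # what the step shell sees on timeout
  wait "$shell_pid" 2>/dev/null || true
  sleep 0.5                           # let any relayed signal land
  if kill -0 "$cmd_pid" 2>/dev/null; then
    echo alive
    kill -KILL "$cmd_pid" 2>/dev/null || true   # clean up the orphan
  else
    echo dead
  fi
  rm -rf "$dir"
}

for mode in pipe forward; do
  echo "$mode: upstream command is $(probe "$mode")"
done
```

In the `pipe` case the step shell exits on SIGTERM while the upstream command keeps running, with `set -o pipefail` in effect throughout; a trap added to that foreground pipeline would not help either, because bash runs traps only after the foreground command returns.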
