From d6fcb562f4e7e7373a214fd8ec5437fac862bf8f Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Tue, 26 May 2026 17:58:42 +0200
Subject: [PATCH] fix(podman): bound setup image builds

---
 scripts/podman/setup.sh                     | 15 ++++++++++++++-
 test/scripts/test-install-sh-docker.test.ts | 14 ++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/scripts/podman/setup.sh b/scripts/podman/setup.sh
index d3b4bab79208..151147223bb2 100755
--- a/scripts/podman/setup.sh
+++ b/scripts/podman/setup.sh
@@ -29,6 +29,7 @@ PLATFORM_NAME="$(uname -s 2>/dev/null || echo unknown)"
 HOST_GATEWAY_PORT="${OPENCLAW_PODMAN_GATEWAY_HOST_PORT:-${OPENCLAW_GATEWAY_PORT:-18789}}"
 QUADLET_GATEWAY_PORT="18789"
 PODMAN_PULL_TIMEOUT="${OPENCLAW_PODMAN_SETUP_PULL_TIMEOUT:-600s}"
+PODMAN_BUILD_TIMEOUT="${OPENCLAW_PODMAN_SETUP_BUILD_TIMEOUT:-1800s}"
 
 require_cmd() {
   if ! command -v "$1" >/dev/null 2>&1; then
@@ -57,6 +58,18 @@ run_podman_pull() {
   podman pull "$image"
 }
 
+run_podman_build() {
+  if command -v timeout >/dev/null 2>&1; then
+    if timeout --kill-after=1s 1s true >/dev/null 2>&1; then
+      timeout --kill-after=30s "$PODMAN_BUILD_TIMEOUT" podman build "$@"
+    else
+      timeout "$PODMAN_BUILD_TIMEOUT" podman build "$@"
+    fi
+    return
+  fi
+  podman build "$@"
+}
+
 validate_single_line_value() {
   local label="$1"
   local value="$2"
@@ -390,7 +403,7 @@ fi
 
 if [[ "$OPENCLAW_IMAGE" == "openclaw:local" ]]; then
   echo "Building image $OPENCLAW_IMAGE ..."
-  podman build -t "$OPENCLAW_IMAGE" -f "$REPO_PATH/Dockerfile" "${BUILD_ARGS[@]+"${BUILD_ARGS[@]}"}" "$REPO_PATH"
+  run_podman_build -t "$OPENCLAW_IMAGE" -f "$REPO_PATH/Dockerfile" "${BUILD_ARGS[@]+"${BUILD_ARGS[@]}"}" "$REPO_PATH"
 else
   if podman image exists "$OPENCLAW_IMAGE" >/dev/null 2>&1; then
     echo "Using existing image $OPENCLAW_IMAGE"
diff --git a/test/scripts/test-install-sh-docker.test.ts b/test/scripts/test-install-sh-docker.test.ts
index f0e2f4f4dc3e..8d7d61e98289 100644
--- a/test/scripts/test-install-sh-docker.test.ts
+++ b/test/scripts/test-install-sh-docker.test.ts
@@ -147,6 +147,20 @@ describe("test-install-sh-docker", () => {
     expect(script).not.toContain('podman pull "$OPENCLAW_IMAGE"');
   });
 
+  it("bounds Podman setup image builds", () => {
+    const script = readFileSync(PODMAN_SETUP_PATH, "utf8");
+
+    expect(script).toContain(
+      'PODMAN_BUILD_TIMEOUT="${OPENCLAW_PODMAN_SETUP_BUILD_TIMEOUT:-1800s}"',
+    );
+    expect(script).toContain("run_podman_build()");
+    expect(script).toContain("timeout --kill-after=1s 1s true");
+    expect(script).toContain('timeout --kill-after=30s "$PODMAN_BUILD_TIMEOUT" podman build "$@"');
+    expect(script).toContain('timeout "$PODMAN_BUILD_TIMEOUT" podman build "$@"');
+    expect(script).toContain('run_podman_build -t "$OPENCLAW_IMAGE"');
+    expect(script).not.toContain('podman build -t "$OPENCLAW_IMAGE"');
+  });
+
   it("bounds detached Podman launches without timing out onboarding", () => {
     const script = readFileSync(PODMAN_RUN_PATH, "utf8");