Add repo-ask workflow for repository research

[Copilot]

Pull Request

Description

Implements the repo-ask workflow - a command-triggered GitHub Actions workflow that posts a templated response summarizing repository context. Users trigger it via /repo-ask [question] comments on issues/PRs.

Key components:

• .github/workflows/repo-ask.yml - Workflow triggered by issue_comment, validates permissions (OWNER/MEMBER/COLLABORATOR only), gathers repo context, posts findings
• docs/workflows/repo-ask.md - Full documentation with installation, configuration, use cases
• docs/workflows/README.md - Workflow index page
• .github/workflows/agentics/repo-ask.config.md - Configuration template (placeholder for future integration)

Security improvements applied:

• User input passed via environment variables instead of template literal interpolation
• Restricted workflow triggers to OWNER/MEMBER/COLLABORATOR only (removed CONTRIBUTOR)
• Fixed find command operator precedence with proper grouping
• Uses GITHUB_OUTPUT multiline EOF syntax for proper handling of special characters

Usage:

/repo-ask How does the authentication system work?
/repo-ask What are the testing requirements for this type of change?

Note: The current implementation returns a template-based response with file listing and README preview. Full AI agent integration is planned for future development.

Type of change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Other (describe):

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

Screenshots (if applicable)

Additional context

YAML syntax validated. CodeQL security check passed with no alerts. No test infrastructure exists for GitHub Actions workflows in this repo.

All review feedback addressed including security fixes for input handling, permission restrictions, documentation accuracy updates, and proper GITHUB_OUTPUT syntax.

Original prompt

🔍 Repo Ask

For an overview of all available workflows, see the main README.

The repo-ask workflow is a command-triggered workflow that acts as an intelligent research assistant for your repository. When invoked with the repo-ask command, it provides accurate, well-researched answers to questions about your codebase, features, documentation, or any repository-related topics by leveraging web search, repository analysis, and bash commands.

You can trigger the workflow by adding a comment to any issue or pull request with the command:

/repo-ask

or by writing a comment with a specific question:

/repo-ask How does the authentication system work in this project?

Installation

# Install the 'gh aw' extension
gh extension install githubnext/gh-aw

# Add the Repo Ask workflow to your repository
gh aw add githubnext/agentics/repo-ask --pr

This creates a pull request to add the workflow to your repository.

You must also add choose a coding agent and add an API key secret for the agent to your repository.

You can't start a run of this workflow directly as it is triggered in the context of an issue or pull request comment.

To trigger the workflow on a specific issue or pull request, add a comment with the command:

/repo-ask [your question here]

Mandatory Checklist

• I have read the notes on coding tasks in the main README and understand the implications.

• I understand that this workflow will generate and run bash commands in the confine of the GitHub Actions VM, with network access.

• I am a repository admin, maintainer, or have write permissions to trigger this workflow.

• If in a fork, I have enabled "GitHub Actions" and "GitHub Issues" in the fork repository settings.

Configuration

This workflow requires no configuration and works out of the box. You can customize research behavior, response format, and allowed tools. Local configuration can be done in .github/workflows/agentics/repo-ask.config.md.

After editing run gh aw compile to update the workflow and commit all changes to the default branch.

What it reads from GitHub

• Repository contents and file structure
• Issue or pull request context where the command was triggered
• Pull requests and their metadata
• Actions workflow runs and results
• Repository documentation and code files
• Project configuration files

What it creates

• Adds detailed research-based comments to issues or pull requests
• Requires issues: write permission

What web searches it performs

• Searches for relevant documentation and resources online
• Looks up technical information related to the repository's technologies
• Researches best practices and solutions for specific questions
• May search for community discussions and expert opinions

What bash commands it runs

• Repository analysis commands (e.g., find, grep, ls)
• Code inspection commands to understand project structure
• Test execution to verify functionality
• Build commands to understand the development workflow
• Any other repository exploration commands needed to answer questions

Use Cases

• Documentation Research: Ask about how specific features work or are implemented
• Code Analysis: Get explanations of complex code patterns or architectures
• Troubleshooting: Research solutions for build issues or configuration problems
• Best Practices: Get recommendations for improving code or project structure
• Feature Investigation: Understand what features exist and how they're used
• Dependency Analysis: Learn about project dependencies and their purposes

Example Commands

/repo-ask Has anyone reported similar issues in the past?
/repo-ask Is this bug related to any known issues in the codebase?
/repo-ask What are the testing requirements for this type of change?
/repo-ask How does this PR affect the existing authentication flow?
/repo-ask Are there similar implementations I should look at for reference?
/repo-ask What's the best way to test this feature locally?
/repo-ask Does this change require any documentation updates?
/repo-ask What are the performance implications of this approach?

Human in the loop

• Review research findings and answers provided by the workflow
• Ask follow-up questions or request clarification as needed
• Validate technical recommendations before implementing them

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Adds a new “Repo Ask” command-triggered GitHub Actions workflow plus documentation so users can ask repository questions via /repo-ask ... comments on issues/PRs.

Changes:

• Added .github/workflows/repo-ask.yml to trigger on issue_comment and post repository-context responses.
• Added documentation under docs/workflows/ and linked it from the root README.md.
• Added a configuration template at .github/workflows/agentics/repo-ask.config.md.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
.github/workflows/repo-ask.yml	New issue-comment-triggered workflow that parses /repo-ask, gathers basic repo context, and posts results.
.github/workflows/agentics/repo-ask.config.md	Template config file intended to customize repo-ask behavior.
docs/workflows/repo-ask.md	Primary workflow documentation: install, usage, security notes, and examples.
docs/workflows/README.md	Index page listing available agentic workflows and general guidance.
README.md	Adds an “Agentic Workflows” section linking to the new docs and showing /repo-ask usage.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This description claims the workflow leverages web search and an AI agent to provide “accurate, well-researched answers,” but the current repo-ask.yml only posts a basic template response with file listing/README preview and no web search/agent integration. Please update the wording to match actual behavior (or implement the agent/web-search pieces).

Suggested change

The [repo-ask workflow](../../.github/workflows/repo-ask.yml) is a command-triggered workflow that acts as an intelligent research assistant for your repository. When invoked with the `repo-ask` command, it provides accurate, well-researched answers to questions about your codebase, features, documentation, or any repository-related topics by leveraging web search, repository analysis, and bash commands.

The [repo-ask workflow](../../.github/workflows/repo-ask.yml) is a command-triggered workflow that posts a templated response summarizing your repository, such as a file listing and README preview, when invoked with the `repo-ask` command.

[Copilot]

Untrusted question text is injected into a JavaScript template literal at workflow-parse time: const question = `${{ steps.parse.outputs.question }}`;. If the question contains backticks or ${...}, it can break the script (and potentially enable code injection). Pass the value via env: and read from process.env, or avoid interpolation by reading from context.payload.comment.body and parsing in JS.

[Copilot]

find is used with multiple -o clauses without parentheses, so -type f / -maxdepth only apply to part of the expression due to operator precedence. This can include unintended paths (and potentially slow the run). Group the name predicates with parentheses, or repeat -type f for each branch.

[Copilot]

Similarly, this find command mixes -type f with multiple -o clauses without grouping, so later -name terms are not constrained by -type f. Add parentheses around the -name predicates (or use \( ... \)), ensuring -type f applies to all patterns.

[Copilot]

The workflow gate allows author_association == 'CONTRIBUTOR', which can include external users without write access. This contradicts the comment “user has write permissions” and can be unsafe if later steps start using secrets or more powerful tooling. Consider restricting to trusted associations (OWNER/MEMBER/COLLABORATOR) or perform an explicit permission check via the GitHub API (repos.getCollaboratorPermissionLevel).

Suggested change

	github.event.comment.author_association == 'COLLABORATOR' ||
	github.event.comment.author_association == 'CONTRIBUTOR'
	github.event.comment.author_association == 'COLLABORATOR'

[Copilot]

The output escaping (%0A, %0D, %25) is for the deprecated ::set-output command and will mutate the actual question stored in $GITHUB_OUTPUT (newlines become the literal string %0A). Use the $GITHUB_OUTPUT multiline syntax (name<<EOF ... EOF) and remove this percent-encoding so downstream steps receive the original text.

Suggested change

	# Escape special characters for GitHub output
	QUESTION="${QUESTION//'%'/'%25'}"
	QUESTION="${QUESTION//$'\n'/'%0A'}"
	QUESTION="${QUESTION//$'\r'/'%0D'}"
	echo "question=$QUESTION" >> $GITHUB_OUTPUT
	# Write the question to GITHUB_OUTPUT using multiline syntax to preserve newlines and special characters
	{
	echo 'question<<EOF_QUESTION' >> "$GITHUB_OUTPUT"
	echo "$QUESTION" >> "$GITHUB_OUTPUT"
	echo 'EOF_QUESTION' >> "$GITHUB_OUTPUT"
	}

[Copilot]

The status comment says “I'll update this comment with my findings,” but the workflow later creates a new comment instead of editing the original. Either edit the same comment (store its id and use issues.updateComment) or adjust the message so it doesn't promise an update.

Suggested change

	body: `🔍 **Repo Ask** is researching your question...\n\n> ${question}\n\n_This may take a moment. I'll update this comment with my findings._`
	body: `🔍 **Repo Ask** is researching your question...\n\n> ${question}\n\n_This may take a moment. I'll be back with my findings soon._`

[Copilot]

This second reference to the “main README” also uses ../README.md, which likely points to a non-existent docs/README.md. Update it to the correct relative path to the repository root README (e.g., ../../README.md).

Suggested change

	* [ ] I have read the notes on coding tasks in the [main README](../README.md) and understand the implications.
	* [ ] I have read the notes on coding tasks in the [main README](../../README.md) and understand the implications.

[Copilot]

The markdown table header uses double leading pipes (||), which breaks table rendering. Use single pipes for each row (e.g., | Workflow | Description | Trigger |) and a proper separator row.

[groupthinking]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied all review feedback in commit 7b9a9d3:

Security fixes:

• Pass question via env: + process.env instead of template literal interpolation
• Removed CONTRIBUTOR from allowed associations (now only OWNER/MEMBER/COLLABORATOR)
• Fixed find command operator precedence with proper grouping \( ... \)
• Use GITHUB_OUTPUT multiline EOF syntax instead of deprecated percent-encoding

Documentation updates:

• Fixed README links to use ../../README.md
• Fixed grammar: "in the confine" → "within the confines"
• Updated descriptions to reflect actual behavior (template-based response, not AI-powered)
• Clarified config file is a template not yet wired up
• Removed unused "Load configuration" step
• Fixed message about updating comment (now says "I'll be back with my findings soon")

[sentry]

Bug: The repo-ask workflow, when triggered by a PR comment, checks out the default branch instead of the PR branch because the checkout step is missing a ref.
_{Severity: HIGH}

Suggested Fix

In the checkout step, add the ref parameter and set it to github.event.issue.pull_request.head.sha. This will ensure that when the workflow is triggered by a comment on a pull request, it checks out the correct commit from the PR's head branch for analysis. You should also add a condition to this step to only run for PR comments.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/repo-ask.yml#L28-L31

Potential issue: The `repo-ask.yml` workflow is triggered by the `issue_comment` event.
When a comment is made on a pull request, the workflow runs in the context of the
repository's default branch. The `actions/checkout` step on lines 28-31 does not specify
a `ref` to check out. Consequently, it defaults to checking out the code from the
default branch, not the branch associated with the pull request. This causes the
workflow to analyze the wrong codebase, providing misleading information and defeating
its intended purpose of analyzing changes within a specific pull request.

_{Did we get this right? 👍 / 👎 to inform future reviews.}