From 987e1c7bc726fff1f1d34d6e488103d3b2dcb2e1 Mon Sep 17 00:00:00 2001
From: Debug Agent <debug@example.com>
Date: Mon, 20 Apr 2026 14:08:49 -0300
Subject: [PATCH 1/2] chore: rename ALLHANDS_BOT_TOKEN secret to
 ALLHANDS_BOT_GITHUB_PAT

Standardises on the org-wide secret name ALLHANDS_BOT_GITHUB_PAT so
that a single secret covers both the pr-review and the sync-doc workflows,
removing the need for a separate ALLHANDS_BOT_TOKEN secret in this repo.

Part of OpenHands/evaluation#428 (PAT_TOKEN blast radius reduction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/sync-agent-sdk-openapi.yml | 10 +++++-----
 .github/workflows/sync-docs-code-blocks.yml  | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/sync-agent-sdk-openapi.yml b/.github/workflows/sync-agent-sdk-openapi.yml
index 0c18e287a..a9bc400c6 100644
--- a/.github/workflows/sync-agent-sdk-openapi.yml
+++ b/.github/workflows/sync-agent-sdk-openapi.yml
@@ -114,21 +114,21 @@ jobs:
 
             **Note**: This is an automated pull request. Please review the changes to ensure they are correct before merging.
 
-      # Auto-approve using ALLHANDS_BOT_TOKEN (all-hands-bot). PR is created by
+      # Auto-approve using ALLHANDS_BOT_GITHUB_PAT (all-hands-bot). PR is created by
       # github-actions[bot], so a different identity (all-hands-bot) can approve it.
       - name: Auto-approve PR
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_TOKEN != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
         run: |
           gh pr review "${{ steps.cpr.outputs.pull-request-url }}" \
             --approve \
             --body "Auto-approving automated OpenAPI sync PR."
 
       - name: Enable auto-merge (squash)
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_TOKEN != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
         run: |
           PR_URL="${{ steps.cpr.outputs.pull-request-url }}"
 
diff --git a/.github/workflows/sync-docs-code-blocks.yml b/.github/workflows/sync-docs-code-blocks.yml
index ab53cc7f7..68a749e45 100644
--- a/.github/workflows/sync-docs-code-blocks.yml
+++ b/.github/workflows/sync-docs-code-blocks.yml
@@ -103,21 +103,21 @@ jobs:
             - [x] I have read and reviewed the documentation changes to the best of my ability.
             - [x] If the change is significant, I have run the documentation site locally and confirmed it renders as expected.
 
-      # Auto-approve using ALLHANDS_BOT_TOKEN (all-hands-bot). PR is created by
+      # Auto-approve using ALLHANDS_BOT_GITHUB_PAT (all-hands-bot). PR is created by
       # github-actions[bot], so a different identity (all-hands-bot) can approve it.
       - name: Auto-approve PR
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_TOKEN != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
         run: |
           gh pr review "${{ steps.cpr.outputs.pull-request-url }}" \
             --approve \
             --body "Auto-approving automated docs sync PR."
 
       - name: Enable auto-merge (squash)
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_TOKEN != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
         run: |
           PR_URL="${{ steps.cpr.outputs.pull-request-url }}"
 

From bd644f9dcb5ed30581b45946dd4ce36ffdffbbd5 Mon Sep 17 00:00:00 2001
From: Debug Agent <debug@example.com>
Date: Mon, 20 Apr 2026 14:19:13 -0300
Subject: [PATCH 2/2] chore: rename ALLHANDS_BOT_TOKEN secret to PAT_TOKEN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Standardises on the org-wide PAT_TOKEN secret name so a single secret
covers all bot workflows — no separate ALLHANDS_BOT_TOKEN needed.

Part of OpenHands/evaluation#428 (PAT_TOKEN blast radius reduction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/sync-agent-sdk-openapi.yml | 10 +++++-----
 .github/workflows/sync-docs-code-blocks.yml  | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/sync-agent-sdk-openapi.yml b/.github/workflows/sync-agent-sdk-openapi.yml
index a9bc400c6..1062fd884 100644
--- a/.github/workflows/sync-agent-sdk-openapi.yml
+++ b/.github/workflows/sync-agent-sdk-openapi.yml
@@ -114,21 +114,21 @@ jobs:
 
             **Note**: This is an automated pull request. Please review the changes to ensure they are correct before merging.
 
-      # Auto-approve using ALLHANDS_BOT_GITHUB_PAT (all-hands-bot). PR is created by
+      # Auto-approve using PAT_TOKEN (all-hands-bot). PR is created by
       # github-actions[bot], so a different identity (all-hands-bot) can approve it.
       - name: Auto-approve PR
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.PAT_TOKEN != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+          GH_TOKEN: ${{ secrets.PAT_TOKEN }}
         run: |
           gh pr review "${{ steps.cpr.outputs.pull-request-url }}" \
             --approve \
             --body "Auto-approving automated OpenAPI sync PR."
 
       - name: Enable auto-merge (squash)
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.PAT_TOKEN != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+          GH_TOKEN: ${{ secrets.PAT_TOKEN }}
         run: |
           PR_URL="${{ steps.cpr.outputs.pull-request-url }}"
 
diff --git a/.github/workflows/sync-docs-code-blocks.yml b/.github/workflows/sync-docs-code-blocks.yml
index 68a749e45..354d90fc8 100644
--- a/.github/workflows/sync-docs-code-blocks.yml
+++ b/.github/workflows/sync-docs-code-blocks.yml
@@ -103,21 +103,21 @@ jobs:
             - [x] I have read and reviewed the documentation changes to the best of my ability.
             - [x] If the change is significant, I have run the documentation site locally and confirmed it renders as expected.
 
-      # Auto-approve using ALLHANDS_BOT_GITHUB_PAT (all-hands-bot). PR is created by
+      # Auto-approve using PAT_TOKEN (all-hands-bot). PR is created by
       # github-actions[bot], so a different identity (all-hands-bot) can approve it.
       - name: Auto-approve PR
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.PAT_TOKEN != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+          GH_TOKEN: ${{ secrets.PAT_TOKEN }}
         run: |
           gh pr review "${{ steps.cpr.outputs.pull-request-url }}" \
             --approve \
             --body "Auto-approving automated docs sync PR."
 
       - name: Enable auto-merge (squash)
-        if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != ''
+        if: steps.cpr.outputs.pull-request-url && secrets.PAT_TOKEN != ''
         env:
-          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+          GH_TOKEN: ${{ secrets.PAT_TOKEN }}
         run: |
           PR_URL="${{ steps.cpr.outputs.pull-request-url }}"