chore: rename ALLHANDS_BOT_TOKEN to PAT_TOKEN #462
Standardises on the org-wide secret name ALLHANDS_BOT_GITHUB_PAT so that a single secret covers both the pr-review and the sync-doc workflows, removing the need for a separate ALLHANDS_BOT_TOKEN secret in this repo. Part of OpenHands/evaluation#428 (PAT_TOKEN blast radius reduction). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
all-hands-bot
left a comment
🟢 Good taste - Clean refactoring for standardizing secret names across the org. One deployment note below.
| # github-actions[bot], so a different identity (all-hands-bot) can approve it. | ||
| - name: Auto-approve PR | ||
| if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_TOKEN != '' | ||
| if: steps.cpr.outputs.pull-request-url && secrets.ALLHANDS_BOT_GITHUB_PAT != '' |
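Review bot: the added `if:` line reads `secrets.ALLHANDS_BOT_GITHUB_PAT` directly in a step condition, which GitHub's documentation says is not supported (secrets cannot be referenced directly in `if:` conditionals). Suggest exposing a job-level environment variable derived from the secret and testing that instead, for example a hypothetical `env.HAS_BOT_PAT == 'true'`. The name on this line also differs from the PAT_TOKEN in the PR title, so confirm which secret name is final before merge.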
🟡 Suggestion: Consider adding a workflow validation step or branch protection rule to verify the new secret exists before allowing merge.
If ALLHANDS_BOT_GITHUB_PAT isn't configured when this merges, the auto-approve and auto-merge steps will silently skip (the if condition evaluates to false). While the PR description mentions setting this "before merging," there's no enforcement mechanism.
Options:
- Add a dedicated workflow step that fails if the secret is empty (forces manual verification)
- Document the deployment order in a checklist in the PR description
- Accept the risk (workflows gracefully degrade; easy to fix post-merge)
Given the limited blast radius (only affects auto-merge of sync PRs) and clear documentation in the PR, option 3 is pragmatic.
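Option 1 from the comment above, sketched as an added example that is not part of this PR or the repository's workflows. Only the step id `cpr`, the step name "Auto-approve PR" and the secret name come from the page; the workflow name, trigger, `HAS_BOT_PAT`, the placeholder `cpr` step and the `gh` call are assumptions.

```yaml
# Added example (hypothetical workflow), not the repository's own file.
name: sync-guard-example
on: workflow_dispatch

jobs:
  sync:
    runs-on: ubuntu-latest
    env:
      # Expose only a boolean, never the token itself, at job level.
      # Step-level `if:` conditions can then read it through the env context.
      HAS_BOT_PAT: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT != '' }}
    steps:
      # Fail loudly instead of letting later steps skip silently.
      - name: Require bot PAT
        if: env.HAS_BOT_PAT != 'true'
        run: |
          echo "::error::ALLHANDS_BOT_GITHUB_PAT is empty or not visible to this repository"
          exit 1

      # Placeholder for the real step that opens the sync PR (id `cpr` on the page).
      # It emits an empty URL here so the example runs without side effects.
      - name: Open sync PR (placeholder)
        id: cpr
        run: echo "pull-request-url=" >> "$GITHUB_OUTPUT"

      - name: Auto-approve PR
        if: steps.cpr.outputs.pull-request-url && env.HAS_BOT_PAT == 'true'
        env:
          # The token is scoped to this one step.
          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
          # Pass the URL through env rather than interpolating it into the script.
          PR_URL: ${{ steps.cpr.outputs.pull-request-url }}
        run: gh pr review --approve "$PR_URL"
```

With the guard in place, a missing or misnamed secret turns the run red at the first step rather than producing a green run in which approval never happened.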
Standardises on the org-wide PAT_TOKEN secret name so a single secret covers all bot workflows — no separate ALLHANDS_BOT_TOKEN needed. Part of OpenHands/evaluation#428 (PAT_TOKEN blast radius reduction). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
all-hands-bot
left a comment
🟢 Good taste - Clean, consistent rename across both workflows. Low risk.
all-hands-bot
left a comment
🟢 Good taste - Clean, consistent rename. Low risk.
[RISK ASSESSMENT]
- [Overall PR]
⚠️ Risk Assessment: 🟡 MEDIUM
Configuration change affecting automated workflows. If PAT_TOKEN secret is missing, auto-approve/auto-merge will silently skip (workflows won't fail, but sync PRs won't auto-merge). PR description confirms the org-wide secret has been validated. The conditional checks (if: secrets.PAT_TOKEN != '') provide appropriate safeguards.
VERDICT:
✅ Worth merging: Standard refactoring, properly guarded with conditionals.
KEY INSIGHT:
Simple configuration standardization with appropriate fail-safe behavior - workflows degrade gracefully if secret is misconfigured.
Summary
- ALLHANDS_BOT_TOKEN → PAT_TOKEN in sync-agent-sdk-openapi.yml and sync-docs-code-blocks.yml
- PAT_TOKEN secret — no separate ALLHANDS_BOT_TOKEN secret needed in this repo
- PAT_TOKEN is an organization-wide secret with enough permissions to run those workflows. This has been validated.