chore: use OPENHANDS_BOT_GITHUB_PAT_PUBLIC in sync workflows

[simonrosenberg]

Part of OpenHands/evaluation#428 (PAT blast-radius reduction).

Replaces secrets.PAT_TOKEN → secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC in the two auto-approve workflows:

• .github/workflows/sync-docs-code-blocks.yml
• .github/workflows/sync-agent-sdk-openapi.yml

The OPENHANDS_BOT_GITHUB_PAT_PUBLIC token is a fine-grained PAT scoped only to public OpenHands repos with the narrowest permissions needed to approve these bot-authored PRs — tighter than the shared PAT_TOKEN it replaces.

Prerequisites

• OpenHands/docs added to the OPENHANDS_BOT_GITHUB_PAT_PUBLIC fine-grained PAT repo allowlist
• OPENHANDS_BOT_GITHUB_PAT_PUBLIC secret added to OpenHands/docs repository secrets

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
all-hands-ai	🟢 Ready	View Preview	Apr 23, 2026, 7:31 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[all-hands-bot]

Taste Rating: 🟢 Good taste - Clean, focused security improvement

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟢 LOW

This is a workflow-only change that improves security by replacing a shared PAT with a fine-grained token. Defensive conditionals ensure graceful degradation if the secret is missing. No code logic changes, easily revertible.

VERDICT:
⏸️ Ready to merge after prerequisites - Code changes are correct, but verify prerequisites are met before merging

KEY INSIGHT:
Textbook example of reducing security blast radius through fine-grained permissions - clean implementation with defensive fallbacks.

[enyst]

Let's do it!