docs: scope bot-token guidance to trust boundary #314

Merged
simonrosenberg merged 1 commit into main from scope-bot-token-guidance on Jun 8, 2026
Conversation

@simonrosenberg

Member

Why

The pr-review and vulnerability-remediation plugin READMEs are the canonical guidance other repos copy. They recommend a single broad bot secret (ALLHANDS_BOT_GITHUB_PAT) for posting comments / opening PRs, with no distinction between public and private repos. That guidance drives the trust-boundary problem tracked in evaluation#428 / #478: a public repo ends up wired to a credential that can also reach private repos.

Summary

  • Replace ALLHANDS_BOT_GITHUB_PAT in both plugin READMEs with trust-boundary guidance.
  • Recommend OPENHANDS_BOT_GITHUB_PAT_PUBLIC (fine-grained, public-repos-only) for public repositories.
  • For private repositories, recommend a token scoped to that repository — stated generically, no private secret name in a public repo.
  • Add the rule: never give a public repository a token that can reach private repositories.

Docs-only; no workflow or code changes.

How to test

  • grep -rn ALLHANDS_BOT_GITHUB_PAT plugins/ returns nothing.
  • Rendered READMEs read correctly and the YAML snippet uses OPENHANDS_BOT_GITHUB_PAT_PUBLIC.

🤖 Generated with Claude Code
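The rule in this PR (a public repository must never be wired to a token that can also reach private repositories) is easy to enforce mechanically, and the "How to test" bullet above is one instance of that check. The script below is an added example, not code from this PR or the project: it extracts every `secrets.NAME` reference under a workflows directory and applies a per-visibility allowlist. The secret names `ALLHANDS_BOT_GITHUB_PAT` and `OPENHANDS_BOT_GITHUB_PAT_PUBLIC` are taken from the PR description; `REPO_SCOPED_BOT_PAT` is a placeholder for whatever repo-scoped secret a private repository uses, `GITHUB_TOKEN` is assumed to be the built-in Actions token, and the sample workflow files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not part of PR #314 or the project): lint GitHub Actions
# workflows for bot-token references that violate the trust boundary.

BROAD_SECRET="ALLHANDS_BOT_GITHUB_PAT"            # broad secret the PR removes from the docs
PUBLIC_SECRET="OPENHANDS_BOT_GITHUB_PAT_PUBLIC"  # fine-grained, public-repos-only secret

# list_secret_refs DIR: print each distinct secrets.NAME referenced under DIR.
list_secret_refs() {
  grep -rhoE 'secrets\.[A-Za-z0-9_]+' "$1" 2>/dev/null | sed 's/^secrets\.//' | sort -u
}

# check_workflows DIR VISIBILITY: return 0 if every secret reference is allowed
# for a repository of that visibility (public|private), 1 otherwise, 2 on bad input.
check_workflows() {
  dir="$1"; visibility="$2"; rc=0
  for name in $(list_secret_refs "$dir"); do
    case "$visibility" in
      public)
        # Public repos may use only the built-in token (assumed name) or the public-only PAT.
        case "$name" in
          GITHUB_TOKEN|"$PUBLIC_SECRET") ;;
          *) echo "ERROR: public repo $dir uses secrets.$name; use $PUBLIC_SECRET" >&2; rc=1 ;;
        esac ;;
      private)
        # Private repos use a token scoped to that repo; the broad secret is never acceptable.
        if [ "$name" = "$BROAD_SECRET" ]; then
          echo "ERROR: private repo $dir uses broad secret $BROAD_SECRET; scope a token to this repo" >&2
          rc=1
        fi ;;
      *) echo "usage: check_workflows DIR public|private" >&2; return 2 ;;
    esac
  done
  return $rc
}

# make_samples ROOT: write three constructed workflow files under ROOT for demonstration.
make_samples() {
  root="$1"
  mkdir -p "$root/broad/.github/workflows" "$root/public/.github/workflows" "$root/private/.github/workflows"
  cat > "$root/broad/.github/workflows/review.yml" <<'EOF'
name: pr-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - run: echo "posting review comment"
        env:
          GH_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
EOF
  cat > "$root/public/.github/workflows/review.yml" <<'EOF'
name: pr-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - run: echo "posting review comment"
        env:
          GH_TOKEN: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC }}
EOF
  # REPO_SCOPED_BOT_PAT is a placeholder name, not a secret named anywhere in the PR.
  cat > "$root/private/.github/workflows/review.yml" <<'EOF'
name: pr-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - run: echo "posting review comment"
        env:
          GH_TOKEN: ${{ secrets.REPO_SCOPED_BOT_PAT }}
EOF
}

# Stand-alone run: build the samples and lint each one as the visibility it represents.
if [ "${0##*/}" != "sh" ] && [ -z "$LINT_NO_MAIN" ]; then
  root=$(mktemp -d)
  make_samples "$root"
  check_workflows "$root/broad"   public  && echo "broad/public: ok"   || echo "broad/public: FAIL (expected)"
  check_workflows "$root/public"  public  && echo "public/public: ok"  || echo "public/public: FAIL"
  check_workflows "$root/private" private && echo "private/private: ok" || echo "private/private: FAIL"
  rm -rf "$root"
fi
```

Run it from the root of a checkout as `check_workflows .github/workflows public` (or `private`) in CI to turn the PR's grep-based test into a gate; the allowlist for public repos is deliberately closed, so any newly introduced secret name fails until someone consciously decides it is safe to expose to a public workflow.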

Replace ALLHANDS_BOT_GITHUB_PAT in the pr-review and
vulnerability-remediation plugin READMEs with trust-boundary guidance:
recommend OPENHANDS_BOT_GITHUB_PAT_PUBLIC on public repos and a
repo-scoped token on private repos, never a token that can reach
private repos from a public workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
github-actions bot added the "type: docs" (Documentation only changes) label Jun 8, 2026
simonrosenberg requested a review from jlav June 8, 2026 16:11
simonrosenberg self-assigned this Jun 8, 2026
simonrosenberg merged commit ecb1818 into main Jun 8, 2026
6 checks passed
simonrosenberg deleted the scope-bot-token-guidance branch June 8, 2026 16:21
Labels

type: docs Documentation only changes
