chore: use OPENHANDS_BOT_GITHUB_PAT_PUBLIC in pr-review-by-openhands.yml

[simonrosenberg]

Part of OpenHands/evaluation#428 (PAT blast-radius reduction).

Replaces secrets.ALLHANDS_BOT_GITHUB_PAT → secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC on L49. The ALLHANDS_BOT_GITHUB_PAT is the shared bot token with write access to private repos; OPENHANDS_BOT_GITHUB_PAT_PUBLIC is a fine-grained PAT scoped only to public OpenHands repos (contents+pull-requests+issues:write). This matches the pattern already used in the other repos' pr-review-by-openhands.yml workflows.

Prerequisites

• OPENHANDS_BOT_GITHUB_PAT_PUBLIC secret added to OpenHands/docs repository secrets (if not already present from chore: use OPENHANDS_BOT_GITHUB_PAT_PUBLIC in sync workflows #473)
• OpenHands/docs on the PAT_PUBLIC fine-grained PAT allowlist (should already be, from chore: use OPENHANDS_BOT_GITHUB_PAT_PUBLIC in sync workflows #473)

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
all-hands-ai	🟢 Ready	View Preview	Apr 23, 2026, 8:36 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[all-hands-bot]

🟢 Good taste - Clean security improvement.

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟢 LOW

This is a straightforward security improvement that reduces blast radius by replacing a broad-scope shared token with a fine-grained PAT scoped only to public repos. The change is minimal, clear, and fail-safe: if the new secret is misconfigured, the workflow will fail rather than cause damage.

VERDICT:
✅ Worth merging: Simple configuration change that improves security posture.

KEY INSIGHT:
Textbook example of least-privilege principle applied to automation credentials.