GitHub access token with read-only access to private repositories

The most straightforward way I can think of to create a token that provides read-only access to a private repo is to:

1. Have a user who has read-only access to the given private repo (and ideally, not much else)
2. As that user create a Personal Access Token with the "repo" scope

It would be best if they didn't have access to other orgs/repos, since the "repo" scope grants the user total control over any repos that user has write access to.

I know in an Enterprise solution we would do that with a System ID, but on GitHub you can instead create a Machine User.

If you think it's a bad idea to put your credentials in your source code (as you should!) then you have few options:

1. Keep it hosted in a private GitHub repo but add those dozens of other people as collaborators to this repo (with read only access).

2. Keep it hosted in a private GitHub repo but owned as an organization and add those people to the organization.

3. Publish it as a private npm module.

4. Publish it in a private npm registry.

5. Include the dependency in the source code of the program that needs it.

The last one is basically like including the node_modules in the original code that uses that module so of course it's not pretty. Hosting your own npm registry is not trivial but you can automate adding users that way. Publishing private npm module is not free. Maintaining an organization full of people who should be able to access your repo is annoying.

Keep in mind one thing: if you share your credentials with more than one person, expect everyone to eventually have access to it, it's just a matter of time. The credentials could have a limited scope, it can be a read only deploy key or a machine user with restricted access, but if it is distributed it will leak eventually as it always does, especially when you share it with dozens of people. It's much better to keep a list of people who can access the code, and you can automate keeping that list up to date using the GitHub API.

I would never recommend distributing credentials in the source code of the project, no matter how limited access those credentials provide.

Deploy keys are the way to go. By default they don't allow write access and they are scoped to the specific repository (unlike the GitHub personal access token). So you can now generate a private/public key pair, set one as read/pull only deploy key on a single repository in GitHub and use the private key in your CI.

For instance run a bash script:

eval "$(ssh-agent -s)";
ssh-add <your private deploy key>;

Now your CI has rights to access private repo's during the build.

You can add a Deploy key by going to your repository on Github and then clicking Settings > Deploy keys > Add deploy key