Github: readonly access to a private repo

For anyone else finding this question, know that nowadays you can in fact create read-only deploy keys:

https://github.com/blog/2024-read-only-deploy-keys

You can still create deploy keys with write access, but have to explicitly grant that permission when adding the key.

I have it on good authority that the (relatively new) "Organizations" feature allows you to add people with read-only access to a private repository.