
GitHub access token with read-only access to private repositories

I have a project with a Node dependency on a private Git repository. I need to be able to run npm install without being prompted to enter a password or allow an SSH connection, so I'm using an access token that I created on GitHub in my package.json:

    "dependencies": {
      "sass-theme": "git+https://[token]:[email protected]/MyOrg/sass-theme.git#v1.0.2",
      "node-sass": "^4.5.0"
    }

This project is shared with dozens of other people, so obviously I don't want to keep my token in source control. I know I can create a read-only deployment key on GitHub, but I believe that would require other developers to import the SSH key to build the project locally.

Is it possible to create an access token that can be shared but that has read-only access to clone the repository?

Big McLargeHuge asked Mar 07 '17 16:03


1 Answer

The most straightforward way I can think of to create a token that provides read-only access to a private repo is to

  1. have a user who only has read access to the given private repo (and ideally, not much else)
  2. As that user/have that user create a personal auth token with scope of "repo"

It would be best if they didn't have other repo accesses for other orgs/repos, since that scope essentially gives that total control over any repos that user controls.

I know in an Enterprise solution we would do that maybe with a system ID. I am not sure exactly what type of user account might be available in github.com actual, but I would check the Terms of Service first.

Al Neill answered Oct 11 '22 13:10
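
The question's concern, a token ending up in source control through a package.json git URL, can be checked mechanically in CI or a pre-commit hook. The following is an added example, not code from the question or the answer; the function name, the sample package data, the `other` repository and `CONSTRUCTED_TOKEN` are constructed for illustration.

```javascript
// Added example (not from the original post): find credentials embedded in
// the git URLs of a package.json so they can be caught before commit.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

function findEmbeddedCredentials(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== "string") continue;
      let url;
      try {
        // npm git specs look like "git+https://host/org/repo.git#ref".
        url = new URL(spec.replace(/^git\+/, ""));
      } catch {
        continue; // semver ranges such as "^4.5.0" are not URLs
      }
      // Only HTTP(S) userinfo is treated as a secret; "git@" in ssh URLs is a fixed login name.
      if (!/^https?:$/.test(url.protocol)) continue;
      if (url.username === "" && url.password === "") continue;
      // Report the URL with the userinfo masked so the finding itself leaks nothing.
      const redacted = `${url.protocol}//***@${url.host}${url.pathname}${url.hash}`;
      findings.push({ field, name, redacted });
    }
  }
  return findings;
}

// Constructed sample input; CONSTRUCTED_TOKEN is a placeholder, "other" is hypothetical.
const samplePkg = {
  dependencies: {
    "sass-theme": "git+https://CONSTRUCTED_TOKEN@github.com/MyOrg/sass-theme.git#v1.0.2",
    "node-sass": "^4.5.0",
  },
  devDependencies: {
    "other": "git+ssh://git@github.com/MyOrg/other.git",
  },
};

for (const f of findEmbeddedCredentials(samplePkg)) {
  console.log(`${f.field}.${f.name}: credential in URL ${f.redacted}`);
}
```
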