Github: readonly access to a private repo

I am developing some private projects on Github, and I would like to add nightly cronjobs to my deployments servers to pull the latest version from github. I am currently doing this by generating keypairs on every deployment server and adding the public key to the github project as 'Deployment key'.

However, I recently found out that these deployment keys actually do have write access to the project. Hence, every of the server administrators could potentially start editing. Furthermore I can add every deployment key to only one repository, whereas I would like to be able to deploy multiple repositories on one and the same deployment server.

Is there a way to provide read-only access for private repositories to selected users on Github?

I have it on good authority that the (relatively new) "Organizations" feature allows you to add people with read-only access to a private repository.

For anyone else finding this question, know that nowadays you can in fact create read-only deploy keys:

https://github.com/blog/2024-read-only-deploy-keys

You can still create deploy keys with write access, but have to explicitly grant that permission when adding the key.

For Organizations: I suggest creating a new team specifically for the user. This team can then grant read-only access to the repositories you specify. I hope this helps!