How to automate clone from private repo with no user interaction from command line?

We are doing IOT device setup where the custom OS image performs a clone of a private repo to pull code to a unit while it comes up on network after a series of firstboot.sh events take place.

With the end of username/password access I’m confused with the overloaded git specific concepts and language being used to describe the new approaches. Its buried in the personal token and app authentication that the simple paradigm we had that was zero human interaction is now gone.

Am I understanding this confusing documentation correctly; We will have to now perform interactive sessions and insert of key for authentication that is ephemeral (as opposed to be configurable to persist) to do our setup? Everything I’m reading requires interaction and establishing credential cache’s for an ephemeral script run that deletes itself after its done…

Has anyone identified a way to persist a read only key that can be embedded in scripting to avoid having the overhead of chasing tokens with someone on a keyboard to do this?