Read-only SSH Keys

I would like to add an SSH key from a machine that should only ever be able to read from the various repositories it’s allowed on, and never be able to write to them. The use-case for this is that I want to make sure to NEVER deploy code from that machine (a work-owned computer) but would like to pull down from my personal, non-public repositories.

On the “SSH and GPG keys” page of settings, each of my keys is marked “Read/write”, but I do not see any way to make them read-only.

Is this a feature that exists? If so, how can I use it?


Hi, @zachriggle,
No, it is not possible to add an SSH key on your account that is READ only.
Also, in a private user repository, repository owners can only grant write access to collaborators. Collaborators can’t have read-only access to repositories owned by a user account. Collaborators on a personal repository can pull (read) the contents of the repository and push (write) changes to the repository.

A deploy key is an SSH key that is stored on your server and grants access to a single GitHub repository. This key is attached directly to the repository instead of to a personal user account.
When adding a Deploy Key you can choose to select Allow write access if you want this key to have write access to the repository.
As a Deploy key only grants access to a single repository, more complex projects may have many repositories to pull to the same server, so this could be a disadvantage for you if access to many repositories is needed.

managing-deploy-keys#deploy-keys

There’s an alternative approach here: Newbie: How to use deploy keys

You could create a new GitHub account, set up an SSH key for it, and then grant it read-only access to your private repositories.
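
For the deploy-key route described in the answer above, one way to handle several repositories from one machine is a separate key per repository, each selected through its own SSH host alias. This is an added example, not part of the original thread; the owner name, repository names, key directory and alias scheme are constructed assumptions.

```shell
#!/bin/sh
# Added example: one read-only deploy key per repository, picked via SSH host aliases.
# OWNER, REPOS and KEYDIR are constructed sample values, not from the thread.
OWNER="example-user"
REPOS="dotfiles notes-private"
KEYDIR="${KEYDIR:-$HOME/.ssh/deploy}"

# Host alias that maps exactly one repository to exactly one key.
alias_for() { printf 'github.com-%s' "$1"; }

# Private key path for a repository.
key_for() { printf '%s/%s_ed25519' "$KEYDIR" "$1"; }

# ssh_config stanza: the alias resolves to github.com but offers only this key.
# IdentitiesOnly stops ssh from also offering agent keys, such as a
# read/write account key that happens to be loaded on the same machine.
stanza_for() {
    printf 'Host %s\n' "$(alias_for "$1")"
    printf '    HostName github.com\n'
    printf '    User git\n'
    printf '    IdentityFile %s\n' "$(key_for "$1")"
    printf '    IdentitiesOnly yes\n'
}

# Clone URL that routes through the alias instead of plain github.com.
clone_url() { printf 'git@%s:%s/%s.git' "$(alias_for "$2")" "$1" "$2"; }

# Generate a key for a repository unless one already exists.
# -N "" means no passphrase, so the file permissions are the only protection.
gen_key() {
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    [ -f "$(key_for "$1")" ] || \
        ssh-keygen -q -t ed25519 -N "" -C "deploy-ro:$1" -f "$(key_for "$1")"
}

# With the argument "apply" the keys are created; otherwise the script only
# prints the stanzas to append to ~/.ssh/config and the clone URLs to use.
for repo in $REPOS; do
    if [ "${1:-}" = "apply" ]; then gen_key "$repo"; fi
    stanza_for "$repo"
    printf '# clone with: git clone %s\n\n' "$(clone_url "$OWNER" "$repo")"
done
```

Each generated `.pub` file is added as a deploy key on its own repository with "Allow write access" left unselected, so pushes through that alias are refused on the server side.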