+1 for this as a feature request.
I assumed this was possible, but couldn't figure out how to do it, and ended up here after googling and now learning that it's not possible.
Not being able to differentiate read-only vs. read/write access when selectively sharing something private seems to me to be somewhat of a departure from the common practice of other web services.
Maybe the description of a private repo needs to be changed? I'm a workshop presenter with proprietary material I need to let people clone, but not commit. A private repo looked ideal when I read:
You choose who can see and commit to this repository."
That gives the impression I can let someone see it, but not commit to it... which is what I need.
Add me to the list of people wanting read only access to private repo's. Right now you have to give read and write for access tokens.