The most straightforward way I can think of to create a token that provides read-only access to a private repo is to:
- Have a user who has read-only access to the given private repo (and ideally, not much else)
- As that user, create a Personal Access Token with the “repo” scope
It would be best if they didn’t have access to other orgs/repos, since the “repo” scope grants the user total control over any repos that user has write access to.
I know in an Enterprise solution we would do that with a System ID, but on GitHub you can instead create a Machine User.
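Since the “repo” scope itself is not read-only, the only thing that makes the token read-only is the machine user's permission on the repo. The script below is an added example (not part of the original post, and not GitHub's own tooling) that checks exactly that: it reads the `X-OAuth-Scopes` response header and the `permissions` object that `GET /repos/{owner}/{repo}` returns for the authenticated user, and reports whether the token can only pull. The owner/repo names, the environment variable names and the constructed sample responses are assumptions for the example.

```python
"""Check that a GitHub classic PAT behaves as read-only on one repository.

Added example, not from the original post. Assumes the documented
X-OAuth-Scopes response header and the `permissions` object returned by
GET /repos/{owner}/{repo}; OWNER/REPO and env var names are placeholders.
"""
import json
import os
import urllib.request

GITHUB_API = "https://api.github.com"


def assess_token(scopes_header: str, repo_info: dict) -> dict:
    """Pure check over an API response: is this token effectively read-only?

    scopes_header: value of the X-OAuth-Scopes header, e.g. "repo, gist".
    repo_info: parsed JSON body of GET /repos/{owner}/{repo}.
    Returns a dict of findings so callers (and tests) can inspect each one.
    """
    scopes = {s.strip() for s in scopes_header.split(",") if s.strip()}
    perms = repo_info.get("permissions", {})
    findings = {
        "scopes": sorted(scopes),
        # A private repo needs the "repo" scope; anything beyond it widens the blast radius.
        "extra_scopes": sorted(scopes - {"repo"}),
        "can_read": bool(perms.get("pull")),
        # Any of these means the machine user can change the repo, so the token is not read-only.
        "can_write": bool(perms.get("push") or perms.get("maintain") or perms.get("admin")),
    }
    findings["read_only"] = findings["can_read"] and not findings["can_write"]
    return findings


def fetch_repo_info(owner: str, repo: str, token: str) -> tuple[str, dict]:
    """Call the live API (network required) and return (scopes header, JSON body)."""
    req = urllib.request.Request(
        f"{GITHUB_API}/repos/{owner}/{repo}",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        scopes_header = resp.headers.get("X-OAuth-Scopes", "")
        body = json.loads(resp.read().decode("utf-8"))
    return scopes_header, body


# Constructed sample responses (not captured from GitHub) used for offline checks.
SAMPLE_READ_ONLY = {
    "full_name": "example-org/private-repo",
    "private": True,
    "permissions": {"admin": False, "maintain": False, "push": False, "triage": False, "pull": True},
}
SAMPLE_WRITE = {
    "full_name": "example-org/private-repo",
    "private": True,
    "permissions": {"admin": False, "maintain": False, "push": True, "triage": True, "pull": True},
}


def demo() -> list[dict]:
    """Run the pure check over both constructed samples."""
    return [
        assess_token("repo", SAMPLE_READ_ONLY),
        assess_token("repo, admin:org", SAMPLE_WRITE),
    ]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for f in demo():
        print(f)
    # Live check when a token and target are supplied (placeholder env var names).
    token, target = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_REPO")
    if token and target and "/" in target:
        owner, repo = target.split("/", 1)
        print(assess_token(*fetch_repo_info(owner, repo, token)))
```

Run it with `GITHUB_TOKEN` and `GITHUB_REPO=owner/name` set to test the machine user's token; if `read_only` comes back false or `extra_scopes` is non-empty, the machine user has more than it needs.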