GitHub OAuth2 Token: How to restrict access to read a single private repo

I don’t believe you can restrict GitHub OAuth tokens in that way. The GitHub docs for OAuth say that

While Git over HTTP with OAuth reduces friction for some types of applications, keep in mind that unlike deploy keys, OAuth tokens work for any repository for which the user has access.

So while you can limit the scope of the token in terms of the types of activities, you can’t limit it to a subset of repos.

Deploy keys can be restricted to a single repo, but allow write access.

The obvious tactic (as mentioned by Thomas) is to create a dummy account that represents the application. Given the goals of OAuth, this might be a better workflow in any case — it’ll let you easily change the permissions the app has as if it were in fact a user.

GitHub even mentions/endorses this strategy explicitly, calling them machine users.
