I don't know about your use-case, but in my experience by far the greatest use of these keys is (as they say in the linked article) for use by continuous integration servers. Some folks tag each build (if it creates an artifact), and almost everyone tags release builds created by CI. Thus, these keys need to be R/W to push tags back up.
Fine, let's be picky. Pushing a new tag onto an existing commit is a vastly smaller privilege than being able to push objects and point branches at them.
You can have a read-write user on your CI server, but use a read-only user for any remote server where code is deployed. It's bad security policy that GitHub ever allowed deploy keys to be RW.
API access is a lot more permissive. A deploy key only have access to 1 repo, but there's no way to limit API tokens to a single repo (and by default they have access to all repos in all organizations the issuer of a token have access to).
You can't give read only Oauth access to private repos....it has to be read/write. Which means if you want to use online CI tools with those private repos....you've got to hope they don't either turn malicious, or they get hacked and have their keys copied.
Some people using manual tagging as a mechanism to communicate something to CI as you suggest, but others let CI tag successful builds. When I re-did my team's CI a few years ago I chose the latter because it creates less friction for continuous deployment -- every commit which passes the tests automatically becomes a deployable artifact with a monotonically increasing build number which can be tracked across SCM, CI, and deployment.
Heh, you've never worked with a project/product manager, have you? "Yes, ma'am, version 1b6411f has been deployed successfully. Now I just need to edit the pom and bump the version to 2e1080d"
Yep, and there was a big fat warning in the documentation saying that they had full access to the repo. Couple this with being able to be used on only a single repo - github blocks other repos from using the same key - and you may as well just make a normal github account for your deploy system and manage it that way...
It's weird that they didn't have an option to write only for tags. "CI build X"...
Yeah, one or more deployment accounts is the approach I've seen most "in the wild". Machine users[1] with tightly scoped access to a collection of repos. Access can then be managed through the relevant Read-only GitHub team.
It's ridiculous it has taken GitHub so long to provide this basic functionality. Judging by comments on this thread, it looks like a lot of people assumed the keys were already read-only. And i'm not surprised because GitHub has never made it explicitly clear in documentation and their website that the keys had full write access!
I stopped using deploy keys long ago because of the security issue and instead opted to create additional github users with read-only access for each use case.
Why did GitHub call these "deploy" keys if they had write access? Why would a deploy user need full write privileges to a repository to deploy something?
I asked Zach Holman at one of his tech talks a couple years ago and he replied (paraphrasing): "Yes read/write deploy keys are not ideal. That's why we don't ourselves use deploy keys at GitHub, and in fact we regret that the feature exists." I think he used an expression like "deploy keys are a red-headed stepchild".
I like to pride myself on never having used a clumsy phrase like that. That said, machine users were en vogue at GitHub, although maybe that's changing with more consideration being given to deploy keys nowadays.
Sorry, I believe you used a more palatable expression than that, but having a similar meaning.
Edit: and to paint a more complete picture, you pointed out in your answer that many folks were using deploy keys to promote from a development branch to the master branch. Some commenters in this thread may, like myself, just not have thought to use deploy keys for this purpose, or that others would want to.
