
How do I configure GitHub token permissions so that others can only clone and pull, with push and delete forbidden?

How to Set Up a Read-Only GitHub Token for Clone/Pull Access

Let's walk through exactly how to create a GitHub token that allows only clone and pull operations (read-only access) while blocking every push, delete, or other write action. This uses GitHub's fine-grained personal access tokens, which can be scoped to specific repositories and individual permissions, unlike the old classic tokens.

Step 1: Generate a Fine-Grained Personal Access Token

This is the recommended approach because you can lock down permissions to exactly what's needed:

  • Head to your GitHub account Settings → Developer settings → Personal access tokens → Fine-grained tokens
  • Click "Generate new token"
  • Give it a clear, descriptive name (like "Read-Only Clone/Pull Token for External Team") and set an expiration date (critical for security — don't leave it permanent!)
  • Under "Repository access", choose one of the options:
    • Only select repositories: Pick the specific repo(s) you want to grant access to (follow the principle of least privilege here)
    • All repositories: Only use this if you need the token to work with every repo you own/manage
  • Now configure permissions — this is where we lock it to read-only:
    • For Repository permissions:
      • Find the "Contents" permission and set it to Read-only (this covers clone, pull, and fetch operations)
      • Leave all other repository permissions (Issues, Pull Requests, Actions, Projects, etc.) set to No access — you don't need any of these for basic clone/pull access
    • For Account permissions: Leave every single option set to No access — we don't want any account-level access here
  • Click "Generate token" at the bottom, and copy the token immediately (GitHub won't display it again once you leave this page!)

Step 2: Test the Token to Validate Permissions

Before sharing the token, make sure it actually blocks write actions:

  • Clone a repo using the token:
    git clone https://<YOUR_TOKEN>@github.com/<YOUR_USERNAME>/<TARGET_REPO>.git
    
  • Make a random change to a file, then try to commit and push:
    git add . && git commit -m "Test write access" && git push
    
  • You should get an error message saying you don't have permission to push to the repository — that means the token is working as intended!
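The check in Step 2 can be scripted so it is repeatable and does not put the token into the clone URL (where it ends up in .git/config and shell history). This is an added example, not part of the original answer: it assumes the token is in the GITHUB_TOKEN environment variable and takes the HTTPS URL of one repository the token was granted "Contents: Read-only" on; the helper names (probe_read, probe_write, classify, verify_token) are invented here.

```sh
#!/bin/sh
# Probe whether a GitHub fine-grained token is really read-only, using git's
# own transport. The token reaches git through GIT_ASKPASS, so it never lands
# in the remote URL, in .git/config or in shell history.
# Assumed: GITHUB_TOKEN holds the token; the URL argument is a repository it
# was granted "Contents: Read-only" on (Metadata: Read-only comes with it).

probe_read() {
  # ls-remote only needs git-upload-pack, which read access allows.
  git ls-remote --exit-code "$1" HEAD >/dev/null 2>&1
}

probe_write() {
  # --dry-run changes no ref, but git still has to open git-receive-pack on
  # the server, and GitHub refuses that (HTTP 403) for a read-only token.
  scratch="$(mktemp -d)"; rc=0
  { git init -q "$scratch" \
      && git -C "$scratch" -c user.name=probe -c user.email=probe@example.invalid \
           commit -q --allow-empty -m probe \
      && git -C "$scratch" push --dry-run "$1" HEAD:refs/heads/token-probe; } \
    >/dev/null 2>&1 || rc=$?
  rm -rf "$scratch"
  return "$rc"
}

# Turn the two git exit codes into a verdict (pure, so it can be unit-tested).
classify() {
  if [ "$1" -ne 0 ]; then echo "no-access"
  elif [ "$2" -eq 0 ]; then echo "over-privileged"
  else echo "read-only"
  fi
}

verify_token() {
  # Helper script that git calls for the username and password prompts.
  # GitHub authenticates on the token; the username is only a placeholder.
  askpass="$(mktemp)"
  printf '%s\n' '#!/bin/sh' \
    'case "$1" in Username*) echo "x-access-token" ;; Password*) echo "$GITHUB_TOKEN" ;; esac' \
    >"$askpass"
  chmod 700 "$askpass"
  export GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0
  read_rc=0; write_rc=0
  probe_read "$1" || read_rc=$?
  probe_write "$1" || write_rc=$?
  rm -f "$askpass"
  classify "$read_rc" "$write_rc"
}

# Usage: GITHUB_TOKEN=github_pat_... sh verify_token.sh https://github.com/OWNER/REPO.git
if [ "$#" -ge 1 ]; then verify_token "$1"; fi
```

A correctly scoped token prints `read-only`; `over-privileged` means the dry-run push was accepted and the token should be revoked, while `no-access` means the repository was not selected under "Repository access" or Contents is still set to No access.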

Key Security Tips

  • Avoid classic tokens: Fine-grained tokens are far safer because they limit access to specific repos and permissions, unlike classic tokens, which grant broad, over-scoped access
  • Rotate tokens regularly: Even with an expiration date, it's good practice to generate new tokens every few months
  • Revoke immediately if leaked: If you suspect the token has been shared or compromised, head back to the fine-grained tokens page and delete it right away

The question comes from Stack Exchange; it was asked by user6934519.
