Robert Kearns

Reputation: 1706

Correct way to pull a repo to a server over SSH without giving everyone on the server access to my github?

I am currently doing a lot of work on a remote server. Quite a few people have access to this server, and we have all been using our own credentials when we need to pull the repo. I am starting to make some CI bash scripts that need to run without a password prompt. After some research I found the way around this is to add the server's public key to my GitHub.

Is this a secure method? It does not seem like GitHub has any sort of IAM for SSH keys. Meaning now anyone with access to the server can access my other git repositories. I am sure this is a common problem, but I can't seem to find the right combination of words to get a good Google result. Thanks for any advice!

Upvotes: 0

Views: 87

Answers (1)

bk2204

Reputation: 76519

What you're looking for is what GitHub calls a deploy key. This is an SSH key that isn't associated with anyone's account, but instead has access to just one specific repository. This key will provide read access, and can optionally provide write access as well. It's designed specifically for cases where a server or automated system needs to access a repository of its own accord.

Note that an SSH key used as a deploy key cannot be associated with any account, and trying to do so will lead to an error. This is because an SSH key uniquely identifies a set of access permissions.

Upvotes: 1
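One way to set up the deploy key described in the answer above, as an added example that is not part of the original answer: a dedicated key pair readable only by the CI user, plus an SSH host alias that offers only that key to github.com. The function names, the `/home/ci` paths, the `github-myrepo` alias and `example-org/myrepo` are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names, paths and the repository are assumptions.

# Create a passphrase-less ed25519 key pair to register as a deploy key.
# $1 = private key path, $2 = comment that identifies the key on GitHub
make_deploy_key() (
    umask 077                      # key files readable by the owning user only
    mkdir -p "$(dirname "$1")"
    ssh-keygen -q -t ed25519 -N "" -C "$2" -f "$1"
)

# Append a Host alias that presents only the deploy key to github.com,
# so no other key or agent identity of this user is offered.
# $1 = ssh config file, $2 = alias, $3 = private key path
write_deploy_host() (
    umask 077
    mkdir -p "$(dirname "$1")"
    cat >> "$1" <<EOF
Host $2
    HostName github.com
    User git
    IdentityFile $3
    IdentitiesOnly yes
EOF
)

# Print the remote URL that routes through the alias.
# $1 = alias, $2 = owner/repo
deploy_remote_url() {
    printf 'git@%s:%s.git\n' "$1" "$2"
}

# Typical sequence, run as the dedicated CI user:
#   make_deploy_key /home/ci/.ssh/myrepo_deploy "ci deploy key for myrepo"
#   (add /home/ci/.ssh/myrepo_deploy.pub under the repository's
#    Settings > Deploy keys, leaving "Allow write access" unchecked)
#   write_deploy_host /home/ci/.ssh/config github-myrepo /home/ci/.ssh/myrepo_deploy
#   git clone "$(deploy_remote_url github-myrepo example-org/myrepo)"
```

Anyone who can read the private key file can read that one repository, so the CI scripts should run as a user whose home directory the other people on the server cannot read.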
