ProxyCommand nc github.com %p
And if you are on GitHub's per-user pricing model, machine users are not free.
Use API + OAuth access?
You can't give read-only OAuth access to private repos... it has to be read/write. Which means if you want to use online CI tools with those private repos... you've got to hope they don't either turn malicious or get hacked and have their keys copied.
From what I can tell, there's no write:tags scope: https://developer.github.com/v3/oauth/#scopes
Personally, I've used them a lot to mirror from my own GitLab server onto GitHub, so having them be read+write was a good thing in my case.
I know a lot more people use them to mirror stuff onto gh as well.
It's weird that they didn't have an option to write only for tags. "CI build X"...
I stopped using deploy keys long ago because of the security issue and instead opted to create additional GitHub users with read-only access for each use case.
Why did GitHub call these "deploy" keys if they had write access? Why would a deploy user need full write privileges to a repository to deploy something?
Edit: and to paint a more complete picture, you pointed out in your answer that many folks were using deploy keys to promote from a development branch to the master branch. Some commenters in this thread may, like myself, just not have thought to use deploy keys for this purpose, or that others would want to.
Not that I really expect that to happen anytime soon, I believe others have been asking for the above for quite some time.
IIRC only the owner can create deploy keys, so it wasn't a feature aimed at teams either.