
Whether to use GitHub PAT or SSH key pair or deployment key?

Personal access tokens and SSH key pairs are functionally equivalent. So why use one over the other?

One option is to set up personal access tokens on the account that owns the private dependency.

Another is to create a generic account and add it as a collaborator to the dependent repo.

Either way, the owner of a private dependency must explicitly grant access to it. A PAT requires regular re-authorization as the tokens expire; an SSH key does not.

Because SSH keys are associated with an external user ID (and not the ID that owns the repo), read-only access may be granted to an entire team to that generic user ID. This is by far the least problematic when dealing with “innersource” GitHub Enterprise Cloud architectures. Even better, the secret key for that user can be added as an organization key that is associated with all the repos to which that generic ID should be granted read-only access.
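
One way to wire up the generic-account SSH key on a build host, as an added example that is not part of the original note. The host alias `github-deps`, the org name `example-org` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: function names, the alias and the org name are hypothetical.

# Generate a dedicated key pair for the generic (machine) account.
# The public half is uploaded to that account; the private half is the secret.
gen_machine_key() {  # $1 = key path, $2 = key comment
    ssh-keygen -q -t ed25519 -N "" -C "$2" -f "$1"
}

# Append an SSH host alias that offers only the machine key to github.com,
# so personal keys loaded in an agent are never presented for dependency fetches.
write_host_alias() {  # $1 = ssh config path, $2 = alias, $3 = private key path
    (
        umask 077   # a newly created config is readable by the owner only
        cat >> "$1" <<EOF
Host $2
    HostName github.com
    User git
    IdentityFile $3
    IdentitiesOnly yes
EOF
    )
}

# Write a git include file that routes one org's HTTPS URLs through the alias,
# leaving every other github.com URL on the caller's normal credentials.
write_url_rewrite() {  # $1 = gitconfig path, $2 = alias, $3 = org
    printf '[url "git@%s:%s/"]\n\tinsteadOf = https://github.com/%s/\n' \
        "$2" "$3" "$3" > "$1"
}

# Succeed only if the private key exists and has no group/other permission bits.
key_is_private() {  # $1 = private key path
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}
```

The generated include file takes effect once it is referenced from the user's git configuration, for example with `git config --global include.path <file>`.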