


API access is a lot more permissive. A deploy key only has access to 1 repo, but there's no way to limit API tokens to a single repo (and by default they have access to all repos in all organizations the issuer of a token has access to).


Yes, I didn't realize how bad GitHub's security model of this stuff was.


Yeah, it's terrible.

You can't give read-only OAuth access to private repos... it has to be read/write. Which means if you want to use online CI tools with those private repos, you've got to hope they don't either turn malicious or get hacked and have their keys copied.


Can you limit the user permissions to only affect tags? Otherwise, I'm not seeing the advantage.

From what I can tell, there's no write:tags scope: https://developer.github.com/v3/oauth/#scopes


Ugh. You are right, it looks like they screwed this up.



