Are GitHub r-w deploy keys secure for open source projects?

I have an open source project on GitHub and I want to commit to the “gh-pages” branch from the container. To do so, I need (according to the CircleCI manual) to create a r-w deploy key and add the “add_ssh_keys” step. At the same time, the manual has a note that any code running in the container could read/steal those keys. Does this mean that forked pull requests could steal them? What other options do I have? I think it’s a pretty common workflow these days.