Hi Mani. Have you looked into a machine user? https://circleci.com/docs/2.0/gh-bb-integration/#creating-a-machine-user
I believe that is what you are looking for. You are correct that a read-only key won’t be able to push out, but a machine key can be set to allow access to pull from one repo and push to another.