The GitHub Actions team has done lots of work to improve the performance and resource consumption of Actions on GHES in the past year.
You can now create deploy keys with read-only access. A deploy key is an SSH key that is stored on your server and grants access to a single GitHub repository. They are often used to clone repositories during deploys or continuous integration runs. Deploys sometimes involve merging branches and pushing code, so deploy keys have always allowed both read and write access. Because write access is undesirable in many cases, you now have the ability to create deploy keys with read-only access.
New deploy keys created through GitHub.com will be read-only by default and can be given write access by selecting “Allow write access” during creation. Access level can be specified when creating deploy keys from the API as well.