secure read-only self hosted git repository for scripts

You can use GitLab and the deploy key feature for CI. This feature is available for the Community Edition (CE), too.

Global Shared Deploy keys allow read-only or read-write (if enabled) access to be configured on any repository in the entire GitLab installation.

This is really useful for integrating repositories to secured, shared Continuous Integration (CI) services or other shared services. GitLab administrators can set up the Global Shared Deploy key in GitLab and add the private key to any shared systems. Individual repositories opt into exposing their repository using these keys when a project maintainer (or higher) authorizes a Global Shared Deploy key to be used with their project.

Global Shared Keys can provide greater security compared to Per-Project Deploy Keys since an administrator of the target integrated system is the only one who needs to know and configure the private key.

GitLab administrators set up Global Deploy keys in the Admin area under the section Deploy Keys. Ensure keys have a meaningful title as that will be the primary way for project maintainers and owners to identify the correct Global Deploy key to add. For instance, if the key gives access to a SaaS CI instance, use the name of that service in the key name if that is all it is used for. When creating Global Shared Deploy keys, give some thought to the granularity of keys - they could be of very narrow usage such as just a specific service or of broader usage for something like “Anywhere you need to give read access to your repository”.

Once a GitLab administrator adds the Global Deployment key, project maintainers and owners can add it in the project’s Settings > Repository page by expanding the Deploy Keys section and clicking Enable next to the appropriate key listed under Public deploy keys available to any project.

https://docs.gitlab.com/ee/ssh/#deploy-keys


EDIT:
Gitea is a more lightweight self-hosted Git service compared to GitLab. It is just a single static binary file without any dependencies, programmed in Go (you need to add config files and a systemd service or similar, of course). The website has a nice overview of its features: https://docs.gitea.io/en-us/
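
The shared-system side of the deploy key setup described in this answer, as an added example that is not part of the original post or of GitLab's documentation: it creates a dedicated key pair and an SSH `Host` stanza that offers only that key. The alias `gitlab-ro`, the host name `gitlab.example.internal` and all paths are assumptions.

```shell
#!/bin/sh
# Added example: client side of a read-only deploy key.
# Assumed names (not from the page): alias, host name, key and config paths.

# Generate a dedicated, passphrase-less key for the shared system.
# The resulting "$1.pub" is what the administrator pastes under
# Admin area > Deploy Keys; the private half never leaves this host.
make_deploy_key() {   # $1 = private key path, $2 = key comment/title
    ( umask 077
      mkdir -p "$(dirname "$1")"
      ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1" )
}

# Succeeds only if the private key is a regular file with mode exactly 0600.
key_perms_ok() {      # $1 = private key path
    [ -f "$1" ] && [ -n "$(find "$1" -prune -type f -perm 600)" ]
}

# Append a Host stanza that offers only the deploy key to that host.
# IdentitiesOnly stops ssh from trying agent or default keys, so the
# shared system cannot silently authenticate as a personal account.
write_ssh_stanza() {  # $1 = alias, $2 = real host, $3 = key path, $4 = config file
    key_perms_ok "$3" || { echo "refusing: $3 must be mode 600" >&2; return 1; }
    ( umask 077
      cat >> "$4" <<EOF
Host $1
    HostName $2
    User git
    IdentityFile $3
    IdentitiesOnly yes
    ForwardAgent no
EOF
    )
}

# Typical use on the CI host (group/scripts.git is a placeholder path):
#   make_deploy_key "$HOME/.ssh/gitlab_deploy" "shared-ci read-only"
#   write_ssh_stanza gitlab-ro gitlab.example.internal \
#       "$HOME/.ssh/gitlab_deploy" "$HOME/.ssh/config"
#   git clone gitlab-ro:group/scripts.git
```

Whether the key is read-only is decided on the GitLab side when the key is enabled for a project, so a rejected test push from this host is the way to confirm it.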
