We are using rhodecode for deployment and synchronisation, but we don't want to use passwords in any of our scripts.
The solution that we are using before was to have a special URL for readonly (for example http://server/readonly/repository). This URL was protected by Apache or Nginx to prevent any access from an non-authorize IP. With this URL, our script can pull their changes without any problem (or security problem).
Another solution can be to have a system of whitelist IP for readonly... but, in my point of view, this isn't the job of rhodecode.
PS : I let it as "major" because it's blocking for us in our daily job with rhodecode.