Regarding GitHub, you can see the different ACL (Access Control Level) at "What are the different access permissions?"
If you are registering your private repo within an organization, then you would have the possibility to add users with Read Access Teams: that team would be able to clone/pull only, not push.
(They can fork, but the fork itself would be private, since it is a clone of a private repo).
Outside of GitHub (self-hosting repos), the usual way to add fine-grained access control levels is gitolite.
mainly I am looking to deploy my git repo on the production server by just doing git push
What you can do from a private repo is register a webhook, which will trigger a JSON payload. Your production server can listen to it, and pull only where there is a push in the GitHub repo (as in this gist).