I am building front-end only app using Github pages. There I want to use Github API to retrieve data - https://developer.github.com/v4/guides/forming-calls/#communicating-with-graphql
To enable that one should obtain a token but I'm not sure how to secure it - since if I am only have a front end part of the app.
Is there a way to pass through secret deployment key or some environment key - like it's done at Heroku?
There isn't a secure way to do this. A token is a shared secret. In order to use a token securely, others must not have access to it (hence the "secret" part), but there's no way to avoid that with a frontend-only app.
GitHub Pages has no backend storage whatever; it provides only static hosting. Your problem would occur with any other static hosting provider as well, which Heroku is not.
You can try using the REST API, which has a limited amount of anonymous queries, but if you want to securely use the GraphQL API, then you'll need to have a backend service and host it somewhere other than GitHub Pages.