diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 898dee93aa69505eb349d293523a7298c1d9c25c..d30190fb6dfa996ccabdd2fdf11a2e3f091dae74 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -87,18 +87,20 @@ deploy-to-staging:
     - |
       # The environment variable is configured with GitLab using Terraform so
       # we can retain some bare minimum level of confidentiality.
-      base64 --decode "${PRIVATESTORAGEIO_STAGING_SSH_DEPLOY_KEY}" > "${PWD}"/deploy_key
+      KEY_DIR="$(mktemp -d -p "${XDG_RUNTIME_DIR}-deploy_key")"
+      KEY_PATH="${KEY_DIR}/deploy_key"
+      base64 --decode "${PRIVATESTORAGEIO_STAGING_SSH_DEPLOY_KEY}" > "${KEY_PATH}"
 
     # Update the deployment
     - |
-      ./ci-tools/deploy-to-staging "${PWD}"/deploy_key ${name}
+      ./ci-tools/deploy-to-staging "${KEY_PATH}" ${name}
 
     # Remove the key from the filesystem to reduce the chance of unintentional
     # disclosure.  Overall our handling of this key is still not *particulary*
     # safe or secure but that's why the key is only authorized to perform a
     # single very specific operation.
     - |
-      rm -v "${PWD}"/deploy_key
+      rm -v "${KEY_PATH}"
 
 deploy-to-production:
   stage: "deploy"