diff --git a/ci-tools/update-nixpkgs b/ci-tools/update-nixpkgs
index baac52846cc300c9dc85f27134d35e44693a5d67..6b4438ac259671ba0278d4e4f9c5cb129e8d6306 100755
--- a/ci-tools/update-nixpkgs
+++ b/ci-tools/update-nixpkgs
@@ -12,12 +12,21 @@ set -eux -o pipefail
 
 HOST="whetstone.private.storage"
 
-setup_ssh() {
-    export HOME="${PWD}"
+__cleanup_ssh () {
+    ssh-agent -k
+}
 
+setup_ssh() {
     # -s makes the output sh compatible, in case it can't detect this for
     # itself.
-    eval $(ssh-agent -s)
+    #
+    # -t sets a limit on how long the key will be kept in memory.  we try to
+    # kill the agent when we're done but we can't be sure we'll always
+    # succeed.  The value is a number of seconds.
+    eval $(ssh-agent -s -t 300)
+
+    # On shell exit, run a function to kill the agent.
+    trap __cleanup_ssh EXIT
 
     # A GitLab CI/CD variable set for us to use.
     echo "${UPDATE_NIXPKGS_PRIVATE_SSHKEY_BASE64}" | base64 -d | ssh-add -
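Review bot: The key-loading line at the end of this hunk still exposes the private key to the job log: the script runs under `set -eux` (visible in the hunk header), so xtrace prints the fully expanded `echo "${UPDATE_NIXPKGS_PRIVATE_SSHKEY_BASE64}"` command, which the new agent lifetime and EXIT trap do not address. Unless the variable is reliably masked in GitLab, put `set +x` before that line and `set -x` after it so the key material is never traced. Separately, `-t 300` also caps how long later steps can authenticate; if the work between `setup_ssh` and the last SSH use can exceed five minutes, that use would presumably fail, which needs checking against the rest of the script outside this hunk. Quoting the substitution as `eval "$(ssh-agent -s -t 300)"` would also stop the agent output from being word-split before it is evaluated. The body of `setup_ssh` continues past the end of the hunk.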