diff --git a/.forgejo/workflows/main.yaml b/.forgejo/workflows/main.yaml
index 9962c80..1c36362 100644
--- a/.forgejo/workflows/main.yaml
+++ b/.forgejo/workflows/main.yaml
@@ -50,11 +50,7 @@ jobs:
         with:
           name: 'ods'
       - run: |
-          umask 077
-          printf '%s' "$SSH_PRIVATE_KEY" | base64 -d > private_key
-          SSHOPTS="-i private_key -o StrictHostKeyChecking=accept-new"
-          rsync -e "ssh ${SSHOPTS}" ods ods@ods.adyxax.org:
-          ssh ${SSHOPTS} ods@ods.adyxax.org "chmod +x ods; systemctl --user restart ods"
+          make deploy
         env:
           SSH_PRIVATE_KEY: '${{ secrets.SSH_PRIVATE_KEY }}'
   publish:
diff --git a/GNUmakefile b/GNUmakefile
index 2e974e2..3695969 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -37,8 +37,17 @@ push: tidy no-dirty check ## push changes to git remote
 
 .PHONY: deploy
 deploy: build ## deploy changes to the production server
-	rsync ./ods ods@ods.adyxax.org:
-	ssh ods@ods.adyxax.org "systemctl --user restart ods"
+	umask 077
+	if [ -n "$${SSH_PRIVATE_KEY:-}" ]; then
+	    cleanup() {
+	        rm -f private_key
+	    }
+	    trap cleanup EXIT
+	    printf '%s' "$$SSH_PRIVATE_KEY" | base64 -d > private_key
+	    SSHOPTS="-i private_key -o StrictHostKeyChecking=accept-new"
+	fi
+	rsync -e "ssh $${SSHOPTS:-}" ./ods ods@ods.adyxax.org:
+	ssh $${SSHOPTS:-} ods@ods.adyxax.org "chmod +x ods; systemctl --user restart ods"
 
 ##### Utils ####################################################################
 .PHONY: confirm