diff --git a/.forgejo/workflows/main.yaml b/.forgejo/workflows/main.yaml
index 9df970d..c1bd655 100644
--- a/.forgejo/workflows/main.yaml
+++ b/.forgejo/workflows/main.yaml
@@ -26,11 +26,6 @@ jobs:
           make check no-dirty
       - name: 'deploy'
         run: |
-          umask 077
-          printf '%s' "$SSH_PRIVATE_KEY" | base64 -d > private_key
-          SSHOPTS="-i private_key -o StrictHostKeyChecking=accept-new"
-          rsync -a --delete -e "ssh ${SSHOPTS}" public/ www@www.adyxax.org:/srv/www/public/
-          rsync -e "ssh ${SSHOPTS}" search/search www@www.adyxax.org:/srv/www/
-          ssh ${SSHOPTS} www@www.adyxax.org "chmod +x search; systemctl --user restart www-search"
+          make deploy
         env:
           SSH_PRIVATE_KEY: '${{ secrets.SSH_PRIVATE_KEY }}'
diff --git a/GNUmakefile b/GNUmakefile
index 6fd2823..16e6ae0 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -36,9 +36,18 @@ serve: ## make serve		# hugo web server development mode
 ##### Operations ###############################################################
 .PHONY: deploy
 deploy: ## make deploy
-	rsync -a --delete public/ www@www.adyxax.org:/srv/www/public/
-	rsync search/search www@www.adyxax.org:/srv/www/
-	ssh www@www.adyxax.org "systemctl --user restart www-search"
+	umask 077
+	if [ -n "${SSH_PRIVATE_KEY:-}" ]; then
+	    cleanup() {
+	        rm -f private_key
+	    }
+	    trap cleanup EXIT
+	    printf '%s' "$SSH_PRIVATE_KEY" | base64 -d > private_key
+	    SSHOPTS="-i private_key -o StrictHostKeyChecking=accept-new"
+	fi
+	rsync -a --delete -e "ssh ${SSHOPTS:-}" public/ www@www.adyxax.org:/srv/www/public/
+	rsync -e "ssh ${SSHOPTS:-}" search/search www@www.adyxax.org:/srv/www/
+	ssh ${SSHOPTS:-} www@www.adyxax.org "chmod +x search; systemctl --user restart www-search"
 
 ##### Quality ##################################################################
 .PHONY: check