diff --git a/.github/secrets/hcloud_cli.p12.gpg b/.github/secrets/hcloud_cli.p12.gpg
deleted file mode 100644
index b812c05a..00000000
Binary files a/.github/secrets/hcloud_cli.p12.gpg and /dev/null differ
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 00c8940e..b7b1b847 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,12 +30,9 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
-      - name: Decrypt Secrets
-        env:
-          SECRETS_PASSWORD: ${{ secrets.SECRETS_PASSWORD }}
+      - name: Extract Apple certificate
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$SECRETS_PASSWORD" \
-              --output .github/secrets/hcloud_cli.p12 .github/secrets/hcloud_cli.p12.gpg
+          echo "${{ secrets.APPLE_P12_FILE }}" | base64 -d > certificate.p12
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
@@ -46,7 +43,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
 
-      - uses: actions/upload-artifact@v4
-        with:
-          name: Preview Binaries
-          path: dist/hcloud-*/hcloud
+      - name: Delete Apple certificate
+        if: always()
+        run: rm -f certificate.p12
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 838270c2..b7973e19 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -43,7 +43,7 @@ builds:
       post:
         - cmd: >
             rcodesign sign
-              --p12-file .github/secrets/hcloud_cli.p12
+              --p12-file certificate.p12
               --p12-password "{{ .Env.APPLE_P12_PASSWORD }}"
               --code-signature-flags runtime
               "{{ .Path }}"