diff --git a/.github/post-job-template.yml.j2 b/.github/post-job-template.yml.j2
index e3bff70dd7..e0b322a082 100644
--- a/.github/post-job-template.yml.j2
+++ b/.github/post-job-template.yml.j2
@@ -6,11 +6,16 @@ update_manifest:
 - name: Checkout code
 uses: actions/checkout@v2
 with:
- ref: {{ "${{ github.event.after }}" }} # for PR avoids checking out merge commit
 fetch-depth: 0 # include all history
+ - name: "Set GITHUB_BRANCH"
+ run: |
+ GITHUB_BRANCH=`sed 's/^refs\/heads\///' <<< $GITHUB_REF`
+ echo "GITHUB_BRANCH=${GITHUB_BRANCH}" >> $GITHUB_ENV
+
 - name: Update Manifest for Ansible Hub UI
 env:
- {{ set_env_vars() | indent(10) }}
+ GITHUB_PULL_REQUEST: {{ "${{ github.event.number }}" }}
+ MANIFEST_PASSPHRASE: {{ "${{ secrets.MANIFEST_PASSPHRASE }}" }}
 run: .github/workflows/scripts/update_manifest.sh
 shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 71a2ceab4a..202419b58d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -198,18 +198,16 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v2
 with:
- ref: ${{ github.event.after }} # for PR avoids checking out merge commit
 fetch-depth: 0 # include all history
+ - name: "Set GITHUB_BRANCH"
+ run: |
+ GITHUB_BRANCH=`sed 's/^refs\/heads\///' <<< $GITHUB_REF`
+ echo "GITHUB_BRANCH=${GITHUB_BRANCH}" >> $GITHUB_ENV
+
 - name: Update Manifest for Ansible Hub UI
 env:
- PY_COLORS: '1'
- ANSIBLE_FORCE_COLOR: '1'
 GITHUB_PULL_REQUEST: ${{ github.event.number }}
- GITHUB_PULL_REQUEST_BODY: ${{ github.event.pull_request.body }}
- GITHUB_BRANCH: ${{ github.head_ref }}
- GITHUB_REPO_SLUG: ${{ github.repository }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITHUB_CONTEXT: ${{ github.event.pull_request.commits_url }}
+ MANIFEST_PASSPHRASE: ${{ secrets.MANIFEST_PASSPHRASE }}
 run: .github/workflows/scripts/update_manifest.sh
 shell: bash
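Review bot: The `Update Manifest for Ansible Hub UI` step now receives `MANIFEST_PASSPHRASE` on every event that runs this job (the triggers are outside the hunk), pull requests included, and depends on the early exit inside update_manifest.sh to leave the key untouched. Gating the step itself keeps the secret out of runs that never need it: add `if: github.event_name == 'push'` to this step and to the new `Set GITHUB_BRANCH` step. The generated hunk in `.github/workflows/ci.yml` carries the same two steps and needs the same condition. In `Set GITHUB_BRANCH` the sed only strips `refs/heads/`, so a tag or pull-request ref is exported unchanged as `GITHUB_BRANCH`; `GITHUB_BRANCH="${GITHUB_REF#refs/heads/}"` does the same stripping without a subprocess or an unquoted here-string.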
diff --git a/.github/workflows/scripts/deploy_manifest.gpg b/.github/workflows/scripts/deploy_manifest.gpg
new file mode 100644
index 0000000000..fea7fb7c48
Binary files /dev/null and b/.github/workflows/scripts/deploy_manifest.gpg differ
diff --git a/.github/workflows/scripts/update_manifest.sh b/.github/workflows/scripts/update_manifest.sh
index 20ae3b5e10..cbd097f0c3 100755
--- a/.github/workflows/scripts/update_manifest.sh
+++ b/.github/workflows/scripts/update_manifest.sh
@@ -10,8 +10,7 @@ readonly GITHUB_BRANCH="${GITHUB_BRANCH:-}"
 readonly MANIFESTS_GIT_USER="${MANIFESTS_GIT_USER:-}"
 readonly MANIFESTS_GIT_EMAIL="${MANIFESTS_GIT_EMAIL:-}"
-readonly MANIFESTS_GIT_TOKEN="${MANIFESTS_GIT_TOKEN:-}"
-readonly MANIFESTS_GIT_URL="https://${MANIFESTS_GIT_USER}:${MANIFESTS_GIT_TOKEN}@github.com/RedHatInsights/manifests.git"
+readonly MANIFESTS_GIT_URL="git@github.com:RedHatInsights/manifests.git"
 readonly MANIFESTS_DIR='/tmp/manifests'
 readonly MANIFEST_FILE="${MANIFESTS_DIR}/automation-hub/automation-hub-api.txt"
@@ -37,7 +36,7 @@ generate_docker_manifest() {
 echo "${PREFIX}/Dockerfile-FROM-${base_image}"
 }
-if [[ "$GITHUB_PULL_REQUEST" != 'false' ]]; then
+if [[ -n "$GITHUB_PULL_REQUEST" ]]; then
 log_message 'Ignoring manifest update for pull request.'
 exit 0
 fi
@@ -49,6 +48,14 @@ else
 exit 0
 fi
+# decrypt deploy key and use
+gpg --quiet --batch --yes --decrypt --passphrase="$MANIFEST_PASSPHRASE" --output .github/workflows/scripts/deploy_manifest .github/workflows/scripts/deploy_manifest.gpg
+
+chmod 600 .github/workflows/scripts/deploy_manifest
+eval `ssh-agent -s`
+ssh-add .github/workflows/scripts/deploy_manifest
+
+
 git clone --depth=10 --branch="${manifests_branch}" \
 "${MANIFESTS_GIT_URL}" "${MANIFESTS_DIR}" &>/dev/null
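Review bot: The pull-request guard `if [[ -n "$GITHUB_PULL_REQUEST" ]]` fails open: any run where the variable is empty or unset (a manual or scheduled run, or a workflow that does not pass it) falls through to the branch check and, for a matching branch, to the key decryption and push. A positive check on the event is safer, for example `if [[ "${GITHUB_EVENT_NAME:-}" != 'push' ]]; then`, which uses the variable the runner sets itself. The log message would need rewording to match, and how `GITHUB_PULL_REQUEST` is declared lies outside this hunk.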
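Review bot: The decrypted deploy key lands inside the checked-out repository at `.github/workflows/scripts/deploy_manifest` and is never removed, and the passphrase is handed to gpg as a command-line argument, where it is readable from the process list while gpg runs. Decrypting to a private temporary file, feeding the passphrase on a file descriptor, and cleaning up the key and the agent on exit closes both gaps; the sketch below assumes the script has no other EXIT trap, which cannot be seen from this hunk. Because `deploy_manifest.gpg` is committed, the passphrase is the only thing protecting the key, so it needs to be long and random. Storing the key itself as a repository secret would remove the encrypted blob from the tree altogether.

```shell
# … unchanged: branch selection above …
# decrypt deploy key into a private temp file; remove it and stop the agent on exit
deploy_key="$(mktemp "${RUNNER_TEMP:-/tmp}/deploy_manifest.XXXXXX")"
trap 'ssh-agent -k >/dev/null 2>&1; rm -f "$deploy_key"' EXIT
gpg --quiet --batch --yes --decrypt --passphrase-fd 0 \
    --output "$deploy_key" .github/workflows/scripts/deploy_manifest.gpg \
    <<< "$MANIFEST_PASSPHRASE"
chmod 600 "$deploy_key"

eval "$(ssh-agent -s)"
ssh-add "$deploy_key"
# … unchanged: git clone of the manifests repository …
```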