diff --git a/.github/workflows/deploy-to-staging.yaml b/.github/workflows/deploy-to-staging.yaml
index b2ef46eab..6084b2a97 100644
--- a/.github/workflows/deploy-to-staging.yaml
+++ b/.github/workflows/deploy-to-staging.yaml
@@ -63,10 +63,18 @@ jobs:
         if: ${{ env.DEPLOY }}
         run: |
           mkdir -p ${HOME}/bin
-          curl -sSL https://github.com/mozilla/sops/releases/download/v3.7.0/sops-v3.7.0.linux -o ${HOME}/bin/sops
+          curl -sSL https://github.com/mozilla/sops/releases/download/v3.9.0/sops-v3.9.0.linux -o ${HOME}/bin/sops
           chmod 755 ${HOME}/bin/sops
           echo "${HOME}/bin" >> $GITHUB_PATH
 
+      - name: Store SOPS secret in a file
+        if: ${{ env.DEPLOY }}
+        run: |
+          cat << EOF > ${HOME}/sops.key
+          ${{ secrets.SOPS_KEY }}
+          EOF
+          echo "GOOGLE_APPLICATION_CREDENTIALS=${HOME}/sops.key" >> $GITHUB_ENV
+
       - name: Install Helm
         if: ${{ env.DEPLOY }}
         run: |
@@ -78,8 +86,6 @@ jobs:
       - name: Deploy hubs to staging
         if: ${{ env.DEPLOY }}
         run: |
-          echo ${{ secrets.SOPS_KEY }} > ${HOME}/sops.key
-          export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/sops.key"
           for hub in $(echo -e "${{ env.DEPLOY_HUBS }}"); do
             echo "Deploying $hub to staging"
             hubploy --verbose deploy $hub hub staging