diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 5077a05e5..e1ac81667 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -29,8 +29,8 @@ jobs:
       - name: Import PGP Private Key
         run: |
-          echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
-          echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > passphrase-file.txt
+          echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output /tmp/keyring.gpg
+          echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > /tmp/passphrase-file.txt
 
       - name: Set up Helm
         uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
@@ -42,13 +42,17 @@ jobs:
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_KEY: helm-charts+no-reply@cloudnative-pg.io
-          CR_KEYRING: keyring.gpg
-          CR_PASSPHRASE_FILE: passphrase-file.txt
+          CR_KEYRING: /tmp/keyring.gpg
+          CR_PASSPHRASE_FILE: /tmp/passphrase-file.txt
           CR_SIGN: true
           CR_SKIP_EXISTING: true
           CR_GENERATE_RELEASE_NOTES: true
           CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}"
 
+      - name: Securely delete the PGP key and passphrase
+        if: always()
+        run: shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
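Review bot: The two rewritten `echo "${{ secrets.PGP_PRIVATE_KEY }}"` / `echo "${{ secrets.PGP_KEY_PASSPHRASE }}"` lines in the first hunk still interpolate the secrets directly into the shell script, so the key and passphrase are also embedded in the generated script file the runner writes for the step, which the new shred step does not cover; the usual fix is to pass them through `env:` and reference `$PGP_PRIVATE_KEY` / `$PGP_KEY_PASSPHRASE`, which also keeps an armored key containing shell-special characters from being re-parsed by bash. The redirect `> /tmp/passphrase-file.txt` creates the file under the default umask, so a `umask 077` first keeps both files owner-readable only. `printf '%s\n'` is preferable to `echo` here because it does not interpret backslash sequences or a leading `-` in the value.
```yaml
      - name: Import PGP Private Key
        env:
          PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}"
          PGP_KEY_PASSPHRASE: "${{ secrets.PGP_KEY_PASSPHRASE }}"
        run: |
          umask 077
          printf '%s\n' "$PGP_PRIVATE_KEY" | gpg --dearmor --output /tmp/keyring.gpg
          printf '%s\n' "$PGP_KEY_PASSPHRASE" > /tmp/passphrase-file.txt
```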
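Review bot: The new cleanup step in the second hunk runs under `if: always()`, but `shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt` exits non-zero when either file is absent (for example when the import step failed before writing them, or the job was cancelled earlier), so the cleanup step itself then fails and adds noise to an already-failed job. Guarding each path keeps the intent while tolerating a missing file: `run: |`, `for f in /tmp/keyring.gpg /tmp/passphrase-file.txt; do`, `if [ -e "$f" ]; then shred --remove=wipesync "$f"; fi; done`. It is also worth a comment on the step that the overwrite is best-effort — on journaling or copy-on-write filesystems shred cannot guarantee the old blocks are gone, and the removal plus the runner's ephemeral disk are what actually bound the exposure — so that nobody reads the step name as a stronger guarantee than it gives.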