diff --git a/tools/deploy.bash b/tools/deploy.bash
new file mode 100755
index 0000000..a72089d
--- /dev/null
+++ b/tools/deploy.bash
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if (( $# != 1 )); then
+    echo "usage: deploy.bash IMAGE" >&2
+    exit 1
+fi
+
+image="$1"
+
+if [[ -z "${DEPLOY_SSH_PRIVATE_KEY:-}" ]]; then
+    DEPLOY_SSH_PRIVATE_KEY="$(base64 < "${DEPLOY_SSH_PUBLIC_KEY_FILE%.pub}")"
+fi
+
+: ${DOCKER_REPO}
+: ${DOMAIN}
+
+tmpdir="$(mktemp -d)"
+
+function cleanup {
+    rm -rf "${tmpdir}"
+}
+
+trap cleanup EXIT
+
+base64 -d <<< "${DEPLOY_SSH_PRIVATE_KEY}" > "${tmpdir}/id"
+chmod go-rwx "${tmpdir}/id"
+
+ssh -o IdentitiesOnly=yes \
+    -o StrictHostKeyChecking=no \
+    -o UserKnownHostsFile=/dev/null \
+    -i "${tmpdir}/id" "deploy@${DOMAIN}" "${image}"
diff --git a/tools/publish.bash b/tools/publish.bash
index ba196af..6137750 100755
--- a/tools/publish.bash
+++ b/tools/publish.bash
@@ -7,6 +7,7 @@ set -euo pipefail
 : ${S3_BUCKET}
 
 if [[ -z "${DEPLOY_SSH_PRIVATE_KEY:-}" ]]; then
+    : ${DEPLOY_SSH_PUBLIC_KEY_FILE}
     DEPLOY_SSH_PRIVATE_KEY="$(base64 < "${DEPLOY_SSH_PUBLIC_KEY_FILE%.pub}")"
 fi
 
@@ -35,10 +36,4 @@ image="${DOCKER_REPO}:app-${sha}"
 docker tag "${DOCKER_REPO}:app" "${image}"
 docker push "${image}"
 
-base64 -d <<< "${DEPLOY_SSH_PRIVATE_KEY}" > "${tmpdir}/id"
-chmod go-rwx "${tmpdir}/id"
-
-ssh -o IdentitiesOnly=yes \
-    -o StrictHostKeyChecking=no \
-    -o UserKnownHostsFile=/dev/null \
-    -i "${tmpdir}/id" "deploy@${DOMAIN}" "${image}"
+exec tools/deploy.bash "${image}"