diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 714865b7b2bad6e513c8a32e41711f0ff3534aef..a67090d1a25ff60bcccb88e4f56106eeb3854eca 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,9 +4,9 @@ variables:
   TEMPLATES_SHA: *templates_sha
   FDO_UPSTREAM_REPO: gfx-ci/linux
   DEBIAN_DISTRO: bookworm
+  S3_JWT_FILE: /s3_jwt
   S3_HOST: s3.freedesktop.org
 
-
 include:
   - project: 'freedesktop/ci-templates'
     ref: *templates_sha
@@ -44,17 +44,23 @@ build-kernel:
     - .debian-image
   tags:
     - packet.net
+  id_tokens:
+    S3_JWT:
+      aud: https://s3.freedesktop.org
   before_script:
+    - echo -n "${S3_JWT}" > "${S3_JWT_FILE}" && unset CI_JOB_JWT S3_JWT  # Unsetting vulnerable env variables
     - export PATH="/usr/lib/ccache:$PATH"
     - export CCACHE_BASEDIR="$PWD"
     - export CCACHE_DIR="$PWD/ccache"
     - export CCACHE_COMPILERCHECK=content
     - ccache --show-stats || true
+  script:
+    - .gitlab-ci/build.sh
   after_script:
+    - set +x
+    - test -e "${S3_JWT_FILE}" && export S3_JWT="$(<${S3_JWT_FILE})" && rm "${S3_JWT_FILE}"
     - export CCACHE_DIR="$PWD/ccache"
     - ccache --show-stats
-  script:
-    - .gitlab-ci/build.sh
   artifacts:
     name: $CI_JOB_NAME
     paths:
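Review bot: The token file written in `before_script` is created with the shell's default umask, so on a typical image it is likely readable by every user in the container; creating it under a restrictive mask would close that, e.g. `- (umask 077 && echo -n "${S3_JWT}" > "${S3_JWT_FILE}") && unset CI_JOB_JWT S3_JWT`. The new `after_script` line also exports `S3_JWT` back into the environment just before `ccache --show-stats`, and nothing visible in this hunk uses it there. If the intent is only cleanup, `- rm -f "${S3_JWT_FILE}"` removes the file without restoring the token to the environment, and it does not return non-zero when the file is missing. `set +x` is added only to `after_script`; if shell tracing can be enabled for this job, the `echo` in `before_script` would expand the token into the job log, so that line may need the same guard.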
diff --git a/.gitlab-ci/build.sh b/.gitlab-ci/build.sh
index 485f7176a4f69cbf4a4b79e83b0c86818a0284fc..b1ed73f24d27d5646954e26c774e248e4d5792ac 100755
--- a/.gitlab-ci/build.sh
+++ b/.gitlab-ci/build.sh
@@ -121,7 +121,7 @@ if [ "${KERNEL_ARCH}" != "x86_64" ]; then
 fi
 
 for f in "${FILES_TO_UPLOAD[@]}"; do
-  ci-fairy s3cp --token "${CI_JOB_JWT:?}" "$f" "https://${S3_PATH}/$(basename -a "$f")"
+  ci-fairy s3cp --token-file "${S3_JWT_FILE}" "$f" "https://${S3_PATH}/$(basename -a "$f")"
 done
 
 git clean --quiet -fdx -e 'ccache/' -e '.config' -e 'defconfig' -e 'modules.tar.zst' -e 'kernels/' -e 'dtbs/'
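Review bot: The replacement line in the upload loop drops the `:?` guard that the old `"${CI_JOB_JWT:?}"` had, so an unset or empty `S3_JWT_FILE` now reaches `ci-fairy s3cp` as an empty `--token-file` argument instead of stopping the script with a clear message. Keeping the guard preserves the fail-fast behaviour: `ci-fairy s3cp --token-file "${S3_JWT_FILE:?}" "$f" "https://${S3_PATH}/$(basename -a "$f")"`. A short comment above the loop such as `# token is read from a file so it never appears in argv or the environment` would record why the flag changed. The rest of build.sh is outside this hunk.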