diff --git a/renovate/renovate-cronjob.yaml b/renovate/renovate-cronjob.yaml
index fdf8ee8..ac1dc35 100644
--- a/renovate/renovate-cronjob.yaml
+++ b/renovate/renovate-cronjob.yaml
@@ -27,6 +27,11 @@ spec:
                     secretKeyRef:
                       key: github-com-pat
                       name: renovate-github-com-token
+                - name: RENOVATE_GIT_PRIVATE_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      key: ssh-key
+                      name: renovate-ssh-key
                 - name: RENOVATE_AUTODISCOVER
                   value: 'false'
                 - name: RENOVATE_BASE_DIR
diff --git a/renovate/renovate-ssh-key.yaml b/renovate/renovate-ssh-key.yaml
new file mode 100644
index 0000000..419ccdd
--- /dev/null
+++ b/renovate/renovate-ssh-key.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-ssh-key
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: renovate-ssh-key
+    creationPolicy: Owner
+  data:
+    - secretKey: ssh-key
+      remoteRef:
+        key: renovate
+        property: ssh-key
\ No newline at end of file