diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml
index 45407e4..ba8587d 100644
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -136,10 +136,7 @@ jobs:
       - name: Import signing key
         run: |
           echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import
-          cat > ~/.rpmmacros << 'RPMMACROS'
-%_gpg_name ${{ secrets.RPM_SIGNING_KEY_ID }}
-%__gpg_sign_cmd %{__gpg} --batch --no-armor --no-tty --pinentry-mode loopback --passphrase '' %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
-RPMMACROS
+          sed "s/@GPG_NAME@/${{ secrets.RPM_SIGNING_KEY_ID }}/" rpm/rpmmacros > ~/.rpmmacros
 
       - name: Sign and publish
         run: ./script/publish-repo.sh rpms/
diff --git a/rpm/rpmmacros b/rpm/rpmmacros
new file mode 100644
index 0000000..6b23b9a
--- /dev/null
+++ b/rpm/rpmmacros
@@ -0,0 +1,2 @@
+%_gpg_name @GPG_NAME@
+%__gpg_sign_cmd %{__gpg} --batch --no-armor --no-tty --pinentry-mode loopback --passphrase '' %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}