diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7ff045b3..b507c4ac 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,16 +1,16 @@
 stages:
   - test
   - build
+  - staging
 
 build:
   stage: build
   image: node:14.5.0
   variables:
-    NODE_OPTIONS: '--max_old_space_size=2048'
+    NODE_OPTIONS: "--max_old_space_size=2048"
   script:
     - cd ./src
-    - npm ci
-    - npm run-script build
+    - make build
   artifacts:
     paths:
       - ./src/dist/dynamicbible
@@ -19,9 +19,19 @@ test:
   stage: test
   image: walljm/node-chrome-headless:14.8.0
   variables:
-    NODE_OPTIONS: '--max_old_space_size=2048'
+    NODE_OPTIONS: "--max_old_space_size=2048"
   script:
     - cd ./src
-    - npm ci
-    - npm run-script lint
-    - npm run-script test-headless
+    - make test
+
+deploy-staging:
+  stage: staging
+  variables:
+    - gcloud_service_account_email
+    - gcloud_service_account_key
+  script:
+    - make deploy-staging
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "master"'
+      when: on_success
+      allow_failure: false
diff --git a/src/Makefile b/src/Makefile
index 6f12376e..27648e66 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -1,17 +1,21 @@
 output := dist/dynamicbible/
 
 test:
+	npm ci
+	npm run-script lint
 	npm run-script test-headless
 
-# For some reason karma is unable to connect to the browser here.
-# I don't want to debug so not using test as a dependency.
-build: test
+build:
+	npm ci
 	npm run-script build
 
-deploy-prod: build
+authorize-service-account:
+	gcloud auth activate-service-account ${gcloud_service_account_email} --key-file=${gcloud_service_account_key} | tee authorize.log
+
+deploy-prod: build authorize-service-account
 	gsutil -m rsync -d -r ${output} gs://dynamicbible.com
 
-deploy-staging: build
+deploy-staging: build authorize-service-account
 	gsutil -m rsync -d -r ${output} gs://staging.dynamicbible.com
 
 update-bucket-configs: gcloud/buckets.yaml
diff --git a/src/gcloud/buckets.yaml b/src/gcloud/buckets.yaml
index 9b6c9ce3..9ac499af 100644
--- a/src/gcloud/buckets.yaml
+++ b/src/gcloud/buckets.yaml
@@ -35,15 +35,11 @@ resources:
           role: WRITER
         - entity: "project-viewers-dynamicbible-7c6cf"
           role: READER
+        - entity: "user-$(ref.gitlab-service-account.email)"
+          role: WRITER
       defaultObjectAcl:
         - entity: allUsers
           role: READER
-      accessControl:
-        gcpIamPolicy:
-          bindings:
-            - role: roles/dynamicbible_publish
-              members:
-                - "serviceAccount:$(ref.gitlab-service-account.email)"
   - name: gitlab-service-account
     type: iam.v1.serviceAccount
     properties: