diff --git a/scripts/deploy/01_deploy_bigbang.sh b/scripts/deploy/01_deploy_bigbang.sh
index aa124ba052a8a7e6ca2e24215ec5c100b5157204..42cd80b23b583a9cba74647c771c888e87ec81fe 100755
--- a/scripts/deploy/01_deploy_bigbang.sh
+++ b/scripts/deploy/01_deploy_bigbang.sh
@@ -37,19 +37,27 @@ helm upgrade -i bigbang chart -n bigbang --create-namespace \
 # otherwise use *.bigbang.dev
 if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
   # apply secrets kustomization pointing to current branch
-  echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
-  if [ -z "$CI_COMMIT_TAG" ]; then
+  if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
+    echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
+    kubectl apply -f tests/ci/keycloak.yaml
+  elif [ -z "$CI_COMMIT_TAG" ]; then
+    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
     cat tests/ci/keycloak.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
   else
+    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
     # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
     cat tests/ci/keycloak.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
   fi
 else
-  # apply secrets kustomization pointing to current branch
-  echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
-  if [ -z "$CI_COMMIT_TAG" ]; then
+  # apply secrets kustomization pointing to current branch or master if an upgrade job
+  if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
+    echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
+    kubectl apply -f tests/ci/shared-secrets.yaml
+  elif [ -z "$CI_COMMIT_TAG" ]; then
+    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
     cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
   else
+    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
     # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
     cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
   fi