diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..d7438cc
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,24 @@
+name: Test
+on:
+  pull_request:
+    branches:
+    - master
+  push:
+    branches:
+    - master
+jobs:
+  build:
+    name: Test
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - run: shellcheck *.sh
+    - run: shellcheck ci-deploy/*.sh
+    - uses: actions/checkout@v2
+      with:
+        repository: whatwg/html
+        fetch-depth: 2
+        path: ../html
+    - run: ./ci-deploy/outside-container.sh
+      env:
+        IS_TEST_OF_HTML_BUILD_ITSELF: true
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 51f92c8..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-language: bash
-services:
-  - docker
-
-script:
-  - shellcheck *.sh
-  - shellcheck ci-deploy/*.sh
-  - cd .. &&
-    git clone https://github.com/whatwg/html.git --depth 2 &&
-    IS_TEST_OF_HTML_BUILD_ITSELF=true bash ./html-build/ci-deploy/outside-container.sh
-
-branches:
-  only:
-    - master
-
-notifications:
-  email:
-    on_success: never
-    on_failure: always
diff --git a/ci-deploy/Dockerfile b/ci-deploy/Dockerfile
index 16bd093..f4f68c5 100644
--- a/ci-deploy/Dockerfile
+++ b/ci-deploy/Dockerfile
@@ -1,4 +1,4 @@
-# This Dockerfile is just used to run on Travis CI in an environment that can easily and repeatedly
+# This Dockerfile is just used to run in CI in an environment that can easily and repeatedly
 # install our build dependencies.
 FROM debian:stable
 
@@ -48,9 +48,7 @@ ADD html-build /whatwg/html-build
 # on Docker Hub.
 ENV HTML_SOURCE /whatwg/html
 
-ARG travis_pull_request
 ARG is_test_of_html_build_itself
-ENV TRAVIS_PULL_REQUEST=${travis_pull_request}
 ENV IS_TEST_OF_HTML_BUILD_ITSELF=${is_test_of_html_build_itself}
 
 ENV SKIP_BUILD_UPDATE_CHECK=true
diff --git a/ci-deploy/README.md b/ci-deploy/README.md
index d223f12..0919afe 100644
--- a/ci-deploy/README.md
+++ b/ci-deploy/README.md
@@ -1,6 +1,6 @@
 # HTML Standard CI Deploy
 
-This directory contains files used specifically for deploying the HTML Standard on Travis CI. They are not generally relevant to local builds.
+This directory contains files used specifically for deploying the HTML Standard in CI. They are not generally relevant to local builds.
 
 The setup is assumed to be a directory containing:
 
diff --git a/ci-deploy/deploy-key.enc b/ci-deploy/deploy-key.enc
deleted file mode 100644
index 06f68a8..0000000
Binary files a/ci-deploy/deploy-key.enc and /dev/null differ
diff --git a/ci-deploy/inside-container.sh b/ci-deploy/inside-container.sh
index 15f3e44..ead87c6 100644
--- a/ci-deploy/inside-container.sh
+++ b/ci-deploy/inside-container.sh
@@ -16,9 +16,6 @@ SERVER_PUBLIC_KEY="ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd
 HTML_OUTPUT="$(pwd)/output"
 export HTML_OUTPUT
 
-# Note: $TRAVIS_PULL_REQUEST is either a number or false, not true or false.
-# https://docs.travis-ci.com/user/environment-variables/#Default-Environment-Variables
-TRAVIS_PULL_REQUEST=${TRAVIS_PULL_REQUEST:-false}
 IS_TEST_OF_HTML_BUILD_ITSELF=${IS_TEST_OF_HTML_BUILD_ITSELF:-false}
 
 # Build the spec into the output directory
@@ -33,7 +30,7 @@ unzip vnu.linux.zip
 ./vnu-runtime-image/bin/java -Xmx1g -m vnu/nu.validator.client.SimpleCommandLineValidator --skip-non-html "$HTML_OUTPUT"
 echo ""
 
-if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then
+if [[ "$GITHUB_EVENT_NAME" != "push" || "$GITHUB_REF" != "refs/heads/master" ]]; then
   echo "Skipping deploy for non-master"
   exit 0
 fi
@@ -42,17 +39,14 @@ if [[ "$IS_TEST_OF_HTML_BUILD_ITSELF" == "true" ]]; then
   exit 0
 fi
 
-# Add the (decoded) deploy key to the SSH agent, so scp works
-chmod 600 html/deploy-key
-eval "$(ssh-agent -s)"
-ssh-add html/deploy-key
-echo "$SERVER $SERVER_PUBLIC_KEY" > known_hosts
+# Add the deploy key to the SSH agent, so scp works
+echo "$SERVER_DEPLOY_KEY" | ssh-add -
+mkdir -p ~/.ssh/ && echo "$SERVER $SERVER_PUBLIC_KEY" > ~/.ssh/known_hosts
 
 # Sync, including deletes, but ignoring the stuff we'll deploy below, so that we don't delete them.
 echo "Deploying build output..."
 # --chmod=D755,F644 means read-write for user, read-only for others.
-rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
-      --archive --chmod=D755,F644 --compress --verbose \
+rsync --archive --chmod=D755,F644 --compress --verbose \
       --delete --exclude="$COMMITS_DIR" --exclude="$REVIEW_DIR" \
       --exclude=print.pdf \
       "$HTML_OUTPUT/" "deploy@$SERVER:/var/www/$WEB_ROOT"
@@ -62,8 +56,7 @@ rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
 echo ""
 echo "Deploying Commit Snapshot and Review Drafts, if any..."
 # --chmod=D755,F644 means read-write for user, read-only for others.
-rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
-      --archive --chmod=D755,F644 --compress --verbose \
+rsync --archive --chmod=D755,F644 --compress --verbose \
       "$HTML_OUTPUT/$COMMITS_DIR" "$HTML_OUTPUT/$REVIEW_DIR" "deploy@$SERVER:/var/www/$WEB_ROOT"
 
 echo ""
@@ -77,8 +70,7 @@ pdfsizeopt --v=40 "$PDF_TMP" "$HTML_OUTPUT/print.pdf"
 
 echo ""
 echo "Deploying PDF..."
-rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
-      --archive --compress --verbose \
+rsync --archive --compress --verbose \
       "$HTML_OUTPUT/print.pdf" "deploy@$SERVER:/var/www/$WEB_ROOT/print.pdf"
 
 echo ""
diff --git a/ci-deploy/outside-container.sh b/ci-deploy/outside-container.sh
index 9eeaea2..62605e4 100644
--- a/ci-deploy/outside-container.sh
+++ b/ci-deploy/outside-container.sh
@@ -10,12 +10,10 @@ DOCKER_USERNAME="domenicdenicola"
 DOCKER_HUB_REPO="whatwg/html-deploy"
 
 # Set from the outside:
-TRAVIS_PULL_REQUEST=${TRAVIS_PULL_REQUEST:-false}
 IS_TEST_OF_HTML_BUILD_ITSELF=${IS_TEST_OF_HTML_BUILD_ITSELF:-false}
 
 # When not running pull request builds:
 # - DOCKER_PASSWORD is set from the outside
-# - ENCRYPTION_LABEL is set from the outside
 
 git clone --depth 1 https://github.com/pts/pdfsizeopt.git pdfsizeopt
 
@@ -27,19 +25,8 @@ cp "$HERE"/{.dockerignore,Dockerfile} .
 docker pull "$DOCKER_HUB_REPO:latest"
 docker build --cache-from "$DOCKER_HUB_REPO:latest" \
              --tag "$DOCKER_HUB_REPO:latest" \
-             --build-arg "travis_pull_request=$TRAVIS_PULL_REQUEST" \
              --build-arg "is_test_of_html_build_itself=$IS_TEST_OF_HTML_BUILD_ITSELF" \
              .
-if [[ "$TRAVIS_PULL_REQUEST" == "false" && "$IS_TEST_OF_HTML_BUILD_ITSELF" == "false" ]]; then
-  # Decrypt the deploy key from this script's location into the html/ directory, since that's the
-  # directory that will be shared with the container (but not built into the image).
-  ENCRYPTED_KEY_VAR="encrypted_${ENCRYPTION_LABEL}_key"
-  ENCRYPTED_IV_VAR="encrypted_${ENCRYPTION_LABEL}_iv"
-  ENCRYPTED_KEY=${!ENCRYPTED_KEY_VAR}
-  ENCRYPTED_IV=${!ENCRYPTED_IV_VAR}
-  openssl aes-256-cbc -K "$ENCRYPTED_KEY" -iv "$ENCRYPTED_IV" \
-          -in "$HERE/deploy-key.enc" -out html/deploy-key -d
-fi
 
 # Run the inside-container.sh script, with the html/ directory mounted inside the container.
 echo ""