How is an app's SSH key loaded on to the VM before the cloning process starts?

We store the encrypted SSH key in the website database using AES256-GCM. Whenever a build is triggered, the website backend decrypts the SSH key (the key for this is stored as an Environment Variable) and sends it to the service that is responsible for starting the build jobs on a VM (using TLSv1.2 )