diff --git a/.cirrus.yml b/.cirrus.yml
index 7d84a7702d..1625a120b6 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -48,9 +48,9 @@ env:
   ZEEK_CI_CPUS: *CPUS
   ZEEK_CI_BTEST_JOBS: *BTEST_JOBS
   ZEEK_CI_CONFIGURE_FLAGS: *CONFIG
-  # This is a single-use, read-only GitHub deploy key (SSH private key) for the
-  # zeek-testing-private repository.
-  ZEEK_TESTING_PRIVATE_SSH_KEY: ENCRYPTED[4d924499a9b7428fc5c2faf72c86315c9dd8685561f597a009b935ca8dc102af8fc7e397eacc91bc224315d79cc09158]
+  # This is a single-purpose, read-only GitHub deploy key (SSH private key) for
+  # the zeek-testing-private repository.
+  ZEEK_TESTING_PRIVATE_SSH_KEY: ENCRYPTED[6631d7bf11e6553c531222953fb6de4d4a48a86a5dbc21a97604d5ca1791845718c985d9086f125cead6908e1b5f2b23]
 
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
diff --git a/CHANGES b/CHANGES
index a9e2fe9c06..9fa35de472 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+3.1.0-dev.313 | 2019-12-18 13:23:51 -0800
+
+  * Add Cirrus CI config (Jon Siwek, Corelight)
+
 3.1.0-dev.309 | 2019-12-16 09:40:01 -0800
 
   * GHI-599: avoid memory leak with default pattern matching and json formatting (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 6ec62eaf8b..293be0e778 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.1.0-dev.309
+3.1.0-dev.313
diff --git a/ci/README b/ci/README
new file mode 100644
index 0000000000..c8e89af49c
--- /dev/null
+++ b/ci/README
@@ -0,0 +1,32 @@
+=========================================
+Continuous Integration Configuration Info
+=========================================
+
+The following pointers are aimed at maintainers to help describe a few points
+about the Cirrus CI setup that may not be obvious/intuitive.
+
+Private Test Suite
+------------------
+
+Access to the private test suite is available in CI tasks except in Pull
+Requests from people that do not otherwise have write access to the zeek
+repository on GitHub.  To configure this access for the
+``zeek-testing-private`` repository, it uses a "deploy key" which is a single
+purpose SSH key with read-only permissions.  Here's how it can be set up:
+
+1. ``ssh-keygen -f cirrus-key``
+
+2. Add contents of ``cirrus-key.pub`` as a new key on GitHub:
+   https://github.com/zeek/zeek-testing-private/settings/keys
+
+3. Generate a new Cirrus CI secured variable in the repository settings at
+   https://cirrus-ci.com/github/zeek/zeek.  The value of the secured variable
+   is the base64-encoded private key, and can be obtained from the output of
+   the command: ``base64 cirrus-key``.
+
+4. Take the ``ENCRYPTED[...]``` string generated by Cirrus and use that as the
+   value of ``ZEEK_TESTING_PRIVATE_SSH_KEY`` in ``.cirrus.yml``
+
+5. Delete the local key: ``rm cirrus-key*``
+
+6. Commit/push the changes.