diff --git a/.changeset/provisioner-thirty-nails-drop.md b/.changeset/provisioner-thirty-nails-drop.md
new file mode 100644
index 000000000..ecab74e0a
--- /dev/null
+++ b/.changeset/provisioner-thirty-nails-drop.md
@@ -0,0 +1,5 @@
+---
+"provisioner": patch
+---
+
+fix: Inject 1Password secret for provisioner deploy
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 32215a082..111f095fd 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -19,3 +19,5 @@ jobs:
         uses: actions/checkout@v4
       - uses: ./.github/actions/setup-bazel
       - run: bazel run //provisioner:deploy
+        env:
+          ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD: ${{ secrets.ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ea1a77de1..91dc8392f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,7 +22,7 @@ jobs:
 
   lint:
     name: Lint
-    timeout-minutes: 10
+    timeout-minutes: 20
     runs-on: macos-latest
     steps:
       # # https://docs.github.com/en/actions/learn-github-actions/contexts
diff --git a/provisioner/BUILD.bazel b/provisioner/BUILD.bazel
index 9d0685b1e..6d578636d 100644
--- a/provisioner/BUILD.bazel
+++ b/provisioner/BUILD.bazel
@@ -141,9 +141,7 @@ task(
     cwd = "$BUILD_WORKSPACE_DIRECTORY",
     # Add in all the .github files to the data attribute,
     # so if the github workflows change then we re-run the deployment
-    data = [
-        "//:.github",
-    ],
+    data = glob([".github/**"]),
     env = {
         "SETUP_ENV": "prod",
     },