diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..00b39fdf
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+*.secret filter=git-crypt diff=git-crypt
+*.key filter=git-crypt diff=git-crypt
+*.secret.* filter=git-crypt diff=git-crypt
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 351e2572..8b6209f9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,19 +11,13 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: 1.16
-        id: go
-
       - name: Check out
         uses: actions/checkout@v2
 
       - name: Install Dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y --no-install-recommends shellcheck
+          sudo apt-get install -y --no-install-recommends shellcheck git-crypt
 
           export CUE_VERSION="$(grep cue ./go.mod | cut -d' ' -f2)"
           export CUE_TARBALL="cue_${CUE_VERSION}_linux_amd64.tar.gz"
@@ -32,9 +26,26 @@ jobs:
           curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sudo sh -s -- -b /usr/local/bin v1.23.8
 
           curl -L https://github.com/cuelang/cue/releases/download/${CUE_VERSION}/${CUE_TARBALL} | sudo tar zxf - -C /usr/local/bin
-      - name: Build
+
+      - name: Unlock secrets
+        env:
+          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
         run: |
-          make
+          echo "$GIT_CRYPT_KEY" | base64  -d > /tmp/git-crypt-key
+          git-crypt unlock /tmp/git-crypt-key
+          rm -f /tmp/git-crypt-key
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.16
+        id: go
 
       - name: Lint
         run: |
diff --git a/tests/push-container/main.cue b/tests/push-container/main.cue
new file mode 100644
index 00000000..cb54bdf4
--- /dev/null
+++ b/tests/push-container/main.cue
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"dagger.io/dagger"
+	"dagger.io/alpine"
+)
+
+TestPushContainer: {
+	// Generate a random number
+	random: {
+		string
+		#compute: [
+			dagger.#Load & {from: alpine.#Image},
+			dagger.#Exec & {
+				args: ["sh", "-c", "echo -n $RANDOM > /rand"]
+			},
+			dagger.#Export & {
+				source: "/rand"
+			},
+		]
+	}
+
+	// Push an image with a random tag
+	push: {
+		ref: "daggerio/ci-test:\(random)"
+		#compute: [
+			dagger.#WriteFile & {
+				content: random
+				dest:    "/rand"
+			},
+			dagger.#PushContainer & {
+				"ref": ref
+			},
+		]
+	}
+
+	// Pull the image back
+	pull: #compute: [
+		dagger.#FetchContainer & {
+			ref: push.ref
+		},
+	]
+
+	// Check the content
+	check: #compute: [
+		dagger.#Load & {from: alpine.#Image},
+		dagger.#Exec & {
+			args: [
+				"sh", "-c", #"""
+                test "$(cat /src/rand)" = "\#(random)"
+                """#,
+			]
+			mount: "/src": from: pull
+		},
+	]
+}
diff --git a/tests/test-lib.sh b/tests/test-lib.sh
index 34f5780e..242ee92f 100644
--- a/tests/test-lib.sh
+++ b/tests/test-lib.sh
@@ -130,3 +130,11 @@ test::one(){
 disable(){
   logger::warning "Test \"$2\" has been disabled."
 }
+
+secret(){
+  if [ -z "${DAGGER_SECRETS_LOADED+x}" ] || [ "$DAGGER_SECRETS_LOADED" != "1" ]; then
+    logger::warning "Skip \"$2\": secrets not available"
+  else
+    "$@"
+  fi
+}
diff --git a/tests/test.secret b/tests/test.secret
new file mode 100644
index 00000000..17fca195
Binary files /dev/null and b/tests/test.secret differ
diff --git a/tests/test.sh b/tests/test.sh
index 1b15ae76..8a156e54 100755
--- a/tests/test.sh
+++ b/tests/test.sh
@@ -6,6 +6,11 @@ readonly d=$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)
 # shellcheck source=/dev/null
 . "$d/test-lib.sh"
 
+# shellcheck source=/dev/null
+if grep -q "DAGGER_SECRETS" "$d/test.secret"; then
+    source "$d/test.secret"
+fi
+
 # Point this to your dagger binary
 readonly DAGGER_BINARY="${DAGGER_BINARY:-$d/../cmd/dagger/dagger}"
 # The default arguments are a no-op, but having "anything" is a little cheat necessary for "${DAGGER_BINARY_ARGS[@]}" to not be empty down there
@@ -79,6 +84,13 @@ test::fetchcontainer(){
       "$dagger" "${DAGGER_BINARY_ARGS[@]}" compute "$d"/fetch-container/nonexistent/image-with-valid-digest
 }
 
+test::pushcontainer(){
+  local dagger="$1"
+
+  secret test::one "PushContainer: simple"       --exit=0 \
+      "$dagger" "${DAGGER_BINARY_ARGS[@]}" compute "$d"/push-container
+}
+
 test::fetchgit(){
   local dagger="$1"
 
@@ -194,7 +206,6 @@ test::local(){
   disable "" "There are no local tests right now (the feature is possibly not functioning at all: see https://github.com/blocklayerhq/dagger/issues/41)"
 }
 
-
 test::mount(){
   test::one "Mount: tmpfs" --exit=0 \
       "$dagger" "${DAGGER_BINARY_ARGS[@]}" compute "$d"/mounts/valid/tmpfs
@@ -244,6 +255,7 @@ test::all(){
   test::local "$dagger"
   test::compute "$dagger"
   test::fetchcontainer "$dagger"
+  test::pushcontainer "$dagger"
   test::fetchgit "$dagger"
   test::exec "$dagger"
   test::export "$dagger"