diff --git a/environment/pipeline.go b/environment/pipeline.go
index ceea712f..ff947a0b 100644
--- a/environment/pipeline.go
+++ b/environment/pipeline.go
@@ -494,17 +494,11 @@ func (p *Pipeline) mount(ctx context.Context, dest string, mnt *compiler.Value)
 	}
 	// eg. mount: "/foo": secret: mysecret
 	if secret := mnt.Lookup("secret"); secret.Exists() {
-		if !secret.HasAttr("secret") {
-			return nil, fmt.Errorf("invalid secret %q: not a secret", secret.Path().String())
-		}
-		idValue := secret.Lookup("id")
-		if !idValue.Exists() {
-			return nil, fmt.Errorf("invalid secret %q: no id field", secret.Path().String())
-		}
-		id, err := idValue.String()
+		id, err := getSecretID(secret)
 		if err != nil {
-			return nil, fmt.Errorf("invalid secret id: %w", err)
+			return nil, err
 		}
+
 		return llb.AddSecret(dest,
 			llb.SecretID(id),
 			llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask)
@@ -779,6 +773,21 @@ func (p *Pipeline) PushContainer(ctx context.Context, op *compiler.Value, st llb
 	return st, err
 }
 
+func getSecretID(secretField *compiler.Value) (string, error) {
+	if !secretField.HasAttr("secret") {
+		return "", fmt.Errorf("invalid secret %q: not a secret", secretField.Path().String())
+	}
+	idValue := secretField.Lookup("id")
+	if !idValue.Exists() {
+		return "", fmt.Errorf("invalid secret %q: no id field", secretField.Path().String())
+	}
+	id, err := idValue.String()
+	if err != nil {
+		return "", fmt.Errorf("invalid secret id: %w", err)
+	}
+	return id, nil
+}
+
 func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) {
 	remote, err := op.Lookup("remote").String()
 	if err != nil {
@@ -796,9 +805,7 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
 
 	gitOpts := []llb.GitOption{}
 	var opts struct {
-		AuthTokenSecret  string
-		AuthHeaderSecret string
-		KeepGitDir       bool
+		KeepGitDir bool
 	}
 
 	if err := op.Decode(&opts); err != nil {
@@ -808,11 +815,20 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
 	if opts.KeepGitDir {
 		gitOpts = append(gitOpts, llb.KeepGitDir())
 	}
-	if opts.AuthTokenSecret != "" {
-		gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthTokenSecret))
+	// Secret
+	if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() {
+		id, err := getSecretID(authTokenSecret)
+		if err != nil {
+			return st, err
+		}
+		gitOpts = append(gitOpts, llb.AuthTokenSecret(id))
 	}
-	if opts.AuthHeaderSecret != "" {
-		gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthHeaderSecret))
+	if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() {
+		id, err := getSecretID(authHeaderSecret)
+		if err != nil {
+			return st, err
+		}
+		gitOpts = append(gitOpts, llb.AuthHeaderSecret(id))
 	}
 
 	gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref)))
diff --git a/stdlib/dagger/op/op.cue b/stdlib/dagger/op/op.cue
index 44c2f7dd..3ca37b04 100644
--- a/stdlib/dagger/op/op.cue
+++ b/stdlib/dagger/op/op.cue
@@ -87,8 +87,8 @@ package op
 	ref:         string
 	keepGitDir?: bool
 	// FIXME: the two options are currently ignored until we support buildkit secrets
-	authTokenSecret?:  string | bytes
-	authHeaderSecret?: string | bytes
+	authTokenSecret?:  _ @dagger(secret)
+	authHeaderSecret?: _ @dagger(secret)
 }
 
 #FetchHTTP: {