diff --git a/.semaphore/push_images.yml b/.semaphore/push_images.yml index 7299c93cae..bc9b62308d 100644 --- a/.semaphore/push_images.yml +++ b/.semaphore/push_images.yml @@ -10,22 +10,29 @@ global_job_config: - name: oss-release-secrets # Mount the github SSH secret for pulling private repositories. - name: private-repo + - name: secret-manager-gcloud-credentials prologue: commands: - - echo $DOCKERHUB_PASSWORD | docker login --username "$DOCKERHUB_USERNAME" --password-stdin # Correct permissions since they are too open by default: - chmod 0600 ~/.keys/* # Add the key to the ssh agent: - ssh-add ~/.keys/* - # Free up some space - - sudo rm -rf ~/.kiex ~/.phpbrew ~/.rbenv ~/.nvm ~/.kerl - # Semaphore mounts a copy-on-write FS as /var/lib/docker in order to provide a pre-loaded cache of - # some images. However, the cache is not useful to us and the copy-on-write FS is a big problem given - # how much we churn docker containers during testing. Disable it. - - sudo systemctl stop docker - - sudo umount /var/lib/docker && sudo killall qemu-nbd || true - - sudo systemctl start docker + + # Clone our secret tool from Github and install it + - git config --global url."ssh://git@github.com/".insteadOf "https://github.com/" + - export GOPRIVATE="github.com/tigera/*,github.com/danudey/*" + - git clone -b add-secret-tool-properly git@github.com:danudey/go-tools.git go-tools + - cd go-tools && go install -v ./cmd/secret-tool + + # Add default GOBIN to our path + - export PATH=$HOME/go/bin:$PATH + + # Log into docker hub (we log into quay.io later for some reason) + - secret-tool fetch-secret DOCKERHUB_PASSWORD | docker login --username $(secret-tool fetch-secret DOCKERHUB_USERNAME) --password-stdin + + # Checkout our code - checkout + # Restore all the build specific caches - 'cache restore bin-amd64-${SEMAPHORE_GIT_SHA}' - 'cache restore go-pkg-cache-amd64-${SEMAPHORE_GIT_SHA}' 
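Review bot: The prologue builds `secret-tool` from an unpinned branch of a personal fork, `git clone -b add-secret-tool-properly git@github.com:danudey/go-tools.git`, and then runs it with the credentials mounted just above (presumably the `secret-manager-gcloud-credentials` secret), so whatever that branch contains at job time handles every secret this pipeline fetches; pin it to a commit, e.g. `cd go-tools && git checkout <PINNED_COMMIT_SHA>` (placeholder) before `go install`, or install a tagged release from the organisation's own repository. The rewritten Docker Hub login also loses the quoting the removed line had: `--username $(secret-tool fetch-secret DOCKERHUB_USERNAME)` is subject to word splitting and should read `--username "$(secret-tool fetch-secret DOCKERHUB_USERNAME)"`; the quay.io login in the next hunk has the same unquoted substitution. A failed `secret-tool fetch-secret` on the left of the pipe is not what fails the step either — `docker login` is, after being fed an empty password — so the job's error will point at Docker rather than at the secret lookup; a preceding `secret-tool fetch-secret DOCKERHUB_PASSWORD > /dev/null` would surface the real cause. The removal of the disk-cleanup and `/var/lib/docker` remount commands is unrelated to the secret handling and would be easier to review as its own commit.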
@@ -48,7 +55,8 @@ blocks: - name: operator-redhat-connect prologue: commands: - - docker login -u="$QUAY_USERNAME" -p="$QUAY_TOKEN" quay.io; + # Sign in to quay.io using fetched secrets + - secret-tool fetch-secret QUAY_TOKEN | docker login --username $(secret-tool fetch-secret QUAY_USERNAME) --password-stdin quay.io - export BRANCH_NAME=$SEMAPHORE_GIT_BRANCH jobs: - name: Build diff --git a/Makefile b/Makefile index 03b8ce174d..a10452a0cd 100644 --- a/Makefile +++ b/Makefile @@ -11,6 +11,13 @@ define yq_cmd endef YQ_V4 = $(call yq_cmd,4) +define get-secret +$(shell echo "[secret] Fetching secret $1" > /dev/stderr; secret-tool fetch-secret $1) +endef + +# These secrets should be lazily-loaded when accessed +GITHUB_TOKEN = $(call get-secret,GITHUB_TOKEN) + GIT_CMD = git CURL_CMD = curl -fL @@ -480,9 +487,9 @@ endif maybe-build-release: ./hack/maybe-build-release.sh -release-notes: var-require-all-VERSION-GITHUB_TOKEN clean +release-notes: var-require-all-VERSION clean @docker build -t tigera/release-notes -f build/Dockerfile.release-notes . - @docker run --rm -v $(CURDIR):/workdir -e GITHUB_TOKEN=$(GITHUB_TOKEN) -e VERSION=$(VERSION) tigera/release-notes + @docker run --rm -v $(CURDIR):/workdir -e GITHUB_TOKEN=$(GITHUB_TOKEN) -e VERSION=$(VERSION) tigera/release-notes ## Tags and builds a release from start to finish. release: release-prereqs
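Review bot: `GITHUB_TOKEN = $(call get-secret,GITHUB_TOKEN)` is recursively expanded, so it is not loaded lazily once as the comment says but re-run on every `$(GITHUB_TOKEN)` reference, spawning `secret-tool` and printing `[secret] Fetching secret` each time; it also overrides any `GITHUB_TOKEN` already present in the caller's environment, which the previous `var-require-all-VERSION-GITHUB_TOKEN` flow relied on. Consider `GITHUB_TOKEN ?= $(eval GITHUB_TOKEN := $(call get-secret,GITHUB_TOKEN))$(GITHUB_TOKEN)`, which honours an exported value, fetches on first use only and then caches the result as a simple variable. Inside `get-secret`, `$1` reaches the shell unquoted in the `secret-tool` call; `secret-tool fetch-secret "$1"` keeps a name containing shell-special characters intact. Note too that a failing `$(shell …)` (tool missing or not authenticated) yields an empty string with only a stderr message, so callers must not assume the token is non-empty — see the `release-notes` hunk below.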
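Review bot: Dropping `GITHUB_TOKEN` from the `var-require-all-` prerequisite removes the only guard against an empty token: when `secret-tool` is missing or unauthenticated, `get-secret` expands to an empty string and the recipe still runs `docker run … -e GITHUB_TOKEN=` with nothing in it, failing later inside the container with a less obvious error. Since `GITHUB_TOKEN` is now a recursively expanded variable, the check can stay as `release-notes: var-require-all-VERSION-GITHUB_TOKEN clean` and will only trigger the fetch when this target is actually built, which is what the lazy-load comment in the earlier hunk intends; I am assuming `var-require-all-` expands the named variables — confirm against its rule, which is outside this diff. The removed and re-added `@docker run` lines read identically here, so that part of the change is presumably whitespace only and worth mentioning in the commit message.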