diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 7cabe43..4d65774 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -24,6 +24,11 @@ jobs:
     - name: build
       run: NIXPKGS_ALLOW_UNFREE=1 nix build --impure
 
+    - name: set up test secret
+      run: |
+        mv ./tests/test-secret ./tests/test-secret.bak
+        echo -n "${{ secrets.NABALU_ENROLL_SECRET }}" | tee ./tests/test-secret
+
     - name: check flake (runs tests)
       run: NIXPKGS_ALLOW_UNFREE=1 nix flake check --impure --log-format internal-json
       timeout-minutes: 15
@@ -54,3 +59,7 @@ jobs:
 
     - name: osqueryd version
       run: ./result/bin/osqueryd --version
+
+    - name: cleanup
+      if: always()
+      run: mv ./tests/test-secret.bak ./tests/test-secret
diff --git a/tests/kolide-launcher.nix b/tests/kolide-launcher.nix
index 044d7ea..f4d6132 100644
--- a/tests/kolide-launcher.nix
+++ b/tests/kolide-launcher.nix
@@ -47,17 +47,15 @@ pkgs.nixosTest {
     ''
       machine.start()
 
-      # TODO: currently launcher will shut itself down if its secret file doesn't exist,
-      # so we don't get all the way through setup and launcher doesn't stay running.
-      # In the future, we'll want to validate setup and that the service is running.
-
-      with subtest("kolide-launcher service starts"):
-        machine.wait_for_unit("kolide-launcher.service")
-        machine.sleep(10)
+      with subtest("set up secret file"):
         machine.systemctl("stop kolide-launcher.service")
+        machine.copy_from_host("${./test-secret}", "/etc/kolide-k2/secret")
+        machine.systemctl("start kolide-launcher.service")
 
-      with subtest("launcher set up correctly"):
+      with subtest("launcher service runs and is set up correctly"):
+        machine.wait_for_unit("kolide-launcher.service")
         machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/debug.json")
+        machine.sleep(20)
 
       with subtest("get a screenshot"):
         machine.wait_for_unit("display-manager.service")
diff --git a/tests/test-secret b/tests/test-secret
new file mode 100644
index 0000000..3263943
--- /dev/null
+++ b/tests/test-secret
@@ -0,0 +1 @@
+test-secret
\ No newline at end of file