diff --git a/adbc_drivers_dev/templates/dev_issues.yaml b/adbc_drivers_dev/templates/dev_issues.yaml
index 8dce90f..6513e89 100644
--- a/adbc_drivers_dev/templates/dev_issues.yaml
+++ b/adbc_drivers_dev/templates/dev_issues.yaml
@@ -38,7 +38,7 @@ jobs:
     permissions:
       issues: write
     if: github.event.comment.body == 'take'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     steps:
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
diff --git a/adbc_drivers_dev/templates/dev_pr.yaml b/adbc_drivers_dev/templates/dev_pr.yaml
index bb4eca2..263901a 100644
--- a/adbc_drivers_dev/templates/dev_pr.yaml
+++ b/adbc_drivers_dev/templates/dev_pr.yaml
@@ -44,7 +44,7 @@ permissions:
 jobs:
   pr_standard:
     name: "Check PR"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
diff --git a/adbc_drivers_dev/templates/test.yaml b/adbc_drivers_dev/templates/test.yaml
index 8a563dd..85e9174 100644
--- a/adbc_drivers_dev/templates/test.yaml
+++ b/adbc_drivers_dev/templates/test.yaml
@@ -273,6 +273,12 @@ jobs:
 
       - name: Validate
         if: runner.os == 'Linux'
+<% if secrets["validate"] %>
+        env:
+<% for name, val in secrets["validate"].items() %>
+          <{name}>: ${{ secrets.<{val}> }}
+<% endfor %>
+<% endif %>
         working-directory: go
         run: |
           set -a
@@ -361,9 +367,9 @@ jobs:
 
       - name: Build Library
         working-directory: go
-<% if secrets and "build" in secrets %>
+<% if secrets["build:release"] %>
         env:
-<% for name, val in secrets["build"].items() %>
+<% for name, val in secrets["build:release"].items() %>
           <{name}>: ${{ secrets.<{val}> }}
 <% endfor %>
 <% endif %>
diff --git a/adbc_drivers_dev/workflow.py b/adbc_drivers_dev/workflow.py
index 1227d6a..5374c76 100644
--- a/adbc_drivers_dev/workflow.py
+++ b/adbc_drivers_dev/workflow.py
@@ -40,7 +40,6 @@
 # TOML does not support nulls
 MORE_DEFAULTS = {
     "environment": None,
-    "secrets": {},
 }
 
 
@@ -91,6 +90,28 @@ def generate_workflows(args) -> int:
 
     workflows = args.repository / ".github/workflows"
 
+    secrets = {
+        "build:release": {},
+        "test": {},
+        "validate": {},
+    }
+
+    if "secrets" in params:
+        defined_secrets = params.pop("secrets")
+
+        for secret, secret_value in defined_secrets.items():
+            if isinstance(secret_value, str):
+                for context in secrets:
+                    secrets[context][secret] = secret_value
+            elif isinstance(secret_value, dict):
+                name = secret_value["secret"]
+                for scope in secret_value.get("contexts", secrets.keys()):
+                    secrets[scope][secret] = name
+            else:
+                raise TypeError(
+                    f"Secret {secret} must be a string or mapping, not {type(secret_value)}"
+                )
+
     if params["lang"].get("go"):
         template = env.get_template("test.yaml")
         write_workflow(
@@ -99,6 +120,7 @@ def generate_workflows(args) -> int:
             "go_test.yaml",
             {
                 **params,
+                "secrets": secrets,
                 "pull_request_trigger_paths": [".github/workflows/go_test.yaml"],
                 "release": False,
                 "workflow_name": "Test",
@@ -110,6 +132,7 @@ def generate_workflows(args) -> int:
             "go_release.yaml",
             {
                 **params,
+                "secrets": secrets,
                 "pull_request_trigger_paths": [".github/workflows/go_release.yaml"],
                 "release": True,
                 "workflow_name": "Release",