diff --git a/.gitea/workflows/test.yaml b/.gitea/workflows/test.yaml index 93e259a..0bf32de 100644 --- a/.gitea/workflows/test.yaml +++ b/.gitea/workflows/test.yaml @@ -10,10 +10,10 @@ on: jobs: tests: - runs-on: ubuntu-latest - container: - image: gitea/runner-images:ubuntu-latest - + strategy: + matrix: + arch: ['ubuntu-latest', 'darwin-amd64'] + runs-on: ${{ matrix.arch }} steps: - name: Checkout uses: actions/checkout@v4 @@ -24,12 +24,15 @@ jobs: go-version-file: 'go.mod' - name: Setup Hashicorp Vault + if: matrix.arch == 'ubuntu-latest' run: | wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list apt-get update && apt-get -y install vault - name: Start Vault in background + env: + VAULT_SKIP_VERIFY: "true" run: | # Start Vault server in background echo "🔐 Starting Hashicorp Vault development server" @@ -37,9 +40,6 @@ jobs: VAULT_PID=$! echo $VAULT_PID > vault.pid - # Self-signed certificate for dev server - export VAULT_SKIP_VERIFY=true - sleep 3 if ! vault status; then echo "❌ Vault failed to start. Logs ($(wc -l vault.log) lines):" 
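Review bot: Dropping `container:` in the first hunk means the job's isolation now depends on how each runner maps its label, and a `darwin-amd64` runner presumably executes steps directly on the host. On such a runner the Vault dev server, `vault.pid` and `vault.log` written by later steps stay in a workspace that may outlive the job, so state the expectation above `strategy:`, e.g. `# darwin-amd64 runs on the host: no container isolation, later steps must clean up`. The matrix key `arch` actually carries runner labels; `runner` would be more accurate, with `matrix.arch` in the later `if:` renamed to match. Also check the ubuntu leg: the Vault setup step calls `apt-get` without `sudo` while the lines above it use `sudo`, which only works if the step still runs as root.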
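Review bot: The `if: matrix.arch == 'ubuntu-latest'` guard in the second hunk leaves the `darwin-amd64` leg with no step that installs Vault, while "Start Vault in background" still runs on both legs. That leg uses whatever `vault` binary is already on the runner's PATH, at a version the workflow does not control, or fails late if none is present. Add a darwin install step or fail early at the top of the start script with `command -v vault >/dev/null || { echo "vault is not installed on this runner"; exit 1; }`. The new `VAULT_SKIP_VERIFY: "true"` entry also lost the explanation that the removed shell comment gave; put `# dev server uses a self-signed certificate (CI only)` above it. The start step's script continues outside this hunk.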
@@ -50,13 +50,15 @@ jobs: echo "✅ Vault started successfully with PID: $VAULT_PID" - name: Setup Vault test data + env: + TEST_VAULT_KEY: ${{ vars.TEST_VAULT_KEY }} + TEST_VAULT_VALUE: ${{ vars.TEST_VAULT_VALUE }} + VAULT_TOKEN: root + VAULT_SKIP_VERIFY: "true" run: | - # Self-signed certificate for dev server - export VAULT_SKIP_VERIFY=true - # Populate our test secrets echo "🔐 Populating test secrets:" - vault kv put ${{vars.TEST_VAULT_KEY}} data="${{vars.TEST_VAULT_VALUE}}" + vault kv put "${TEST_VAULT_KEY}" data="${TEST_VAULT_VALUE}" # Populate our test transit backend with key echo "🔐 Populating test transit backend:" @@ -67,11 +69,12 @@ jobs: run: go vet -v ./... - name: Test + env: + TEST_VAULT_KEY: ${{ vars.TEST_VAULT_KEY }} + TEST_VAULT_VALUE: ${{ vars.TEST_VAULT_VALUE }} + VAULT_TOKEN: root + VAULT_SKIP_VERIFY: "true" run: | - VAULT_SKIP_VERIFY=${{vars.VAULT_SKIP_VERIFY}} \ - TEST_VAULT_VALUE="${{vars.TEST_VAULT_VALUE}}" \ - TEST_VAULT_KEY="${{vars.TEST_VAULT_KEY}}" \ - VAULT_TOKEN="root" \ go test -v ./... - name: Stop Vault (always run)
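Review bot: `vault kv put "${TEST_VAULT_KEY}" data="${TEST_VAULT_VALUE}"` in the "Setup Vault test data" hunk still runs when the repository variables are undefined, because `${{ vars.TEST_VAULT_KEY }}` then expands to an empty string and the step fails with a Vault usage error instead of a clear message. Add `: "${TEST_VAULT_KEY:?TEST_VAULT_KEY is not set}"` and the same line for `TEST_VAULT_VALUE` before the call. The Vault CLI reads a value that begins with `@` from a file, so a comment such as `# TEST_VAULT_VALUE must be a literal, not an @file reference` belongs next to the variable. The step's script continues past the end of the hunk.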
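Review bot: `VAULT_SKIP_VERIFY: "true"` is now hard-coded in the Test step, where the old script took it from `vars.VAULT_SKIP_VERIFY`, so that repository variable no longer has any effect and `go test` always runs with TLS verification off. If that is intended, say so with `# dev server only: self-signed certificate, verification disabled on purpose` and remove the unused variable from the repository settings. No `VAULT_ADDR` appears in the visible lines; if it is inherited from the runner environment, `VAULT_TOKEN: root` with verification disabled applies to whatever server it names, so set `VAULT_ADDR` explicitly to the dev server's address. The same four-entry `env:` block is repeated on "Setup Vault test data" and could be declared once.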