diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..50cff2f
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,36 @@
+on: push
+
+jobs:
+  secret-generator:
+    runs-on: ubuntu-latest
+    outputs:
+      handle: ${{ steps.generate-secret.outputs.handle }}
+    steps:
+    - uses: some/secret-store@27b31702a0e7fc50959f5ad993c78deac1bdfc29
+      with:
+        credentials: ${{ secrets.SECRET_STORE_CREDENTIALS }}
+        instance: ${{ secrets.SECRET_STORE_INSTANCE }}
+    - name: generate secret
+      id: generate-secret
+      shell: bash
+      run: |
+        GENERATED_SECRET=$((RANDOM))
+        echo "::add-mask::$GENERATED_SECRET"
+        SECRET_HANDLE=$(secret-store store-secret "$GENERATED_SECRET")
+        echo "handle=$SECRET_HANDLE" >> "$GITHUB_OUTPUT"
+  secret-consumer:
+    runs-on: macos-latest
+    needs: secret-generator
+    steps:
+    - uses: some/secret-store@27b31702a0e7fc50959f5ad993c78deac1bdfc29
+      with:
+        credentials: ${{ secrets.SECRET_STORE_CREDENTIALS }}
+        instance: ${{ secrets.SECRET_STORE_INSTANCE }}
+    - name: use secret
+      shell: bash
+      run: |
+        SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"
+        RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
+        echo "::add-mask::$RETRIEVED_SECRET"
+        echo "We retrieved our masked secret: $RETRIEVED_SECRET"
+concurrency: