diff --git a/.github/workflows/ta-ci.yaml b/.github/workflows/ta-ci.yaml
index a7df82ba..d25821df 100644
--- a/.github/workflows/ta-ci.yaml
+++ b/.github/workflows/ta-ci.yaml
@@ -16,11 +16,14 @@ permissions:
 jobs:
   build:
     name: Rust CI
-    uses: worldcoin/orb-rustzone/.github/workflows/ta.yaml@main
+    uses: worldcoin/orb-rustzone/.github/workflows/ta.yaml@ryanbutler-orbs-1219-ta-signing-in-ci
     with:
       target_env: stage
       source: ${{ github.sha }}
       cargo_profile: artifact
-    secrets:
+    permissions: write-all
+    secrets: 
       GIT_HUB_TOKEN: ${{ secrets.ORB_GIT_HUB_TOKEN }}
       CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      YEET_TEST: ${{ secrets.YEET_TEST }}
+      AWS_ROLE: ${{ secrets.AWS_ROLE }}
diff --git a/.gitignore b/.gitignore
index 3674eaa1..79b6b093 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,9 @@ result
 result-devkit
 .envrc
 
+# Python stuff
+__pycache__
+
 # Used by build.rs
 /git_version
 
diff --git a/xtask/optee/src/lib.rs b/xtask/optee/src/lib.rs
index 039efb94..8187c54a 100644
--- a/xtask/optee/src/lib.rs
+++ b/xtask/optee/src/lib.rs
@@ -121,7 +121,7 @@ impl SignArgs {
             format!("failed to read requried arg: {ENV_OPTEE_OS_PATH}")
         })?;
 
-        run_cmd!(AWS_PROFILE=$aws_profile uv run $optee_os_path/scripts/sign_encrypt.py sign-enc --uuid $inspected_uuid --in $file_to_sign --out $out_dir/$inspected_uuid.ta --key $key_id)?;
+        run_cmd!(AWS_PROFILE=$aws_profile uv run --all-packages $optee_os_path/scripts/sign_encrypt.py sign-enc --uuid $inspected_uuid --in $file_to_sign --out $out_dir/$inspected_uuid.ta --key $key_id)?;
 
         Ok(())
     }