diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4897367..fc48b36 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
 workflow_dispatch:
 jobs:
 golang:
+ permissions:
+ contents: read
+ id-token: write
 strategy:
 matrix:
 go-version: [1.21.x]
@@ -21,11 +24,27 @@ jobs:
 - uses: actions/setup-go@v5
 with:
 go-version: ${{ matrix.go-version }}
+ - name: Login to Docker Hub
+ if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+ uses: docker/login-action@v3
+ with:
+ username: dockerpublicbot
+ password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+ - name: Authenticate to AWS
+ if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
+ with:
+ aws-region: "us-east-1"
+ role-to-assume: arn:aws:iam::175142243308:role/doi-github-actions-signing
 - name: Setup Testcontainers Cloud Client
 uses: atomicjar/testcontainers-cloud-setup-action@v1
 with:
 token: ${{ secrets.TC_CLOUD_TOKEN }}
- - name: go test
+ - name: go test ubuntu e2e
+ if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+ run: go test -tags=e2e -v ./... -coverprofile=coverage.out -covermode=atomic
+ - name: go test osx
+ if: matrix.os == 'macos-latest' || github.actor == 'dependabot[bot]'
 run: go test -v ./... -coverprofile=coverage.out -covermode=atomic
 - name: Upload coverage to Codecov
 uses: codecov/codecov-action@v4
diff --git a/pkg/mirror/authn_test.go b/pkg/mirror/authn_test.go
new file mode 100644
index 0000000..ce4374d
--- /dev/null
+++ b/pkg/mirror/authn_test.go
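Review bot: `id-token: write` is granted on the whole `golang` job, so every step in every matrix leg can request an OIDC token, including the macOS and dependabot legs that skip the AWS step and the tag-pinned third-party actions that run later in the same job. Only the `Authenticate to AWS` step needs it, so the e2e steps would be better placed in a separate ubuntu-only job that carries this permission, leaving the unit-test job with `contents: read` alone. If it stays here, a comment such as `# id-token: write is required only for the OIDC role assumption in "Authenticate to AWS"` would record why it is present. The role's trust policy is not visible in this diff; it should presumably restrict the `sub` claim to this repository and the refs allowed to run e2e. The rest of the job body lies outside this hunk.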
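Review bot: The `Login to Docker Hub` step passes `secrets.DOCKERPUBLICBOT_WRITE_PAT` to `docker/login-action@v3`, a mutable tag, while the AWS step right after it is pinned to a full commit SHA; pin it the same way, `uses: docker/login-action@<full-commit-sha> # v3`. Once both steps have run, the Docker Hub write credential and the assumed-role credentials (a signing role, judging by its name) remain available to every later step in the job: `atomicjar/testcontainers-cloud-setup-action@v1`, `codecov/codecov-action@v4`, and `go test -tags=e2e`, which executes code from the checked-out ref. The `github.actor != 'dependabot[bot]'` guard covers only Dependabot; if the workflow also runs on pull requests from forks (the `on:` block is mostly outside this diff), secrets are empty there and the login steps would fail rather than fall back to the non-e2e `go test osx` step. A same-repository check such as `github.event.pull_request.head.repo.full_name == github.repository` in the `if:` conditions would cover that case.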
@@ -0,0 +1,34 @@
+//go:build e2e
+
+package mirror_test
+
+import (
+ "path/filepath"
+ "testing"
+
+ "github.com/docker/attest/pkg/mirror"
+ "github.com/docker/attest/pkg/oci"
+ "github.com/stretchr/testify/require"
+)
+
+func TestRegistryAuth(t *testing.T) {
+ UnsignedTestImage := filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+
+ attIdx, err := oci.SubjectIndexFromPath(UnsignedTestImage)
+ require.NoError(t, err)
+ // test cases for ecr, gcr and dockerhub
+ testCases := []struct {
+ Image string
+ }{
+ {Image: "175142243308.dkr.ecr.us-east-1.amazonaws.com/e2e-test-image:latest"},
+ {Image: "docker/image-signer-verifier-test:latest"},
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Image, func(t *testing.T) {
+ err := mirror.PushIndexToRegistry(attIdx.Index, tc.Image)
+ require.NoError(t, err)
+ _, err = oci.SubjectIndexFromRemote(tc.Image)
+ require.NoError(t, err)
+ })
+ }
+}
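Review bot: Both test cases in `TestRegistryAuth` push to the mutable `:latest` tag of shared repositories, and the read-back discards its result (`_, err = oci.SubjectIndexFromRemote(tc.Image)`). Concurrent workflow runs will therefore overwrite each other, and the check passes as long as any index is resolvable at that tag, not necessarily the one this run pushed. A per-run tag, for example one derived from `os.Getenv("GITHUB_RUN_ID")`, would keep runs apart, and comparing the fetched index's digest with that of `attIdx.Index` would show that the authenticated push actually landed. The comment `// test cases for ecr, gcr and dockerhub` also names GCR, but the table has only ECR and Docker Hub entries; either add the case or change the comment to `// test cases for ECR and Docker Hub`.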