diff --git a/.Rbuildignore b/.Rbuildignore
index 2802e30..8c883d6 100644
--- a/.Rbuildignore
+++ b/.Rbuildignore
@@ -6,7 +6,7 @@
 ^LICENSE\.md$
 ^CITATION\.cff$
 ^codemeta.json$
-^.lintr$
+^\.lintr$
 ^_pkgdown\.yml$
 ^docs$
 ^pkgdown$
@@ -16,3 +16,5 @@
 ^check$
 ^artifacts$
 ^logo.png$
+^\.env$
+^\.git-crypt$
diff --git a/.env b/.env
new file mode 100644
index 0000000..1915a5b
Binary files /dev/null and b/.env differ
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg b/.git-crypt/keys/default/0/4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg
new file mode 100644
index 0000000..ad81963
Binary files /dev/null and b/.git-crypt/keys/default/0/4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg differ
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..a55d3b2
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+## Encrypted Files
+.env filter=git-crypt diff=git-crypt
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index b455e94..8652933 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -32,6 +32,13 @@ with S3 cloud storage, a MinIO server is run in the background to serve as an
 S3 API endpoint.  You will need the `minio` command line tool installed as well
 as the `mc` MinIO client.
 
+For testing against the GitHub API, repositories are generated and deleted.  This
+requires a fine-grained GitHub personal access token with `administration`, `contents`, and `commit statuses` scopes.
+This is set as the environment variable `RELIC_TESTING_GITHUB_PAT`, and the organization
+under which to create repositories is set as `RELIC_TESTING_GITHUB_ORG`.  In the
+absence of these, GitHub API tests will be skipped. These are available in the
+encrypted `.env` file, which is secured by [`git-crypt`](https://www.agwa.name/projects/git-crypt/)
+
 ## Lifecycle Statement
 
 `relic` is a new package and its API is still under development.
diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml
index 9d150cc..da8c5a9 100644
--- a/.github/workflows/R-CMD-check.yaml
+++ b/.github/workflows/R-CMD-check.yaml
@@ -24,11 +24,20 @@ jobs:
     env:
       GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
       R_KEEP_PKG_SOURCE: yes
+      GIT_CRYPT_KEY64: ${{ secrets.GIT_CRYPT_KEY64 }}
     steps:
       - uses: actions/checkout@v3
       - name: Do a pre-emptive apt-update
         run: sudo apt-get update -qq
         if: ${{ !env.ACT }}
+      - name: Decrypt repository using symmetric key
+        if: ${{ env.GIT_CRYPT_KEY64 }}
+        run: |
+          sudo apt-get install -y --no-install-recommends git-crypt
+          echo $GIT_CRYPT_KEY64 > git_crypt_key.key64 && base64 -di git_crypt_key.key64 > git_crypt_key.key && git-crypt unlock git_crypt_key.key
+          rm git_crypt_key.key git_crypt_key.key64
+          # Select all values in .env and print with "::add-mask::" to obfuscate
+          grep -v '^#' .env | sed -E 's/(.*)=(.*)/\2/' | xargs -I '{}' echo "::add-mask::{}"
       - uses: r-lib/actions/setup-pandoc@v2
       - uses: r-lib/actions/setup-r@v2
         with:
diff --git a/tests/testthat/helper-github.R b/tests/testthat/helper-github.R
new file mode 100644
index 0000000..6e12dcd
--- /dev/null
+++ b/tests/testthat/helper-github.R
@@ -0,0 +1,8 @@
+skip_if_no_github <- function() {
+  skip_if_offline("github.com")
+  skip_on_cran()
+
+  skip_if(!nzchar(Sys.getenv("RELIC_TESTING_GITHUB_PAT")), "No RELIC_TESTING_GITHUB_PAT env var")
+  skip_if(!nzchar(Sys.getenv("RELIC_TESTING_GITHUB_ORG")), "No RELIC_TESTING_GITHUB_ORG env var")
+
+}
diff --git a/tests/testthat/setup.R b/tests/testthat/setup.R
index 0e2fe28..98bbf1e 100644
--- a/tests/testthat/setup.R
+++ b/tests/testthat/setup.R
@@ -1,5 +1,17 @@
-withr::local_envvar(
-  "R_USER_CACHE_DIR" = tempdir()
+# Read in credentials if the file is unencrypted
+env_file <- fs::path(rprojroot::find_root(rprojroot::is_r_package), ".env")
+if (file.exists(env_file)) {
+  x <- try(readRenviron(env_file), silent = TRUE)
+  if (!inherits(x, "try-error")) {
+    Sys.setenv("GITHUB_PAT" = Sys.getenv("RELIC_TESTING_GITHUB_PAT"))
+  }
+}
+
+# Set a temporary location for the cache
+withr::local_envvar(list(
+  "R_USER_CACHE_DIR" = tempdir(),
+  "RELIC_TESTING_GITHUB_PAT" = Sys.getenv("RELIC_TESTING_GITHUB_PAT"),
+  "GITHUB_PAT" = Sys.getenv("RELIC_TESTING_GITHUB_PAT"))
 )
 
 ## Run a MinIO server in the background to test S3 object storage with `targets`
diff --git a/tests/testthat/test-github.R b/tests/testthat/test-github.R
new file mode 100644
index 0000000..51f8b51
--- /dev/null
+++ b/tests/testthat/test-github.R
@@ -0,0 +1,10 @@
+test_that("GitHub testing access works", {
+  skip_if_no_github()
+
+  #Look up the GitHub organization
+  expect_no_error(gh_response <- gh::gh("/orgs/{org}", org = Sys.getenv("RELIC_TESTING_GITHUB_ORG")))
+  token_expiry <- attr(gh_response, "response")$`github-authentication-token-expiration`
+  if (as.numeric(as.POSIXct(token_expiry) - Sys.time(), "days") < 7) {
+    warning("GitHub token expires in less than a week. Please update the token.")
+  }
+})