diff --git a/.github/workflows/nighthawk-checks.yml b/.github/workflows/nighthawk-checks.yml
index dc28fc872..248036de3 100644
--- a/.github/workflows/nighthawk-checks.yml
+++ b/.github/workflows/nighthawk-checks.yml
@@ -8,6 +8,9 @@ on:
 jobs:
 check:
+ permissions:
+ contents: read
+ packages: read
 runs-on: envoy-x64-medium
 strategy:
 fail-fast: false
@@ -17,4 +20,9 @@ jobs:
 - uses: actions/checkout@v3
 - name: Run CI script
 run: |
- echo "Hello github"
+ bazel run \
+ --config=remote-envoy-engflow \
+ --@envoy//tools/cat:target=//:hello \
+ @envoy//tools/cat
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
diff --git a/BUILD b/BUILD
index c0ffdec64..6e5d4b265 100644
--- a/BUILD
+++ b/BUILD
@@ -75,3 +75,11 @@ envoy_cc_binary(
 "//source/exe:output_transform_main_entry_lib",
 ],
 )
+
+genrule(
+ name = "hello",
+ outs = ["world.txt"],
+ cmd = """
+ echo HELLO > $@
+ """,
+)
diff --git a/bazel/engflow-bazel-credential-helper.sh b/bazel/engflow-bazel-credential-helper.sh
new file mode 100755
index 000000000..c6c1bd339
--- /dev/null
+++ b/bazel/engflow-bazel-credential-helper.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Bazel expects the helper to read stdin.
+# See https://github.com/bazelbuild/bazel/pull/17666
+cat /dev/stdin > /dev/null
+
+# `GITHUB_TOKEN` is provided as a secret.
+echo "{\"headers\":{\"Authorization\":[\"Bearer ${GITHUB_TOKEN}\"]}}"
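Review bot: The new job-level `permissions` block carries no comment saying why `packages: read` is granted, and these scopes define what the token exported later in this workflow as `GITHUB_TOKEN` can do wherever it is sent. A line above the block such as `# Read-only on purpose: this token is forwarded as a bearer credential by the Bazel credential helper` would keep a later edit from widening it unnoticed; the exact reason for `packages: read` is inferred here and should be confirmed by the author. The `check` job continues beyond this hunk.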
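Review bot: `GITHUB_TOKEN` is placed in the environment of the whole `Run CI script` step, and `bazel run` starts its target with the invoking environment, so `@envoy//tools/cat` and anything it executes receive the token as well as the credential helper. If the target does not need it, strip it for the run phase, for example `--run_under='env -u GITHUB_TOKEN'`, or build and execute in separate steps with `env:` set only on the build. The `remote-envoy-engflow` config is defined outside this diff, so the endpoint that receives the bearer header cannot be checked from here. The steps list begins outside the hunk.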
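Review bot: The helper discards the request on stdin, which carries the `uri` Bazel is about to contact, and then returns the bearer header unconditionally, so the token is attached for every host the helper is registered for. Unless the `--credential_helper` flag (not in this diff) is scoped to the remote-execution host, as in `--credential_helper=<remote-host>=%workspace%/bazel/engflow-bazel-credential-helper.sh`, repository downloads from other hosts would presumably be sent the GitHub token too. The final `echo` also emits `Bearer ` with an empty value when the variable is unset; adding `: "${GITHUB_TOKEN:?GITHUB_TOKEN is not set}"` before it turns that into a clear failure instead of an unauthenticated request.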