diff --git a/.changeset/provisioner-poor-news-reflect.md b/.changeset/provisioner-poor-news-reflect.md
new file mode 100644
index 000000000..195a987f7
--- /dev/null
+++ b/.changeset/provisioner-poor-news-reflect.md
@@ -0,0 +1,5 @@
+---
+"provisioner": patch
+---
+
+fix: Improve CI caching and fix remote tags loading
diff --git a/.github/actions/setup-bazel/action.yml b/.github/actions/setup-bazel/action.yml
index 1e7f357fa..b74bfa935 100644
--- a/.github/actions/setup-bazel/action.yml
+++ b/.github/actions/setup-bazel/action.yml
@@ -1,5 +1,9 @@
 name: "Setup Bazel"
 description: "Setup the CI to work properly with Bazel"
+inputs:
+ OP_SERVICE_ACCOUNT_TOKEN:
+ description: "Service Account Token for 1Password"
+ required: true
 runs:
 using: "composite"
 steps:
@@ -8,9 +12,19 @@ runs:
 with:
 path: |
 tmp/output_base/external
+ /nix/store
 key: bazel-cache-${{ runner.os }}-${{ github.job }}-${{ github.sha }}
 restore-keys: bazel-cache-${{ runner.os }}-${{ github.job }}-

+ - name: Load secret
+ uses: 1password/load-secrets-action@v1
+ with:
+ # Export loaded secrets as environment variables
+ export-env: true
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ inputs.OP_SERVICE_ACCOUNT_TOKEN }}
+ BUILDBUDDY_API_KEY: op://vgijssel-prod/buildbuddy-api-key/password
+
 - name: Install nix package manager
 uses: cachix/install-nix-action@v22
 with:
@@ -19,5 +33,6 @@ runs:
 - name: Create local.bazelrc file
 shell: bash
 run: |
+ echo "build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY" > local.bazelrc
 echo "startup --output_base=$(pwd)/tmp/output_base" >> local.bazelrc
 cat local.bazelrc
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 111f095fd..b1c561600 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
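Review bot: The new "Load secret" step in the second action.yml hunk gives the 1Password service-account token to `1password/load-secrets-action@v1`, a third-party action referenced by a movable tag. Pinning it to a full commit SHA, `uses: 1password/load-secrets-action@<full-commit-sha> # v1` (placeholder, to be filled in from the release), keeps a retagged release from running with that token. `export-env: true` also puts `BUILDBUDDY_API_KEY` into the environment of every later step of the calling job, including the nix install and the `bazel run` steps. If only the "Create local.bazelrc file" step needs the key, giving the load step an `id` and reading its step output there would narrow the exposure.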
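Review bot: `cat local.bazelrc` at the end of the "Create local.bazelrc file" step (third action.yml hunk) now prints the line that carries the BuildBuddy API key, so the job log stays clean only as long as masking of the loaded secret holds. Printing just the non-secret lines avoids relying on that, for example `grep -v 'remote_header' local.bazelrc`, or drop the `cat`. The key is also written in plain text into the workspace; the cache paths visible in the previous hunk do not include `local.bazelrc`, and that should stay the case. If `BUILDBUDDY_API_KEY` is empty the header is written with no value, so a `: "${BUILDBUDDY_API_KEY:?}"` guard before the `echo` would make that failure explicit.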
@@ -18,6 +18,6 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 - uses: ./.github/actions/setup-bazel
- - run: bazel run //provisioner:deploy
- env:
- ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD: ${{ secrets.ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD }}
+ with:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD }}
+ - run: bazel run --config buildbuddy --config buildbuddy_rbe //provisioner:deploy
diff --git a/.github/workflows/schedule.yml b/.github/workflows/schedule.yml
index 96f175ba6..c80fa8234 100644
--- a/.github/workflows/schedule.yml
+++ b/.github/workflows/schedule.yml
@@ -12,6 +12,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 - uses: ./.github/actions/setup-bazel
- - run: bazel run //provisioner:deploy_validate
+ with:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD }}
+ - run: bazel run --config buildbuddy --config buildbuddy_rbe //provisioner:deploy_validate
 env:
 ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD: ${{ secrets.ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD }}
diff --git a/provisioner/BUILD.bazel b/provisioner/BUILD.bazel
index 6d578636d..1a557d399 100644
--- a/provisioner/BUILD.bazel
+++ b/provisioner/BUILD.bazel
@@ -138,7 +138,6 @@ task(
 cmd.executable(":deploy_provision"),
 cmd.executable(":deploy_validate"),
 ],
- cwd = "$BUILD_WORKSPACE_DIRECTORY",
 # Add in all the .github files to the data attribute,
 # so if the github workflows change then we re-run the deployment
 data = glob([".github/**"]),
diff --git a/tools/onepassword/lib.py b/tools/onepassword/lib.py
index 969ea9dac..4646459e3 100644
--- a/tools/onepassword/lib.py
+++ b/tools/onepassword/lib.py
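Review bot: The `bazel run ... //provisioner:deploy` step in the deploy.yml hunk loses its `env:` block, so `ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD` is no longer set for it, while the schedule.yml hunk keeps that variable on `deploy_validate`. The token passed through `with:` is bound to `OP_SERVICE_ACCOUNT_TOKEN` only on the "Load secret" step inside the composite action. The lib.py hunk in this commit removes the file fallback and raises `ValueError` when the variable is absent. If the deploy target reaches `tools/onepassword/lib.py` (not visible here), keep `env:` with `ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD: ${{ secrets.ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD }}` on this step as schedule.yml does.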
@@ -5,21 +5,12 @@ from pathlib import Path -def _get_onepassword_service_account_token(env_key, tmp_file): +def _get_onepassword_service_account_token(env_key): if env_key in os.environ: return os.environ[env_key] - file = os.path.join( - os.environ.get("BUILD_WORKSPACE_DIRECTORY", ""), - "tmp", - tmp_file, - ) - - if os.path.exists(file): - return Path(file).read_text() - else: - raise ValueError(f"Either set env variable '{env_key}' or create file '{file}'") + raise ValueError(f"Set env variable '{env_key}'.") def get_item_path(path): @@ -37,13 +28,11 @@ def get_item_path(path): onepassword_vault_id = "vgijssel-prod" onepassword_service_account_token = _get_onepassword_service_account_token( "ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD", - "1password-service-account-token-prod", ) else: onepassword_vault_id = "vgijssel-dev" onepassword_service_account_token = _get_onepassword_service_account_token( "ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_DEV", - "1password-service-account-token-dev", ) op_binary = os.environ["OP_BINARY"]
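Review bot: `if env_key in os.environ` in `_get_onepassword_service_account_token` accepts a variable that is set but empty, which is what GitHub Actions supplies when the referenced secret is not defined. The function then returns `""` and the failure presumably surfaces later, when the token is used, rather than here. Testing the value closes that gap: `token = os.environ.get(env_key)`, then `if not token: raise ValueError(f"Set env variable '{env_key}'.")` and `return token`. With `Path(file).read_text()` gone, `from pathlib import Path` may now be unused; the rest of the file is outside the hunk, so check before removing it. A one-line docstring saying the token is read only from the environment would document the dropped file fallback.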