diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 93fdb3553..87ac3c240 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -91,7 +91,5 @@ jobs:
         run: make run-flask &
         env:
           NOTIFY_ENVIRONMENT: scanning
-      - name: Install pa11y-ci
-        run: npm install -g pa11y-ci
       - name: Run pa11y-ci
-        run: pa11y-ci
+        run: make a11y-scan
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index ce95e98d4..3c7f90d9b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -35,11 +35,11 @@ jobs:
       - name: Deploy to cloud.gov
         uses: 18f/cg-deploy-action@main
         env:
-          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
-          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          DANGEROUS_SALT: ${{ secrets.PROD_DANGEROUS_SALT }}
+          SECRET_KEY: ${{ secrets.PROD_SECRET_KEY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
+          ADMIN_CLIENT_SECRET: ${{ secrets.PROD_ADMIN_CLIENT_SECRET }}
           BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
           REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
         with:
diff --git a/Makefile b/Makefile
index 5e0975132..9a0de687f 100644
--- a/Makefile
+++ b/Makefile
@@ -88,8 +88,8 @@ static-scan:
 
 .PHONY: a11y-scan
 a11y-scan:
-	npm install -g pa11y-ci
-	pa11y-ci
+	source $(NVMSH) && npm install -g pa11y-ci
+	source $(NVMSH) && pa11y-ci
 
 .PHONY: clean
 clean: