diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d43429d..fdb1cd6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,7 +46,10 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.TF_GH_TOKEN }}
 DNSIMPLE_ACCOUNT: ${{ secrets.TF_DNSIMPLE_ACCOUNT }}
 DNSIMPLE_TOKEN: ${{ secrets.TF_DNSIMPLE_TOKEN }}
- run: tofu plan -no-color -var-file .tfvars -detailed-exitcode
+ run: |
+ tofu plan -no-color -detailed-exitcode \
+ -var-file .tfvars \
+ -var='email_overrides=${{ secrets.email_overrides }}'
 
 trivy:
 name: Trivy
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index f032b50..2ed4cf2 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
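Review bot: The added `-var='email_overrides=${{ secrets.email_overrides }}'` line splices the secret's raw value into the shell script text before the shell ever runs, because `${{ }}` is expanded by the runner; a map literal containing a single quote or other shell metacharacters breaks the quoting, and interpolating a context value straight into `run:` is the same pattern as a script injection. The step's `env:` block is right above in the hunk, so pass it the way the other credentials are passed: add `TF_VAR_email_overrides: ${{ secrets.email_overrides }}` under `env:` and keep `run: tofu plan -no-color -detailed-exitcode -var-file .tfvars`, which OpenTofu reads as the variable without any shell quoting. This also keeps the secret out of the step's command line. The step and job definitions start outside the hunk.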
@@ -23,27 +23,6 @@ provider "registry.opentofu.org/hashicorp/dnsimple" {
 ]
 }
 
-provider "registry.opentofu.org/hashicorp/github" {
- version = "6.2.1"
- hashes = [
- "h1:uDerb9YJo3vAO+wKw+Z064InX5aXom+nKLDry2eGf14=",
- "zh:172aa5141c525174f38504a0d2e69d0d16c0a0b941191b7170fe6ae4d7282e30",
- "zh:1a098b731fa658c808b591d030cc17cc7dfca1bf001c3c32e596f8c1bf980e9f",
- "zh:245d6a1c7e632d8ae4bdd2da2516610c50051e81505cf420a140aa5fa076ea90",
- "zh:43c61c230fb4ed26ff1b04b857778e65be3d8f80292759abbe2a9eb3c95f6d97",
- "zh:59bb7dd509004921e4322a196be476a2f70471b462802f09d03d6ce96f959860",
- "zh:5cb2ab8035d015c0732107c109210243650b6eb115e872091b0f7b98c2763777",
- "zh:69d2a6acfcd686f7e859673d1c8a07fc1fc1598a881493f19d0401eb74c0f325",
- "zh:77f36d3f46911ace5c50dee892076fddfd64a289999a5099f8d524c0143456d1",
- "zh:87df41097dfcde72a1fbe89caca882af257a4763c2e1af669c74dcb8530f9932",
- "zh:899dbe621f32d58cb7c6674073a6db8328a9db66eecfb0cc3fc13299fd4e62e7",
- "zh:ad2eb7987f02f7dd002076f65a685730705d04435313b5cf44d3a6923629fb29",
- "zh:b2145ae7134dba893c7f74ad7dfdc65fdddf6c7b1d0ce7e2f3baa96212322fd8",
- "zh:bd6bae3ac5c3f96ad9219d3404aa006ef1480e9041d4c95df1808737e37d911b",
- "zh:e89758b20ae59f1b9a6d32c107b17846ddca9634b868cf8f5c927cbb894b1b1f",
- ]
-}
-
 provider "registry.opentofu.org/hashicorp/google" {
 version = "5.37.0"
 constraints = "~> 5.0"
diff --git a/.tfvars b/.tfvars
index 6cd9364..e3f2bab 100644
--- a/.tfvars
+++ b/.tfvars
@@ -115,6 +115,7 @@ teams = {
 "fxcoudert",
 "nandahkrishna",
 "p-linnane",
+ "SMillerDev"
 ],
 tsc = [
 "Bo98",
@@ -123,6 +124,11 @@ teams = {
 "fxcoudert",
 "iMichka",
 ],
+ analytics = [
+ "SMillerDev",
+ "Bo98",
+ "MikeMcQuaid",
+ ]
 },
 taps = {
 bundle = [
diff --git a/README.md b/README.md
index 4ea3128..3c2629b 100644
--- a/README.md
+++ b/README.md
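Review bot: The new `analytics` list closes with a bare `]` and the `"SMillerDev"` entry in the first hunk has no trailing comma, while the sibling entries and lists visible in both hunks (`"p-linnane",`, `],` after `"iMichka",`) all carry one; HCL accepts a newline as the separator, so this is a style point, but it makes the next addition to either list a comma-churn diff. Write them as `"SMillerDev",` and `],` to match the surrounding entries. The `teams` object starts before the first hunk and its closing `},` is the context line after the new block.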
@@ -14,6 +14,16 @@ User management for the Homebrew organisation using OpenTofu
 - `tofu init`
 - `tofu plan -var-file .tfvars`
 
+### Secrets
+
+CI requires the following secrets:
+
+- `amazon_role`: The ARN of the AWS role to use for OIDC auth.
+- `email_overrides`: Map of GitHub usernames with emails for people who want a different email for tools from their GH email
+- `TF_GH_TOKEN`: GitHub token with permissions to manage org teams, users and repo permissions
+- `TF_DNSIMPLE_ACCOUNT`: Account ID for DNSimple
+- `TF_DNSIMPLE_TOKEN`: Token to authenticate to DNSimple
+
 ## TODO
 
 - Google workspace management for brew.sh
diff --git a/github/membership.tf b/github/membership.tf
index 9886c08..5c46f25 100644
--- a/github/membership.tf
+++ b/github/membership.tf
@@ -21,7 +21,7 @@ data "github_organization" "homebrew" {
 }
 
 locals {
- member_emails = tomap({ for key, value in data.github_organization.homebrew.users : key => value.email })
+ member_emails = tomap({ for key, value in data.github_organization.homebrew.users : value.login => sensitive(value.email) })
 }
 
 output "member_emails" {
diff --git a/github/vars.tf b/github/vars.tf
index 1d2b7ac..1f68dbe 100644
--- a/github/vars.tf
+++ b/github/vars.tf
@@ -12,6 +12,7 @@ variable "teams" {
 ops = list(string)
 formulae_brew_sh = list(string)
 ci-orchestrator = list(string)
+ analytics = list(string)
 })
 taps = object({
 bundle = list(string)
diff --git a/main.tf b/main.tf
index b46069c..1a806ec 100644
--- a/main.tf
+++ b/main.tf
@@ -16,7 +16,7 @@ terraform {
 }
 
 locals {
- # these people can't have their membership managed by OpenTofu becuase they are Billing Managers in GitHub
+ # these people can't have their membership managed by OpenTofu because they are Billing Managers in GitHub
 unmanagable_members = ["p-linnane", "issyl0", "colindean", "MikeMcQuaid", "BrewSponsorsBot"]
 }
 
diff --git a/vars.tf b/vars.tf
index b1ce445..35363e0 100644
--- a/vars.tf
+++ b/vars.tf
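Review bot: Wrapping each email in `sensitive()` makes the whole `member_emails` map sensitive, so the `output "member_emails"` that begins on the hunk's last line must itself declare `sensitive = true` or `tofu plan` rejects it for referring to sensitive values; the output's body is outside the hunk, so confirm it carries that flag. The `key` loop variable is unused now that the map is keyed by `value.login`; `member_emails = tomap({ for value in data.github_organization.homebrew.users : value.login => sensitive(value.email) })` is the idiomatic single-variable form, assuming `users` is a list as the original index-keyed version implies. Separately, the lockfile hunk in this commit drops `registry.opentofu.org/hashicorp/github` while this module still reads `data "github_organization"`, so check that the GitHub provider remains pinned under its current source (presumably `integrations/github`) elsewhere in the lockfile rather than floating on the next `tofu init`.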
@@ -12,6 +12,7 @@ variable "teams" {
 ops = list(string)
 formulae_brew_sh = list(string)
 ci-orchestrator = list(string)
+ analytics = list(string)
 })
 taps = object({
 bundle = list(string)
@@ -27,6 +28,7 @@ variable "github_admins" {
 }
 
 variable "email_overrides" {
- type = map(string)
- default = {}
+ type = map(string)
+ sensitive = true
+ default = {}
 }
\ No newline at end of file
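Review bot: Marking `email_overrides` as `sensitive = true` propagates to every expression derived from it, so if the map is used as a `for_each` collection or its keys feed resource addresses anywhere in the root or `github` module, `tofu plan` will now fail because sensitive values cannot be used as `for_each` keys and those call sites need `nonsensitive()` on the key side; the variable's consumers are not in this diff, so confirm before merging. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`) even though it rewrites the closing lines; add the newline after the final `}`.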