diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml index be8202e..9fc76a0 100644 --- a/.github/workflows/acceptance-test.yml +++ b/.github/workflows/acceptance-test.yml @@ -15,17 +15,21 @@ on: export-env: required: true type: boolean + version: + required: false + type: string + default: "latest" + os: + required: true + type: string + default: "ubuntu-latest" + auth: + required: true + type: string jobs: acceptance-test: - strategy: - matrix: - os: [ubuntu-latest, macos-latest] - auth: [connect, service-account] - exclude: - - os: macos-latest - auth: connect - runs-on: ${{ matrix.os }} + runs-on: ${{ inputs.os }} steps: - name: Base checkout uses: actions/checkout@v4 
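Review bot: The new `os` input is declared `required: true` and also given `default: "ubuntu-latest"`, which is contradictory. If this is a `workflow_call` input, as the `uses:` callers in test.yml suggest, the caller must always pass it and the default is never used. Either drop the default or set `required: false`. Separately, `auth` is a free-form string: any value other than `connect` or `service-account` skips both configure steps and both verify steps in the next hunk, so the job reaches "Load secrets" with no credentials configured. A comment on the input such as `# one of: connect, service-account`, plus an early step that fails on any other value, would make a typo in a caller fail loudly.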
@@ -50,32 +54,50 @@ jobs: github.event.client_payload.slash_command.args.named.sha ) - name: Launch 1Password Connect instance - if: ${{ matrix.auth == 'connect' }} + if: ${{ inputs.auth == 'connect' }} env: OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} run: | echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10 - name: Configure Service account - if: ${{ matrix.auth == 'service-account' }} + if: ${{ inputs.auth == 'service-account' }} uses: ./configure with: service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + - name: Verify Service Account env var is set + if: ${{ inputs.auth == 'service-account' }} + shell: bash + run: | + if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then + echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2 + exit 1 + fi - name: Configure 1Password Connect - if: ${{ matrix.auth == 'connect' }} + if: ${{ inputs.auth == 'connect' }} uses: ./configure # 1password/load-secrets-action/configure@ with: connect-host: http://localhost:8080 connect-token: ${{ secrets.OP_CONNECT_TOKEN }} + - name: Verify Connect env vars are set + if: ${{ inputs.auth == 'connect' }} + run: | + if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then + echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2 + exit 1 + fi - name: Load secrets id: load_secrets uses: ./ # 1password/load-secrets-action@ with: + version: ${{ inputs.version }} export-env: ${{ inputs.export-env }} env: SECRET: ${{ inputs.secret }} SECRET_IN_SECTION: ${{ inputs.secret-in-section }} MULTILINE_SECRET: ${{ inputs.multiline-secret }} + - name: Verify installed op cli version + run: ./tests/assert-cli-version.sh ${{ inputs.version }} - name: Assert test secret values [step output] if: ${{ !inputs.export-env }} env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3a93472..5ad43bc 100644 --- a/.github/workflows/test.yml 
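Review bot: The added step `run: ./tests/assert-cli-version.sh ${{ inputs.version }}` expands the input into the script text before the shell runs, so the value is parsed as shell syntax instead of being passed as one argument. Today's callers feed it from a fixed matrix, but a reusable workflow should not rely on that. Pass it through the environment and quote it: add `env:` with `OP_CLI_VERSION: ${{ inputs.version }}` and change the command to `run: ./tests/assert-cli-version.sh "$OP_CLI_VERSION"`. This step and "Verify Connect env vars are set" also lack the `shell: bash` that the service-account verify step sets. That matters for the version step because the caller matrix in this diff adds `windows-latest`, where the default shell is not bash.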
+++ b/.github/workflows/test.yml @@ -14,6 +14,7 @@ jobs: node-version: 20 - run: npm ci - run: npm test + test-with-output-secrets: if: | github.ref == 'refs/heads/main' || @@ -21,13 +22,27 @@ jobs: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository ) - uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main + uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/use-op-cli-installer #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/use-op-cli-installer') secrets: inherit + strategy: + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03] + auth: [connect, service-account] + exclude: + - os: macos-latest + auth: connect + - os: windows-latest + auth: connect with: + os: ${{ matrix.os }} + version: ${{ matrix.version }} + auth: ${{ matrix.auth }} secret: op://acceptance-tests/test-secret/password secret-in-section: op://acceptance-tests/test-secret/test-section/password multiline-secret: op://acceptance-tests/multiline-secret/notesPlain export-env: false + test-with-export-env: if: | github.ref == 'refs/heads/main' || 
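Review bot: `uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/use-op-cli-installer` points the reusable workflow at a mutable feature branch while the job keeps `secrets: inherit`. Whatever is pushed to that branch later runs with every repository secret, and the workflow breaks when the branch is deleted after merge. The same line appears in `test-with-export-env` and `test-references-with-ids` in the following two hunks. Since caller and callee live in the same repository, `uses: ./.github/workflows/acceptance-test.yml` would run the callee from the caller's own commit and remove the need for the TODO. If a remote reference is required, pin it to a full commit SHA. Replacing `secrets: inherit` with an explicit `secrets:` map of the three secrets the callee reads would narrow the exposure further.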
@@ -35,13 +50,27 @@ jobs: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository ) - uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main + uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/use-op-cli-installer #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/use-op-cli-installer') secrets: inherit + strategy: + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03] + auth: [connect, service-account] + exclude: + - os: macos-latest + auth: connect + - os: windows-latest + auth: connect with: + os: ${{ matrix.os }} + version: ${{ matrix.version }} + auth: ${{ matrix.auth }} secret: op://acceptance-tests/test-secret/password secret-in-section: op://acceptance-tests/test-secret/test-section/password multiline-secret: op://acceptance-tests/multiline-secret/notesPlain export-env: true + test-references-with-ids: if: | github.ref == 'refs/heads/main' || 
@@ -49,9 +78,22 @@ jobs: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository ) - uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main + uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/use-op-cli-installer #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/use-op-cli-installer') secrets: inherit + strategy: + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03] + auth: [connect, service-account] + exclude: + - os: macos-latest + auth: connect + - os: windows-latest + auth: connect with: + os: ${{ matrix.os }} + version: ${{ matrix.version }} + auth: ${{ matrix.auth }} secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain diff --git a/tests/assert-cli-version.sh b/tests/assert-cli-version.sh new file mode 100755 index 0000000..8610bc1 --- /dev/null +++ b/tests/assert-cli-version.sh @@ -0,0 +1,30 @@ +#!/bin/bash +set -e + +OP_CLI_VERSION="$1" +CLI_URL="https://app-updates.agilebits.com/product_history/CLI2" + +get_latest_cli_version() { + conditional_path="/beta/" + if [ "$1" == "non_beta" ]; then + conditional_path="!/beta/" + fi + # This long command parses the HTML page at "CLI_URL" and finds the latest CLI version + # based on the release channel we're looking for (stable or beta). + # + # The ideal call (i.e. 'curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/Y -s | jq -r .version') + # doesn't retrieve the latest CLI version on a channel basis. + # If the latest release is stable and we want the latest beta, this command will return the stable still. + OP_CLI_VERSION="$(curl -s $CLI_URL | awk -v RS='

|

' 'NR % 2 == 0 {gsub(/[[:blank:]]+/, ""); gsub(/]*>|<\/span>|[\r\n]+/, ""); gsub(/ .*$/, ""); if (!'"$1"' && '"$conditional_path"'){print; '"$1"'=1;}}')" +} + +if [ "$OP_CLI_VERSION" == "latest" ]; then + get_latest_cli_version non_beta +elif [ "$OP_CLI_VERSION" == "latest-beta" ]; then + get_latest_cli_version beta +fi + +if [ "$(op --version)" != "$OP_CLI_VERSION" ]; then + echo -e "Expected CLI version to be:\n$OP_CLI_VERSION\nBut got:\n$(op --version)" + exit 1 +fi
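Review bot: The lookup in `get_latest_cli_version` has no failure handling. `curl -s $CLI_URL` is unquoted and lacks `-f`, and the script sets only `set -e`, so an HTTP error or a page-layout change leaves `OP_CLI_VERSION` empty. The final comparison then fails with a message saying the expected version is blank, which hides the real cause. I would use `set -eo pipefail` and `curl -fsS "$CLI_URL"`, and add `[ -n "$OP_CLI_VERSION" ] || { echo "could not determine latest CLI version" >&2; exit 1; }` after the two `get_latest_cli_version` calls. The function also silently overwrites the global `OP_CLI_VERSION` and splices `$1` into the awk program text as a variable name; a header comment should state both. The awk record separator and tag patterns appear damaged in this rendering, so the parsing itself could not be assessed here.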