diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5afa9cba14..ddbce9b4d0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,8 @@ name: build-ublue on: - pull_request_target: - types: [labeled] + pull_request: + types: + - labeled branches: - main paths-ignore:
@@ -23,7 +24,7 @@ jobs: push-ghcr: name: Build and push image runs-on: ubuntu-22.04 - if: contains(github.event.pull_request.labels.*.name, 'ok-to-build') + if: contains(github.event.pull_request.labels.*.name, 'ok-to-build') || github.event_name != 'pull_request' permissions: contents: read packages: write
@@ -103,6 +104,7 @@ jobs: - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push + if: github.event_name != 'pull_request' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }}
@@ -117,9 +119,11 @@ jobs: # Sign container - uses: sigstore/cosign-installer@main + if: github.event_name != 'pull_request' # Only needed when running `cosign sign` using a key - name: Write signing key to disk + if: github.event_name != 'pull_request' run: | echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key # DEBUG: get character count of key
@@ -129,12 +133,14 @@ jobs: - name: Login to GitHub Container Registry uses: docker/login-action@v2 + if: github.event_name != 'pull_request' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Sign container image + if: github.event_name != 'pull_request' run: | cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} env:
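Review bot: With `types: [labeled]` as the only `pull_request` trigger, the job condition in the second hunk (`contains(github.event.pull_request.labels.*.name, 'ok-to-build')`) tests that the label is present, not that it was granted for the commit being built: the `labeled` event fires for any label, so once a PR carries `ok-to-build`, attaching any other label rebuilds the PR's current head, including commits pushed after the reviewer labelled it. That matters more than before because this change makes the PR build's artifact the input of a privileged `workflow_run` job (`pr-publish.yml`), so the label is the only trust gate in that chain. Worth recording next to `types:`: `# any label event rebuilds the PR's current head; ok-to-build is only tested for presence`, and if per-commit approval is the intent, the label needs to be cleared when new commits arrive (a `synchronize`-triggered step, outside this hunk).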
@@ -142,5 +148,22 @@ jobs: COSIGN_EXPERIMENTAL: false - name: Echo outputs + if: github.event_name != 'pull_request' run: | echo "${{ toJSON(steps.push.outputs) }}"
+
+ - name: Upload Container Export
+ if: github.event_name == 'pull_request'
+ run: |
+ mkdir -p output
+ podman save -o output/image.tar ${{ steps.build_image.outputs.image }}
+ echo "image=${{ steps.build_image.outputs.image }}" >> output/meta
+ echo "tags=${{ steps.build_image.outputs.tags }}" >> output/meta
+
+ - name: Publish Artifact
+ uses: actions/upload-artifact@v2
+ if: github.event_name == 'pull_request'
+ with:
+ name: output
+ path: output
+
diff --git a/.github/workflows/pr-publish.yml b/.github/workflows/pr-publish.yml
new file mode 100644
index 0000000000..ebc4b55d06
--- /dev/null
+++ b/.github/workflows/pr-publish.yml
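Review bot: The `meta` file written by `Upload Container Export` is free-form `key=value` text that `pr-publish.yml` later appends straight into its `$GITHUB_OUTPUT`; because this step runs under `pull_request`, the workflow definition and everything placed in `output/` come from the PR head, so the consumer has to treat `meta` and `image.tar` as untrusted input rather than as values this repository produced. That contract is invisible from the step itself; a comment would fix that: `# Consumed by pr-publish.yml (workflow_run). Produced in the PR's context: validate meta and image.tar there; never take tag names from them`. `actions/upload-artifact@v2` is an old major line; v3 is available with the same `name`/`path` inputs. The `build_image` step id the `podman save` line depends on is defined outside this hunk.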
@@ -0,0 +1,69 @@
+name: Publish PR builds
+
+on:
+ workflow_run:
+ workflows: ["build-ublue"]
+ types:
+ - completed
+
+env:
+ IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: 'Download artifact'
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "output"
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/output.zip', Buffer.from(download.data));
+ - run: unzip output.zip
+
+ - name: Load Container Image
+ id: load_image
+ run: |
+ podman load -i image.tar
+ cat meta >> $GITHUB_OUTPUT
+
+ - name: Lowercase Registry
+ id: registry_case
+ uses: ASzc/change-string-case-action@v5
+ with:
+ string: ${{ env.IMAGE_REGISTRY }}
+
+ - name: Push To GHCR
+ uses: redhat-actions/push-to-registry@v2
+ id: push
+ if: github.event_name != 'pull_request'
+ env:
+ REGISTRY_USER: ${{ github.actor }}
+ REGISTRY_PASSWORD: ${{ github.token }}
+ with:
+ image: ${{ steps.load_image.outputs.image }}
+ tags: ${{ steps.load_image.outputs.tags }}
+ registry: ${{ steps.registry_case.outputs.lowercase }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ env.REGISTRY_PASSWORD }}
+ extra-args: |
+ --disable-content-trust
+
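Review bot: `cat meta >> $GITHUB_OUTPUT` in `Load Container Image` turns every line of a file produced by the PR's own workflow run into a step output with no validation, and `Push To GHCR` then pushes to `ghcr.io/<owner>` using the `image` and `tags` values that file supplies with the repository's own token, so whoever controls the PR branch chooses both the image content and the tags that get overwritten; the `ok-to-build` label in build.yml is the only gate in front of that. The `if: github.event_name != 'pull_request'` on the push step was carried over from build.yml and is always true here, since this workflow only ever runs on `workflow_run`, so it should be dropped rather than left to suggest a guard exists. The job also sets no `permissions:`, so it runs with whatever default token scope the repository grants. The rewrite below derives the tag from trusted event data (`github.event.workflow_run.head_sha`), accepts only a well-formed `image=` line from `meta` (the step fails under `bash -e` if none matches), and pins the token to `contents: read` / `packages: write`.
```yaml
jobs:
  upload:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    # … unchanged: if:, Download artifact, unzip …
      - name: Load Container Image
        id: load_image
        run: |
          podman load -i image.tar
          # meta comes from the PR's workflow run: accept only a well-formed image= line
          grep -E '^image=[A-Za-z0-9][A-Za-z0-9._/-]*$' meta >> "$GITHUB_OUTPUT"
          # tag from trusted event data, never from the artifact
          echo "tags=pr-${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
      # … unchanged: Lowercase Registry …
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@v2
        id: push
        # … unchanged: env: and with: (the event_name condition is removed) …
```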