diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
index 374423a..9c96bba 100644
--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -1,16 +1,6 @@
 name: 'Docker Build'
 description: 'Builds docker image'
 inputs:
-  push:
-    required: true
-    description: "Build and push image to registry (cannot be used together with load)"
-    default: "false"
-  password:
-    required: false
-    description: "Password for the registry"
-  username:
-    required: false
-    description: "Username for the registry"
   node_env:
     required: false
     description: "Node environment"
@@ -30,9 +20,9 @@ outputs:
   image:
     description: "The Docker image"
     value: ${{ steps.image.outputs.image }}
-  image_version:
+  tag:
     description: "Combines image and version to a valid image tag"
-    value: ${{ steps.image.outputs.image }}:${{ steps.meta.outputs.version }}
+    value: ${{ steps.tag.outputs.tag }}
 
 runs:
   using: "composite"
@@ -46,28 +36,11 @@ runs:
         version: latest
         buildkitd-flags: --debug
 
-    # Login to a registry to push the image
-    - name: Login to Container Registry
-      # Only login if we are pushing the image
-      if: ${{ inputs.push == 'true' }}
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ inputs.username }}
-        password: ${{ inputs.password }}
-
     - name: Docker Image
       id: image
       shell: bash
       run: |
-        registry="ghcr.io"
-        repository="${{ github.repository }}"
-        image="$registry/$repository"
-
-        echo "registry=$registry" >> $GITHUB_OUTPUT
-        echo "repository=$repository" >> $GITHUB_OUTPUT
-        echo "image=$image" >> $GITHUB_OUTPUT
-
+        echo "image=${{ github.repository }}" >> $GITHUB_OUTPUT
         cat $GITHUB_OUTPUT
 
     - name: Docker meta
@@ -100,6 +73,12 @@ runs:
 
         cat $GITHUB_OUTPUT
 
+    - name: Tar file
+      id: tar
+      shell: bash
+      run: |
+        echo "path=/tmp/${{ steps.meta.outputs.version }}" >> $GITHUB_OUTPUT
+
     - name: Build Image
       id: build
       uses: docker/bake-action@v4
@@ -107,8 +86,22 @@ runs:
         DOCKER_TAG: ${{ steps.tag.outputs.tag }}
       with:
         targets: app
-        push: ${{ inputs.push }}
-        load: ${{ inputs.push == 'false' }}
         set: |
-          *.cache-from=type=registry,ref=${{ steps.tag.outputs.tag_cache }}
-          *.cache-to=type=registry,ref=${{ steps.tag.outputs.tag_cache }},mode=max,compression-level=9,force-compression=true,ignore-error=true
+          *.output=type=docker,dest=${{ steps.tar.outputs.path }}
+
+    - name: Get image digest
+      id: digest
+      shell: bash
+      run: |
+        echo '${{ steps.build.outputs.metadata }}' > metadata.json
+        echo "digest=$(cat metadata.json | jq -r '.app."containerimage.digest"')" >> $GITHUB_OUTPUT
+        cat $GITHUB_OUTPUT
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ steps.meta.outputs.version }}
+        path: ${{ steps.tar.outputs.path }}
+        retention-days: 1
+        compression-level: 9
+        overwrite: true
diff --git a/.github/actions/push/action.yml b/.github/actions/push/action.yml
new file mode 100644
index 0000000..d2aad96
--- /dev/null
+++ b/.github/actions/push/action.yml
@@ -0,0 +1,27 @@
+name: 'Docker Push image to registry'
+description: 'Pushes build docker image to registry'
+inputs:
+  tag:
+    required: true
+    description: "The full docker tag to push"
+  password:
+    required: false
+    description: "Password for the registry"
+  username:
+    required: false
+    description: "Username for the registry"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Login to Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+
+    - name: Push Image
+      shell: bash
+      run: |
+        docker image push ${{ inputs.tag }}
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 596db8f..609791e 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -9,10 +9,17 @@ on:
 permissions:
   packages: write
 
+# TODO:
+# 1. split out the push action to separate action
+# 2. add caching based on fork behaviour, use GHA cache or registry..
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    outputs:
+      version: ${{ steps.build.outputs.version }}
+
     steps:
       - uses: actions/checkout@v4
 
@@ -20,11 +27,35 @@ jobs:
         uses: ./.github/actions/context
 
       - uses: ./.github/actions/build
+        id: build
         with:
-          push: true
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
           node_env: production
           latest: ${{ steps.context.outputs.is_release_master }}
 
+      - uses: ./.github/actions/push
+        if: steps.context.outputs.is_fork == 'false'
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.build.outputs.tag }}
+
+  download:
+      runs-on: ubuntu-latest
+      needs: [build]
+
+      steps:
+        - uses: actions/checkout@v4
+
+        - uses: actions/download-artifact@v4
+          with:
+            name: ${{ needs.build.outputs.version }}
+            path: /tmp/
+
+        - name: Load image
+          shell: bash
+          run: |
+            docker load < /tmp/${{ needs.build.outputs.version }}
+            docker image ls
+
+