diff --git a/.github/workflows/_build_artifacts.yml b/.github/workflows/_build_artifacts.yml
index b345d71bb..633c7e625 100644
--- a/.github/workflows/_build_artifacts.yml
+++ b/.github/workflows/_build_artifacts.yml
@@ -4,14 +4,19 @@ on:
 workflow_call:
 inputs:
 image_suffix:
+ description: "The suffix to append to the image name to prevent SHA conflicts"
 required: false
 type: string
- default: null
 sha:
 required: false
 type: string
 default: ${{ github.sha }}
 profile:
+ description: "The Rust profile to build data plane components with"
+ required: true
+ type: string
+ stage:
+ description: "The stage of the data plane component images to build"
 required: true
 type: string
@@ -28,7 +33,7 @@ permissions:
 jobs:
 update-release-draft:
- if: inputs.profile == 'release'
+ if: inputs.profile == 'release' && inputs.stage == 'release'
 runs-on: ubuntu-22.04
 concurrency:
 group: "staging-draft-release-${{ github.workflow }}-${{ github.ref }}"
@@ -96,7 +101,7 @@ jobs:
 uses: docker/metadata-action@v5
 with:
 images:
- ${{ steps.login.outputs.registry }}/firezone/${{matrix.image_name }}${{ inputs.image_suffix }}
+ ${{ steps.login.outputs.registry }}/firezone/${{matrix.image_name }}
 tags: |
 type=raw,value=${{ inputs.sha }}
 type=raw,value=${{ env.VERSION }}-${{ inputs.sha }}
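Review bot: The new `stage` input in the first hunk is a free-form string whose allowed values are never stated, yet later hunks in this file use it as the release gate (`inputs.stage == 'release'`) and as the Docker build `target:`. A misspelled value would make the release-draft job and the asset upload skip silently instead of failing at the call site. I would name the accepted values in the description, e.g. `description: "The stage of the data plane component images to build ('debug' or 'release')"`; those are the only two values passed in this commit. The `sha` input here and the `stage`/`profile` inputs in ci.yml have no `description:` at all and would benefit from one.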
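Review bot: Dropping `${{ inputs.image_suffix }}` from `images:` in the third hunk, and from the `tags:` and cache refs in the following hunk (the `context: elixir` build), means every invocation of this workflow now pushes to the same repository and the same tags. ci.yml in this commit calls the workflow three times for a pull request, once with `sha: ${{ github.event.pull_request.base.sha }}`, so the mutable `${{ env.VERSION }}` and `${{ env.CACHE_TAG }}` tags could end up pointing at whichever run finished last. Whether this job checks out `inputs.sha` is not visible in the hunk, so that is inferred. If these images are meant to be identical across the calls, a comment above `images:` should say so, e.g. `# image_suffix is intentionally not applied: these images do not depend on profile/stage`; otherwise downstream jobs should pull by digest or by the `inputs.sha` tag only.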
@@ -114,16 +119,16 @@ jobs:
 target: ${{ matrix.target }}
 context: elixir
 cache-from: |
- type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.image_name }}${{ inputs.image_suffix }}:${{ env.CACHE_TAG }}
- type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.image_name }}${{ inputs.image_suffix }}:main
+ type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.image_name }}:${{ env.CACHE_TAG }}
+ type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.image_name }}:main
 cache-to: |
- type=registry,ref=${{steps.login.outputs.registry}}/cache/${{ matrix.image_name}}${{ inputs.image_suffix }}:${{ env.CACHE_TAG }},mode=max
+ type=registry,ref=${{steps.login.outputs.registry}}/cache/${{ matrix.image_name}}:${{ env.CACHE_TAG }},mode=max
 push: true
 tags: |
- ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}${{ inputs.image_suffix }}:${{ inputs.sha }}
- ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}${{ inputs.image_suffix }}:${{ env.VERSION }}-${{ inputs.sha }}
- ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}${{ inputs.image_suffix }}:${{ env.VERSION }}
- ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}${{ inputs.image_suffix }}:${{ env.CACHE_TAG }}
+ ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ inputs.sha }}
+ ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.VERSION }}-${{ inputs.sha }}
+ ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.VERSION }}
+ ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.CACHE_TAG }}
 data-plane:
 # Runs the job after update-release-draft, regardless of the outcome
@@ -192,7 +197,7 @@ jobs:
 # Used for Docker images
 cp target/${{ matrix.arch.target }}/${{ inputs.profile }}/${{ matrix.name.package }} ${{ matrix.name.package }}
 - name: Upload Release Assets
- if: ${{ inputs.profile == 'release' && (matrix.name.image_name == 'gateway' || matrix.name.image_name == 'client') }}
+ if: ${{ inputs.profile == 'release' && inputs.stage == 'release' && (matrix.name.image_name == 'gateway' || matrix.name.image_name == 'client') }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
@@ -255,11 +260,11 @@ jobs:
 TARGET=${{ matrix.arch.target }}
 context: rust
 cache-from: |
- type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.image_name }}${{ inputs.image_suffix }}:${{ env.CACHE_TAG }}
- type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.image_name }}${{ inputs.image_suffix }}:main
+ type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.image_name }}:${{ env.CACHE_TAG }}
+ type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.image_name }}:main
 cache-to: |
- type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.image_name }}${{ inputs.image_suffix }}:${{ env.CACHE_TAG }},mode=max
- target: ${{ inputs.profile }}
+ type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.image_name }}:${{ env.CACHE_TAG }},mode=max
+ target: ${{ inputs.stage }}
 outputs: type=image,name=${{ steps.login.outputs.registry }}/firezone/${{ matrix.name.image_name }}${{ inputs.image_suffix }},push-by-digest=true,name-canonical=true,push=true
 - name: Export digest
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 79ef706fc..577e9e10b 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -24,6 +24,7 @@ jobs:
 secrets: inherit
 with:
 profile: "release"
+ stage: "release"
 deploy-staging:
 if: ${{ github.event_name == 'workflow_dispatch' && inputs.deploy-staging }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 336863ad6..18cfa3ea6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,9 +5,11 @@ on:
 types: [checks_requested]
 workflow_call:
 inputs:
+ stage:
+ required: true
+ type: string
 profile:
- required: false
- default: 'debug'
+ required: true
 type: string
 # Cancel old workflow runs if new code is pushed
@@ -44,6 +46,27 @@ jobs:
 secrets: inherit
 with:
 profile: ${{ inputs.profile || 'debug' }}
+ stage: ${{ inputs.stage || 'debug' }}
+
+ build-base-perf-artifacts:
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: ./.github/workflows/_build_artifacts.yml
+ secrets: inherit
+ with:
+ sha: ${{ github.event.pull_request.base.sha }}
+ image_suffix: '-perf'
+ profile: 'release'
+ stage: 'debug'
+
+ build-head-perf-artifacts:
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: ./.github/workflows/_build_artifacts.yml
+ secrets: inherit
+ with:
+ sha: ${{ github.sha }}
+ image_suffix: '-perf'
+ profile: 'release'
+ stage: 'debug'
 integration-tests:
 uses: ./.github/workflows/_integration_tests.yml
@@ -95,24 +118,6 @@ jobs:
 # client will be published then.
 # client_tag: "latest"
- build-base-perf-artifacts:
- if: ${{ github.event_name == 'pull_request' }}
- uses: ./.github/workflows/_build_artifacts.yml
- secrets: inherit
- with:
- sha: ${{ github.event.pull_request.base.sha }}
- image_suffix: '-perf'
- profile: 'debug'
-
- build-head-perf-artifacts:
- if: ${{ github.event_name == 'pull_request' }}
- uses: ./.github/workflows/_build_artifacts.yml
- secrets: inherit
- with:
- sha: ${{ github.sha }}
- image_suffix: '-perf'
- profile: 'debug'
-
 perf-tests:
 # Only the debug images have perf tooling
 if: ${{ github.event_name == 'pull_request' }}
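Review bot: The two perf jobs added in the second hunk run on `pull_request` with `secrets: inherit`, which hands every secret available to this workflow to `_build_artifacts.yml` while it builds pull-request code in the release profile and pushes images. The setting is carried over from the block removed in the last hunk, but relocating the jobs is a good moment to narrow it. I would declare the secrets the reusable workflow needs under its `on.workflow_call.secrets` and pass them by name, replacing `secrets: inherit` with a `secrets:` mapping such as `REGISTRY_CREDENTIALS: ${{ secrets.REGISTRY_CREDENTIALS }}` (placeholder name; the real secret names are not visible in this diff). The same applies to the existing build job whose `with:` block this hunk extends.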