diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index e055fcd085..6bf3476cdb 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -7,6 +7,9 @@ on: version: description: 'The version of the published package' value: '${{ jobs.publish-bundle.outputs.version }}' + image-uri: + description: 'The URI of the built sandbox image.' + value: '${{ jobs.build-and-publish-sandbox.outputs.image-uri }}' jobs: publish-bundle: @@ -61,3 +64,51 @@ jobs: else npm publish --tag="ci" fi + + build-and-publish-sandbox: + name: 'Build and Publish Sandbox' + runs-on: 'ubuntu-latest' + needs: 'publish-bundle' + outputs: + image-uri: '${{ steps.docker_build.outputs.uri }}' + permissions: + contents: 'read' + packages: 'write' + steps: + - name: 'Checkout' + uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 + with: + ref: '${{ github.event.inputs.branch_ref || github.ref }}' + fetch-depth: 0 + + - name: 'Set up Node.js' + uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4.4.0 + with: + node-version-file: '.nvmrc' + cache: 'npm' + + - name: 'Setup NPMRC' + uses: './.github/actions/setup-npmrc' + with: + github-token: '${{ secrets.GITHUB_TOKEN }}' + + - name: 'Install Published CLI' + run: 'npm install @google/gemini-cli@${{ needs.publish-bundle.outputs.version }}' + + - name: 'Log in to GitHub Container Registry' + uses: 'docker/login-action@v3' + with: + registry: 'ghcr.io' + username: '${{ github.repository_owner }}' + password: '${{ secrets.GITHUB_TOKEN }}' + + - name: 'Set up Docker Buildx' + uses: 'docker/setup-buildx-action@v3' + + - name: 'Build and Push Sandbox Image' + id: 'docker_build' + shell: 'bash' + run: | + IMAGE_TAG="ghcr.io/${{ github.repository }}/sandbox:${{ needs.publish-bundle.outputs.version }}" + node scripts/build_sandbox.js --image "${IMAGE_TAG}" + docker push "${IMAGE_TAG}" 
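Review bot: The new `image-uri` workflow output in the first hunk will resolve to an empty string, because it chains to `steps.docker_build.outputs.uri` and the `docker_build` step added in the second hunk of this file never writes a `uri` key to `$GITHUB_OUTPUT`. The deleted build-sandbox.yml did this with `echo "uri=$(cat final_image_uri.txt)" >> "$GITHUB_OUTPUT"`; the new step needs an equivalent, for example `echo "uri=${IMAGE_TAG}" >> "${GITHUB_OUTPUT}"` after the `docker push`. Without it the `e2e` job in orchestrator.yml, which now reads `needs.build-and-publish.outputs.image-uri`, receives an empty value. Whether it then fails or quietly tests a different image depends on e2e.yml, which is not shown here.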
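Review bot: `docker/login-action@v3` and `docker/setup-buildx-action@v3` are referenced by a mutable tag in a job that holds `packages: 'write'` and hands `secrets.GITHUB_TOKEN` to the login step, while `actions/checkout` and `actions/setup-node` in the same job are pinned to a commit SHA with a `# ratchet:` comment. A retagged `v3` would run with registry push rights, so pin both the same way, e.g. `uses: 'docker/login-action@<full-commit-sha>' # ratchet:docker/login-action@v3` (the SHA here is a placeholder to be resolved with ratchet). Separately, `${{ needs.publish-bundle.outputs.version }}` is expanded straight into both `run:` scripts. Passing it through `env:` and referencing it as `"${VERSION}"` keeps a malformed version string from being parsed as shell.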
diff --git a/.github/workflows/build-sandbox.yml b/.github/workflows/build-sandbox.yml
deleted file mode 100644
index 1fbc5197a4..0000000000
--- a/.github/workflows/build-sandbox.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -name: 'Build Sandbox Image' - -on: - workflow_call: - inputs: - github-actor: - description: 'Github actor' - required: true - type: 'string' - github-secret: - description: 'Github secret' - required: true - type: 'string' - github-sha: - description: 'Github Commit SHA Hash' - required: true - type: 'string' - github-ref-name: - description: 'Github ref name' - required: true - type: 'string' - dry-run: - description: 'Whether this is a dry run.' - required: true - type: 'boolean' - npm-registry-scope: - description: 'NPM registry scope' - required: true - type: 'string' - npm-registry-url: - description: 'NPM registry URL' - required: true - type: 'string' - cli-package-name: - description: 'The name of the cli package.' - required: true - type: 'string' - outputs: - image-uri: - description: 'The URI of the built sandbox image.' - value: '${{ jobs.build-and-push.outputs.image-uri }}' - -jobs: - build-and-push: - runs-on: 'ubuntu-latest' - outputs: - image-uri: '${{ steps.docker_build.outputs.uri }}' - steps: - - name: '📝 Print Inputs' - shell: 'bash' - env: - JSON_INPUTS: '${{ toJSON(inputs) }}' - run: 'echo "$JSON_INPUTS"' - - name: 'Checkout' - uses: 'actions/checkout@v4' - with: - ref: '${{ inputs.github-sha }}' - fetch-depth: 0 - - name: 'Install Dependencies' - shell: 'bash' - run: 'npm install' - - name: 'Set up Docker Buildx' - uses: 'docker/setup-buildx-action@v3' - - name: 'Log in to GitHub Container Registry' - uses: 'docker/login-action@v3' - with: - registry: 'ghcr.io' - username: '${{ inputs.github-actor }}' - password: '${{ inputs.github-secret }}' - - name: 'determine image tag' - id: 'image_tag' - shell: 'bash' - run: |- - SHELL_TAG_NAME="${{ inputs.github-ref-name }}" - FINAL_TAG="${{ inputs.github-sha }}" - if [[ "$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then - echo "Release detected." - FINAL_TAG="${SHELL_TAG_NAME#v}" - else - echo "Development release detected. Using commit SHA as tag." 
- fi - echo "Determined image tag: $FINAL_TAG" - echo "FINAL_TAG=$FINAL_TAG" >> "$GITHUB_OUTPUT" - - name: 'build' - id: 'docker_build' - shell: 'bash' - env: - GEMINI_SANDBOX_IMAGE_TAG: '${{ steps.image_tag.outputs.FINAL_TAG }}' - GEMINI_SANDBOX: 'docker' - NPM_REGISTRY_SCOPE: '${{ inputs.npm-registry-scope }}' - NPM_REGISTRY_URL: '${{ inputs.npm-registry-url }}' - CLI_PACKAGE_NAME: '${{ inputs.cli-package-name }}' - GITHUB_TOKEN: '${{ inputs.github-secret }}' - run: |- - node scripts/build_sandbox.js \ - --image ghcr.io/${{ github.repository }}/cli-sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \ - --output-file final_image_uri.txt - echo "uri=$(cat final_image_uri.txt)" >> "$GITHUB_OUTPUT" - - name: 'publish' - shell: 'bash' - if: "${{ inputs.dry-run != 'true' }}" - run: |- - docker push "${{ steps.docker_build.outputs.uri }}" - - name: 'Create issue on failure' - if: |- - ${{ failure() }} - shell: 'bash' - env: - GITHUB_TOKEN: '${{ inputs.github-secret }}' - DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}' - run: |- - gh issue create \ - --title "Docker build failed" \ - --body "The docker build failed. See the full run for details: ${DETAILS_URL}" \ - --label "kind/bug,release-failure" diff --git a/.github/workflows/orchestrator.yml b/.github/workflows/orchestrator.yml index 1c5741eeae..cb0c9f9a55 100644 --- a/.github/workflows/orchestrator.yml +++ b/.github/workflows/orchestrator.yml 
@@ -53,28 +53,14 @@ jobs: - id: 'get-vars' run: 'echo ''cli-package-name=''''${{ vars.CLI_PACKAGE_NAME }}'''''' >> "$GITHUB_OUTPUT"' - build-sandbox: - name: 'Build Sandbox Image' - needs: 'lint' - uses: './.github/workflows/build-sandbox.yml' - with: - github-actor: '${{ github.actor }}' - github-secret: '${{ github.token }}' - github-sha: '${{ github.sha }}' - github-ref-name: '${{ github.ref_name }}' - dry-run: false - npm-registry-scope: '${{ vars.NPM_REGISTRY_SCOPE }}' - npm-registry-url: '${{ vars.NPM_REGISTRY_URL }}' - cli-package-name: '${{ vars.CLI_PACKAGE_NAME }}' - e2e: name: 'E2E Checks' - needs: ['build-and-publish', 'get-vars', 'build-sandbox'] + needs: ['build-and-publish', 'get-vars'] uses: './.github/workflows/e2e.yml' with: version: '${{ needs.build-and-publish.outputs.version }}' cli-package-name: '${{ needs.get-vars.outputs.cli-package-name }}' - image-uri: '${{ needs.build-sandbox.outputs.image-uri }}' + image-uri: '${{ needs.build-and-publish.outputs.image-uri }}' secrets: GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}' diff --git a/.github/workflows/release-sandbox.yml b/.github/workflows/release-sandbox.yml deleted file mode 100644 index 4d35ee10dd..0000000000 --- a/.github/workflows/release-sandbox.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -name: 'Release Sandbox' - -on: - workflow_dispatch: - inputs: - ref: - description: 'The branch, tag, or SHA to release from.' - required: false - type: 'string' - default: 'main' - dry-run: - description: 'Whether this is a dry run.' - required: false - type: 'boolean' - default: true - -jobs: - build: - runs-on: 'ubuntu-latest' - permissions: - contents: 'read' - packages: 'write' - issues: 'write' - steps: - - name: 'Checkout' - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' - with: - ref: '${{ github.event.inputs.ref || github.sha }}' - fetch-depth: 0 - - name: 'Push' - uses: './.github/actions/push-docker' - with: - github-actor: '${{ github.actor }}' - github-secret: '${{ secrets.GITHUB_TOKEN }}' - github-sha: '${{ github.sha }}' - ref-name: '${{github.event.inputs.ref}}' - - name: 'Create Issue on Failure' - if: '${{ failure() && github.event.inputs.dry-run == false }}' - env: - GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}' - run: | - gh issue create \ - --title 'Sandbox Release Failed on $(date +'%Y-%m-%d')' \ - --body 'The sandbox-release workflow failed. See the full run for details: ${DETAILS_URL}' \ - --label 'kind/bug,release-failure,priority/p0'