diff --git a/.gcp/release-docker.yaml b/.gcp/release-docker.yaml
new file mode 100644
index 0000000000..0d7ba07f24
--- /dev/null
+++ b/.gcp/release-docker.yaml
@@ -0,0 +1,36 @@
+steps:
+  # Step 1: Install root dependencies (includes workspaces)
+  - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+    id: 'Install Dependencies'
+    entrypoint: 'npm'
+    args: ['install']
+
+  # Step 4: Authenticate for Docker (so we can push images to the artifact registry)
+  - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+    id: 'Authenticate docker'
+    entrypoint: 'npm'
+    args: ['run', 'auth']
+
+  # Step 5: Build workspace packages
+  - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+    id: 'Build packages'
+    entrypoint: 'npm'
+    args: ['run', 'build:packages']
+
+  # Step 6: Build sandbox container image
+  - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+    id: 'Build sandbox Docker image'
+    entrypoint: 'npm'
+    args: ['run', 'build:sandbox:fast']
+
+  # Step 7: Publish sandbox container image
+  - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+    id: 'Publish sandbox Docker image'
+    entrypoint: 'npm'
+    args: ['run', 'publish:sandbox']
+    env:
+      - 'GEMINI_SANDBOX_IMAGE_TAG=$SHORT_SHA'
+
+options:
+  defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET
+  dynamicSubstitutions: true
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f62a3f1259..4fc1abd389 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,11 +58,11 @@ jobs:
           workload_identity_provider: 'projects/48735766119/locations/global/workloadIdentityPools/github/providers/github-actions-provider'
           service_account: 'gh-actions-service-account@gemini-code-dev.iam.gserviceaccount.com'
 
-      - name: Configure Docker
-        run: gcloud auth configure-docker us-west1-docker.pkg.dev
+      # - name: Configure Docker
+      #   run: gcloud auth configure-docker us-west1-docker.pkg.dev
 
-      - name: Login to Artifact Registry
-        run: docker login -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://us-west1-docker.pkg.dev
+      # - name: Login to Artifact Registry
+      #   run: docker login -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://us-west1-docker.pkg.dev
 
       - name: Set Release Version and Tag
         id: version
diff --git a/scripts/publish-sandbox.js b/scripts/publish-sandbox.js
index 1c2976a071..079874cec1 100644
--- a/scripts/publish-sandbox.js
+++ b/scripts/publish-sandbox.js
@@ -19,7 +19,11 @@
 
 import { execSync } from 'child_process';
 
-const { npm_package_config_sandboxImageUri, DOCKER_DRY_RUN } = process.env;
+const {
+  npm_package_config_sandboxImageUri,
+  DOCKER_DRY_RUN,
+  GEMINI_SANDBOX_IMAGE_TAG,
+} = process.env;
 
 if (!npm_package_config_sandboxImageUri) {
   console.error(
@@ -28,7 +32,12 @@ if (!npm_package_config_sandboxImageUri) {
   process.exit(1);
 }
 
-const imageUri = npm_package_config_sandboxImageUri;
+let imageUri = npm_package_config_sandboxImageUri;
+
+if (GEMINI_SANDBOX_IMAGE_TAG) {
+  const [baseUri] = imageUri.split(':');
+  imageUri = `${baseUri}:${GEMINI_SANDBOX_IMAGE_TAG}`;
+}
 
 if (DOCKER_DRY_RUN) {
   console.log(`DRY RUN: Would execute: docker push "${imageUri}"`);