diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml
new file mode 100644
index 0000000000..6e8e5ba3f5
--- /dev/null
+++ b/.github/workflows/build-publish-develop.yml
@@ -0,0 +1,68 @@
+name: "Push develop to private ECR"
+
+on:
+  push:
+    branches:
+      - ccip-develop
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: "Git ref (commit SHA, branch name, tag name, etc.) to checkout"
+        required: true
+env:
+  GIT_REF: ${{ github.event.inputs.git_ref || github.ref }}
+
+jobs:
+  push-ccip-develop:
+    runs-on: ubuntu-20.04
+    environment: build-develop
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      matrix:
+        image:
+          - name: ""
+            dockerfile: core/chainlink.Dockerfile
+            tag-suffix: ""
+          - name: (plugins)
+            dockerfile: plugins/chainlink.Dockerfile
+            tag-suffix: -plugins
+    name: push-ccip-develop ${{ matrix.image.name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ env.GIT_REF }}
+      # When this is ran from manual workflow_dispatch, the github.sha may be
+      # different than the checked out commit sha. The core build uses this
+      # commit sha as build metadata, so we need to make sure it's correct.
+      - name: Get checked out git ref
+        if: github.event.inputs.git_ref
+        id: git-ref
+        run: echo "checked-out=$(git rev-parse HEAD)" | tee -a "${GITHUB_OUTPUT}"
+      - name: Build, sign and publish ccip image
+        uses: ./.github/actions/build-sign-publish-chainlink
+        with:
+          publish: true
+          aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
+          aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          ecr-hostname: ${{ secrets.AWS_DEVELOP_ECR_HOSTNAME }}
+          ecr-image-name: ccip-develop
+          ecr-tag-suffix: ${{ matrix.image.tag-suffix }}
+          dockerfile: ${{ matrix.image.dockerfile }}
+          dockerhub_username: ${{ secrets.DOCKER_READONLY_USERNAME }}
+          dockerhub_password: ${{ secrets.DOCKER_READONLY_PASSWORD }}
+          git-commit-sha: ${{ steps.git-ref.outputs.checked-out || github.sha }}
+
+      - name: Collect Metrics
+        if: always()
+        id: collect-gha-metrics
+        uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
+        with:
+          org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
+          basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
+          hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
+          this-job-name: push-ccip-develop ${{ matrix.image.name }}
+        continue-on-error: true
diff --git a/.github/workflows/build-publish-pr.yml b/.github/workflows/build-publish-pr.yml
new file mode 100644
index 0000000000..fd62739376
--- /dev/null
+++ b/.github/workflows/build-publish-pr.yml
@@ -0,0 +1,66 @@
+name: "Build and Publish from PR"
+
+##
+# This workflow builds and publishes a Docker image for Chainlink from a PR.
+# It has its own special IAM role, does not sign the image, and publishes to
+# a special ECR repo.
+##
+
+on:
+  pull_request:
+
+jobs:
+  build-publish-untrusted:
+    if: ${{ ! startsWith(github.ref_name, 'release/') || (! startsWith(github.head_ref, 'release/') && ! startsWith(github.ref_name, 'chore/'))}}
+    runs-on: ubuntu-20.04
+    environment: sdlc
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      ECR_IMAGE_NAME: crib-ccip-untrusted
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Git Short SHA
+        shell: bash
+        env:
+          GIT_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          echo "GIT_SHORT_SHA=${GIT_PR_HEAD_SHA:0:7}" | tee -a "$GITHUB_ENV"
+
+      - name: Check if image exists
+        id: check-image
+        uses: smartcontractkit/chainlink-github-actions/docker/image-exists@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25
+        with:
+          repository: ${{ env.ECR_IMAGE_NAME}}
+          tag: sha-${{ env.GIT_SHORT_SHA }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }}
+
+      - name: Build and publish chainlink image
+        if: steps.check-image.outputs.exists == 'false'
+        uses: ./.github/actions/build-sign-publish-chainlink
+        with:
+          publish: true
+          aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }}
+          aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS_DEFAULT }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          sign-images: false
+          ecr-hostname: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}
+          ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
+          dockerhub_username: ${{ secrets.DOCKER_READONLY_USERNAME }}
+          dockerhub_password: ${{ secrets.DOCKER_READONLY_PASSWORD }}
+
+      - name: Collect Metrics
+        if: always()
+        id: collect-gha-metrics
+        uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
+        with:
+          id: build-chainlink-pr
+          org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
+          basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
+          hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
+          this-job-name: build-publish-untrusted
+        continue-on-error: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000000..b82b5a8203
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,52 @@
+name: "Build Chainlink"
+
+on:
+  pull_request:
+
+jobs:
+  build-chainlink:
+    runs-on: ubuntu-20.04
+    if: ${{ ! startsWith(github.head_ref, 'release/') && ! startsWith(github.ref_name, 'chore/') }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: change
+        with:
+          predicate-quantifier: every
+          filters: |
+            changelog-only:
+              - 'CHANGELOG.md'
+              - '!common/**'
+              - '!contracts/**'
+              - '!core/**'
+              - '!crib/**'
+              - '!dashboard-lib/**'
+              - '!fuzz/**'
+              - '!integration-tests/**'
+              - '!internal/**'
+              - '!operator_ui/**'
+              - '!plugins/**'
+              - '!tools/**'
+
+      - name: Build chainlink image
+        if: ${{ steps.change.outputs.changelog-only == 'false' }}
+        uses: ./.github/actions/build-sign-publish-chainlink
+        with:
+          dockerhub_username: ${{ secrets.DOCKER_READONLY_USERNAME }}
+          dockerhub_password: ${{ secrets.DOCKER_READONLY_PASSWORD }}
+          publish: false
+          sign-images: false
+
+      - name: Collect Metrics
+        if: always()
+        id: collect-gha-metrics
+        uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
+        with:
+          id: build-chainlink
+          org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
+          basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
+          hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
+          this-job-name: build-chainlink
+        continue-on-error: true