diff --git a/.github/scripts/acquire-build-image b/.github/scripts/acquire-build-image
index ec2ed027b1120d010a3046136ec917cd2c362fdd..4c18b90ca1aa58cd699a21772eea0366233e31f6 100755
--- a/.github/scripts/acquire-build-image
+++ b/.github/scripts/acquire-build-image
@@ -64,8 +64,8 @@ class Context:
 image_tag = get_cmd_output("./docker-image-hash", cwd=script_path)[1]
 allow_local_build = os.getenv("ALLOW_LOCAL_BUILD") != "false"
 github_actions = os.getenv("GITHUB_ACTIONS") == "true"
- encrypted_docker_password = os.getenv("ENCRYPTED_DOCKER_PASSWORD")
- docker_passphrase = os.getenv("DOCKER_LOGIN_TOKEN_PASSPHRASE")
+ encrypted_docker_password = os.getenv("ENCRYPTED_DOCKER_PASSWORD") or None
+ docker_passphrase = os.getenv("DOCKER_LOGIN_TOKEN_PASSPHRASE") or None

 print(f"Start path: {start_path}")
 print(f"Script path: {script_path}")
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 196c7544ee3924d6f0cd6a059746d0d054fa7103..cfc90420826ca378d8466fb1b6a9787f91439061 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
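Review bot: The `or None` appended to `encrypted_docker_password` and `docker_passphrase` changes the contract of both fields (an empty string now becomes None) but carries no comment saying why, so a later reader will be tempted to "simplify" it back to the plain `os.getenv` call. Presumably the motivation is that the workflow forwards an unset secret or job output as an empty string rather than leaving the variable undefined, so the later presence checks need a single sentinel; if that is the case, a one-line comment above the pair such as `# An unset secret/output arrives as "", not as a missing variable; collapse both to None so presence checks stay simple.` would pin the intent. If the downstream code only ever tests truthiness, the change is redundant and worth saying so instead. The enclosing `class Context` body starts and ends outside this hunk.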
@@ -19,40 +19,51 @@ env: ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci jobs: - # Rebuild and upload the Docker build image - rebuild-docker-build-image: + # Build and upload the Docker build image if necessary + acquire-base-image: runs-on: smithy_ubuntu-latest_8-core - name: Rebuild image + name: Acquire Base Image + outputs: + docker-login-password: ${{ steps.set-token.outputs.docker-login-password }} permissions: id-token: write contents: read steps: - name: Checkout uses: actions/checkout@v3 - - name: Build image - run: | - IMAGE_TAG="$(./.github/scripts/docker-image-hash)" - cd tools/ci-build - docker build \ - -t "${{ env.ecr_repository }}:${IMAGE_TAG}" \ - -t "${{ env.ecr_repository }}:main" \ - . - name: Acquire credentials uses: aws-actions/configure-aws-credentials@v1-node16 with: role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} role-session-name: GitHubActions aws-region: us-west-2 - - name: Upload image + - name: Save the docker login password to the output + id: set-token + run: | + ENCRYPTED_PAYLOAD=$( + gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0 + ) + echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT + - name: Acquire base image + id: acquire + env: + DOCKER_BUILDKIT: 1 + ENCRYPTED_DOCKER_PASSWORD: ${{ steps.set-token.outputs.docker-login-password }} + DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} + run: ./.github/scripts/acquire-build-image + - name: Tag and upload image run: | IMAGE_TAG="$(./.github/scripts/docker-image-hash)" - aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws + docker tag "${{ env.ecr_repository }}:${IMAGE_TAG}" "${{ env.ecr_repository }}:main" docker push "${{ env.ecr_repository }}:${IMAGE_TAG}" docker push "${{ env.ecr_repository }}:main" # Run the shared CI 
after a Docker build image has been uploaded to ECR ci: - needs: rebuild-docker-build-image + needs: acquire-base-image uses: ./.github/workflows/ci.yml with: run_sdk_examples: true + secrets: + ENCRYPTED_DOCKER_PASSWORD: ${{ needs.acquire-base-image.outputs.docker-login-password }} + DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml index c1b55a2584290f5ddac8a55bc364a14e47d7fa80..374d23a9b4a3fdd8c9ee60cf431d35c99dafea01 100644 --- a/.github/workflows/ci-pr.yml +++ b/.github/workflows/ci-pr.yml @@ -20,13 +20,14 @@ jobs: # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h. # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE save-docker-login-token: + name: Save a docker login token + if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }} outputs: docker-login-password: ${{ steps.set-token.outputs.docker-login-password }} permissions: id-token: write contents: read continue-on-error: true - name: Save a docker login token runs-on: ubuntu-latest steps: - name: Attempt to load a docker login password
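Review bot: In the new `Save the docker login password to the output` step the ECR login password is produced by process substitution, `<(aws ecr-public get-login-password ...)`, so a failure of that command is never observed: gpg happily encrypts an empty input, `base64` succeeds, and the job publishes a well-formed but useless `docker-login-password` output that only fails much later in the consuming job. The same command line also places the passphrase on gpg's argument list via `--passphrase "${{ secrets... }}"`, where it is readable by any other process on the runner for the duration of the call and is interpolated straight into the shell script rather than passed through `env:` as the following `Acquire base image` step already does. Switching to a plain pipeline with `pipefail` enabled and handing the passphrase to gpg over a dedicated file descriptor fixes both; note that without an explicit `shell: bash` the default `run` shell does not enable `pipefail`, so `set -o pipefail` must be stated. Quoting `"$GITHUB_OUTPUT"` on the final line is a small additional hardening.
```yaml
      - name: Save the docker login password to the output
        id: set-token
        env:
          DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
        run: |
          set -euo pipefail
          # Pipeline (not process substitution) so a failed get-login-password fails the step;
          # passphrase is read from fd 3 so it never appears in gpg's argument list.
          ENCRYPTED_PAYLOAD=$(
            aws ecr-public get-login-password --region us-east-1 \
              | gpg --symmetric --batch --passphrase-fd 3 --output - 3<<<"$DOCKER_LOGIN_TOKEN_PASSPHRASE" \
              | base64 -w0
          )
          echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> "$GITHUB_OUTPUT"
      # … unchanged: Acquire base image, Tag and upload image steps …
```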
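Review bot: The new `if:` on `save-docker-login-token` hard-codes the repository as `'awslabs/smithy-rs'`, so the job silently stops running the moment the repository is renamed, transferred, or the workflow is reused in a fork's own CI; comparing against the context instead, `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}`, expresses the actual intent (same-repo branch, not a fork) without the literal. The condition also deserves a comment stating why it exists, e.g. `# Pull requests from forks cannot read repository secrets, so skip rather than fail here.`, since the surrounding comment block only describes the encryption scheme. When the job is skipped its `docker-login-password` output is empty, and any job that `needs` it will itself be skipped unless it carries an `if: always()`-style condition; the consumer is not visible in this hunk, so that is worth confirming.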