diff --git a/.github/workflows/_build_image.yml b/.github/workflows/_build_image.yml
index dc2c523d..d0bbc758 100644
--- a/.github/workflows/_build_image.yml
+++ b/.github/workflows/_build_image.yml
@@ -25,6 +25,9 @@ on:
       test_toolchain:
         type: boolean
         default: false
+      upload_ubuntu_image:
+        type: boolean
+        default: false
 
       host_platform:
         type: string
@@ -51,6 +54,10 @@ jobs:
       if: ${{ inputs.os_family != 'windows' }}
     - name: 'Checkout repository'
       uses: actions/checkout@v3
+    - uses: envoyproxy/toolshed/gh-actions/docker/registry@actions-v0.0.18
+      if: ${{ inputs.os_family != 'windows' }}
+      # (inputs.test_toolchain || inputs.upload_ubuntu_image) &&
+      name: 'Start Docker registry'
     - run: |
         CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker")
         echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT"
@@ -71,6 +78,7 @@ jobs:
         if [[ "${{inputs.os_family }}" == "windows" ]]; then
             export PATH="${PROGRAMFILES}/google-cloud-sdk/bin:${PATH}"
         fi
+        docker ps -a
         cd docker
         ./push.sh
       name: Build (${{ inputs.image_prefix }}${{ inputs.distro }}@${{ steps.container.outputs.tag }})
@@ -92,11 +100,6 @@ jobs:
       with:
         go-version: ${{ inputs.go_version }}
         cache: false
-    - uses: envoyproxy/toolshed/gh-actions/docker/registry@actions-v0.0.18
-      if: ${{ inputs.test_toolchain && inputs.os_family != 'windows' }}
-      name: 'Start and load Docker registry'
-      with:
-        load: envoyproxy/envoy-build-ubuntu:${{ steps.container.outputs.tag }}
     - uses: envoyproxy/toolshed/gh-actions/docker/registry@actions-v0.0.18
       if: ${{ inputs.test_toolchain && inputs.os_family == 'windows' }}
       name: 'Start and load Docker registry (Windows)'
@@ -112,3 +115,15 @@ jobs:
         SOURCE_BRANCH: ${{ github.ref }}
         NO_PULL_IMAGE: true
         DOCKER_IMAGE: localhost:5000/envoy-build-${{ inputs.distro }}
+    - run: |
+        sudo mkdir -p /mnt/cache
+        sudo mount -t tmpfs none /mnt/cache
+        docker save envoyproxy/envoy-build-ubuntu:${{ steps.container.outputs.tag }}-multi \
+            | zstd - -q -T0 -o /mnt/cache/envoy-build-ubuntu-${{ steps.container.outputs.tag }}.tar.zst
+      if: ${{ inputs.upload_ubuntu_image }}
+      shell: bash
+    - uses: actions/upload-artifact@v3
+      if: ${{ inputs.upload_ubuntu_image }}
+      with:
+        name: envoy-build-ubuntu-${{ steps.container.outputs.tag }}
+        path: /mnt/cache/envoy-build-ubuntu-${{ steps.container.outputs.tag }}.tar.zst
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5573a4d1..d7ba87c8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,6 +46,7 @@ jobs:
       os_family: ${{ matrix.os_family != '' && matrix.os_family || 'linux' }}
       host_platform: ${{ matrix.host_platform != '' && matrix.host_platform || 'ubuntu-22.04' }}
       test_toolchain: ${{ github.event_name == 'pull_request' && matrix.target != 'centos' }}
+      upload_ubuntu_image: ${{ github.event_name == 'pull_request' && matrix.target == 'ubuntu' }}
     secrets:
       dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
       dockerhub_password: ${{ secrets.DOCKERHUB_PASSWORD }}
diff --git a/docker/linux/build.sh b/docker/linux/build.sh
index 1d9f0f2c..a3d5d9e1 100755
--- a/docker/linux/build.sh
+++ b/docker/linux/build.sh
@@ -12,7 +12,11 @@ config_env() {
 
     # Remove older build instance
     docker buildx rm envoy-build-tools-builder &> /dev/null || :
-    docker buildx create --use --name envoy-build-tools-builder --platform "${BUILD_TOOLS_PLATFORMS}"
+    docker buildx create \
+           --use \
+           --name envoy-build-tools-builder \
+           --driver-opt network=host \
+           --platform "${BUILD_TOOLS_PLATFORMS}"
 }
 
 [[ -z "${OS_DISTRO}" ]] && OS_DISTRO="ubuntu"
@@ -26,8 +30,6 @@ if [[ -z "${BUILD_TOOLS_PLATFORMS}" ]]; then
     fi
 fi
 
-ci_log_run config_env
-
 # TODO(phlax): add (json) build images config
 build_and_push_variants () {
     if [[ "${OS_DISTRO}" != "ubuntu" ]]; then
@@ -57,8 +59,12 @@ build_and_push_variants () {
     done
 }
 
+ci_log_run config_env
+
 ci_log_run docker buildx build . -f "${OS_DISTRO}/Dockerfile" -t "${IMAGE_NAME}:${CONTAINER_TAG}" --target full --platform "${BUILD_TOOLS_PLATFORMS}"
 
+docker ps -a
+
 if [[ -z "${NO_BUILD_VARIANTS}" ]]; then
     # variants are only pushed for the dockerhub image (not other `IMAGE_TAGS`)
     build_and_push_variants
@@ -70,6 +76,22 @@ if [[ -n "${IMAGE_TAGS}" ]]; then
 fi
 
 if [[ "$LOAD_IMAGE" == "true" ]]; then
-    # Testing after push to save CI time because this invalidates arm64 cache
-    ci_log_run docker buildx build . -f "${OS_DISTRO}/Dockerfile" -t "${IMAGE_NAME}:${CONTAINER_TAG}" --platform "linux/amd64" --load
+
+    docker ps -a
+
+    ci_log_run docker buildx build . \
+               --push \
+               -f "${OS_DISTRO}/Dockerfile" \
+               -t "localhost:5000/${IMAGE_NAME}:${CONTAINER_TAG}" \
+               --platform "linux/amd64"
+    ci_log_run docker buildx build . \
+               --push \
+               -f "${OS_DISTRO}/Dockerfile" \
+               -t "localhost:5000/${IMAGE_NAME}:${CONTAINER_TAG}-arm64" \
+               --platform "linux/arm64"
+    ci_log_run docker manifest create \
+               "envoyproxy/envoy-build-ubuntu:${CONTAINER_TAG}-multi" \
+               "envoyproxy/envoy-build-ubuntu:${CONTAINER_TAG}" \
+               "envoyproxy/envoy-build-ubuntu:${CONTAINER_TAG}-arm64"
+
 fi