diff --git a/.circleci/config.yml b/.circleci/config.yml
index 889a36ec..1fa03f74 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,10 +13,10 @@ commands:
   install_goreleaser_dependencies:
     description: Installs dependencies for CI scripts
     steps:
-    - run: apk update
-    # Register other docker platforms, to build arm64.
-    # This shouldn't be needed, why TBD.
-    - run: docker run --privileged --rm tonistiigi/binfmt --install all
+      - run: apk update
+      # Register other docker platforms, to build arm64.
+      # This shouldn't be needed, why TBD.
+      - run: docker run --privileged --rm tonistiigi/binfmt --install all
 
 references:
   set_environment_variables: &set_environment_variables
@@ -105,6 +105,26 @@ references:
         sha256sum vault_1.13.2_linux_amd64.zip | grep f7930279de8381de7c532164b4a4408895d9606c0d24e2e9d2f9acb5dfe99b3c
         unzip vault_1.13.2_linux_amd64.zip
         mv vault /usr/bin/vault
+  setup_qemu_binfmt: &setup_qemu_binfmt
+    run:
+      name: Setup QEMU for multi-arch Docker builds
+      command: |
+        sudo apt-get update -y
+        sudo apt-get install -y qemu-user-static binfmt-support
+        docker buildx create --use || true
+        docker buildx inspect --bootstrap
+  load_polaris_image_into_kind: &load_polaris_image_into_kind
+    run:
+      name: Load Polaris snapshot image into Kind
+      command: |
+        TAR="/tmp/workspace/docker_save/polaris_${CIRCLE_SHA1}.tar"
+        if [ -f "$TAR" ]; then
+          echo "Loading snapshot image from $TAR"
+          docker load -i "$TAR"
+          kind load docker-image "us-docker.pkg.dev/fairwinds-ops/oss/polaris:${CIRCLE_SHA1}"
+        else
+          echo "No snapshot tar (tag workflow); tests will pull the image from the registry."
+        fi
 jobs:
   test_k8s:
     working_directory: ~/polaris
@@ -113,7 +133,10 @@ jobs:
     steps:
       - checkout
       - *set_environment_variables
+      - attach_workspace:
+          at: /tmp/workspace
       - *install_k8s
+      - *load_polaris_image_into_kind
       - *test_k8s
 
   test:
@@ -126,7 +149,7 @@ jobs:
       - run: go test ./... -coverprofile=coverage.txt -covermode=count
       - *test_binary_dashboard
 
-  build_and_push:
+  release:
     working_directory: /go/src/github.com/fairwindsops/polaris/
     resource_class: large
     shell: /bin/bash
@@ -144,39 +167,112 @@ jobs:
       - rok8s/get_vault_env:
           vault_path: repo/polaris/env
       - *set_environment_variables
-      - run: docker login quay.io -u="${FAIRWINDS_QUAY_USER}" -p="${FAIRWINDS_QUAY_TOKEN}"
       - run:
           name: docker login Google Artifact Registry
           command: |
             docker login -u _json_key -p "$(echo $GCP_ARTIFACTREADWRITE_JSON_KEY | base64 -d)" us-docker.pkg.dev
       - install_goreleaser_dependencies
-      - run: scripts/goreleaser.sh
+      - run: echo 'export GORELEASER_CURRENT_TAG="${CIRCLE_TAG}"' >> $BASH_ENV
+      - run: goreleaser release --clean
+      - run: mkdir -p /tmp/workspace/docker_save && touch /tmp/workspace/docker_save/.release-workspace-marker
+      - persist_to_workspace:
+          root: /tmp/workspace
+          paths:
+            - docker_save
+
+  snapshot:
+    working_directory: /home/circleci/project
+    machine:
+      image: ubuntu-2204:current
+    resource_class: large
+    shell: /bin/bash
+    steps:
+      - checkout
+      - *setup_qemu_binfmt
+      - run:
+          name: goreleaser release (snapshot, local only)
+          environment:
+            GORELEASER_SKIP_RELEASE: "true"
+          command: |
+            set -euo pipefail
+            REPO_ROOT="${HOME}/project"
+            docker run --rm \
+              -v /var/run/docker.sock:/var/run/docker.sock \
+              -v "${REPO_ROOT}:/workspace" -w /workspace \
+              -e GORELEASER_SKIP_RELEASE=true \
+              -e CIRCLE_SHA1 \
+              -e CIRCLE_BRANCH \
+              -e CIRCLE_TAG \
+              --entrypoint sh \
+              goreleaser/goreleaser:v2.15.4 \
+              -c 'git config --global --add safe.directory /workspace && cd /workspace && goreleaser release --snapshot --clean --skip=sign,homebrew'
+      - run: mkdir -p /tmp/workspace/docker_save/
+      - run:
+          name: Tag and save amd64 image for Kind
+          command: |
+            set -euo pipefail
+            docker tag "us-docker.pkg.dev/fairwinds-ops/oss/polaris:${CIRCLE_SHA1}-amd64" "us-docker.pkg.dev/fairwinds-ops/oss/polaris:${CIRCLE_SHA1}"
+            docker save "us-docker.pkg.dev/fairwinds-ops/oss/polaris:${CIRCLE_SHA1}" -o "/tmp/workspace/docker_save/polaris_${CIRCLE_SHA1}.tar"
+      - persist_to_workspace:
+          root: /tmp/workspace
+          paths:
+            - docker_save
+      - store_artifacts:
+          path: dist
+          destination: snapshot
 
 workflows:
   version: 2
 
-  release:
+  branch:
+    jobs:
+      - test:
+          filters:
+            tags:
+              ignore: /.*/
+      - snapshot:
+          filters:
+            branches:
+              ignore: /pull\/[0-9]+/
+            tags:
+              ignore: /.*/
+      - test_k8s:
+          requires:
+            - snapshot
+          filters:
+            branches:
+              ignore: /pull\/[0-9]+/
+            tags:
+              ignore: /.*/
+
+  tag_release:
     jobs:
       - test:
           filters:
             tags:
               only: /.*/
-      - build_and_push:
+            branches:
+              ignore: /.*/
+      - release:
+          requires:
+            - test
           context: org-global
           filters:
             branches:
-              ignore: /pull\/[0-9]+/
+              ignore: /.*/
             tags:
               ignore: /^testing-.*/
       - test_k8s:
           requires:
-            - build_and_push
+            - release
           filters:
             branches:
-              ignore: /pull\/[0-9]+/
+              ignore: /.*/
             tags:
               ignore: /^testing-.*/
       - oss-docs/publish-docs:
+          requires:
+            - test_k8s
           repository: polaris
           filters:
             branches:
diff --git a/scripts/goreleaser.sh b/scripts/goreleaser.sh
deleted file mode 100755
index 078b0eaa..00000000
--- a/scripts/goreleaser.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env sh
-# Wrap goreleaser with branch/tag-specific env (see .goreleaser.yml templates)
-# and, on non-tag CI runs, a temporary git tag.
-
-cleanup() {
-  if [ "${CIRCLE_TAG}" == "" ] ; then
-    echo "${this_script} deleting git tag ${temporary_git_tag} for goreleaser"
-    unset GORELEASER_CURRENT_TAG
-    git tag -d ${temporary_git_tag}
-  fi
-}
-
-set -eE # errexit and errtrace
-trap 'cleanup' ERR
-this_script="$(basename $0)"
-hash goreleaser
-if [ "${TMPDIR}" == "" ] ; then
-  export TMPDIR="/tmp"
-  echo "${this_script} temporarily set the TMPDIR environment variable to ${TMPDIR}, used for a temporary GOBIN environment variable"
-fi
-
-export GORELEASER_SKIP_FEATURE_DOCKER_TAGS=false
-export GORELEASER_SKIP_RELEASE=true
-if [ "${CIRCLE_TAG}" == "" ] ; then
-  # Create a temporary tag for goreleaser, incrementing the last tag.
-  last_git_tag="$(git describe --tags --abbrev=0 2>/dev/null)"
-  if [ "${last_git_tag}" == "" ] ; then
-    echo "${this_script} is unable to determine the last git tag so a temporary tag can be created, using: git describe --tags --abbrev=0"
-    exit 1
-  fi
-  if [ "$(git config user.email)" == "" ] ; then
-    # git will use this env var as its user.email.
-    # git tag -m is used in case tags are manually pushed by accident,
-    # however git tag -m requires an email.
-    export EMAIL='goreleaser_ci@fairwinds.com'
-    echo "${this_script} using ${EMAIL} temporarily as the git user.email"
-  fi
-  temporary_git_tag=$(echo "${last_git_tag}" | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g')-rc
-  echo "${this_script} creating temporary git tag ${temporary_git_tag} for goreleaser, the last real tag is ${last_git_tag}"
-  # The -f is included to overwrite existing tags, perhaps from previous CI jobs.
-  git tag -f -m "temporary local tag for goreleaser" ${temporary_git_tag}
-  export GORELEASER_CURRENT_TAG=${temporary_git_tag}
-  # Use an adjusted git feature branch name as a docker tag; export so goreleaser receives .Env.FEATURE_DOCKER_TAG.
-  export FEATURE_DOCKER_TAG=$(echo "${CIRCLE_BRANCH:0:26}" | sed 's/[^a-zA-Z0-9]/-/g' | sed 's/-\+$//')
-  echo "${this_script} also using docker tag ${FEATURE_DOCKER_TAG} since ${CIRCLE_BRANCH} is a feature branch"
-else
-  export GORELEASER_CURRENT_TAG=${CIRCLE_TAG}
-  echo "${this_script} setting GORELEASER_SKIP_RELEASE to false, and GORELEASER_SKIP_FEATURE_DOCKER_TAGS to true, because CIRCLE_TAG is set"
-  export GORELEASER_SKIP_FEATURE_DOCKER_TAGS=true
-  export GORELEASER_SKIP_RELEASE=false
-fi
-
-echo "${this_script} using git tag ${GORELEASER_CURRENT_TAG}"
-goreleaser --skip=sign "$@"
-cleanup
diff --git a/test/kube_dashboard_test.sh b/test/kube_dashboard_test.sh
index 4b94401f..0d7c6b01 100755
--- a/test/kube_dashboard_test.sh
+++ b/test/kube_dashboard_test.sh
@@ -22,7 +22,9 @@ function check_timeout() {
 
 helm repo add fairwinds-stable https://charts.fairwinds.com/stable
 helm install polaris fairwinds-stable/polaris --namespace polaris --create-namespace \
-  --set image.tag=$CI_SHA1
+  --set image.repository=us-docker.pkg.dev/fairwinds-ops/oss/polaris \
+  --set image.tag=$CI_SHA1 \
+  --set image.pullPolicy=IfNotPresent
 
 check_dashboard_is_ready
 
diff --git a/test/webhook_test.sh b/test/webhook_test.sh
index 0e99f91f..e75639c2 100755
--- a/test/webhook_test.sh
+++ b/test/webhook_test.sh
@@ -88,7 +88,9 @@ helm install polaris fairwinds-stable/polaris --namespace polaris --create-names
   --set dashboard.enable=false \
   --set webhook.enable=true \
   --set webhook.mutate=true \
-  --set image.tag=$CI_SHA1
+  --set image.repository=us-docker.pkg.dev/fairwinds-ops/oss/polaris \
+  --set image.tag=$CI_SHA1 \
+  --set image.pullPolicy=IfNotPresent
 
 echo "Waiting for the webhook to come online"
 check_webhook_is_ready