diff --git a/.github/actions/oci-build-push/action.yml b/.github/actions/oci-build-push/action.yml
index 31ef993e5..004565039 100644
--- a/.github/actions/oci-build-push/action.yml
+++ b/.github/actions/oci-build-push/action.yml
@@ -1,14 +1,23 @@
+name: oci-build-push
+description: Builds and pushes OCI images from the workspace context
 
 inputs:
-  ref:
+  cache-from:
     required: false
-  tags:
+  cache-to:
     required: false
   features:
     required: false
-  vendor:
+  outputs:
     required: false
-  version:
+  profile:
+    required: false
+    default: release
+    description: Build profile
+  platforms:
+    required: false
+    default: linux/amd64,linux/arm64
+  push:
     required: false
   rustflags:
     required: false
@@ -16,41 +25,55 @@ inputs:
   target:
     required: false
     default: bin
-  platforms:
+  vendor:
     required: false
-    default: linux/amd64,linux/arm64
-  cache-scope:
-    required: false
-  outputs:
+  version:
     required: false
 
 outputs:
-  imageid: ${{ steps.build.outputs.imageid }}
-  digest: ${{ steps.build.outputs.digest }}
-  metadata: ${{ steps.build.outputs.metadata }}
+  imageid:
+    description: The ID of the built image
+    value: ${{ steps.build.outputs.imageid }}
+  digest:
+    description: The digest of the built image
+    value: ${{ steps.build.outputs.digest }}
+  metadata:
+    description: The metadata of the built image
+    value: ${{ steps.build.outputs.metadata }}
 
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+    - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f
+      id: meta
       with:
-        ref: ${{ inputs.ref || github.ref }}
-    - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+        images: |
+          ghcr.io/${{ github.repository_owner }}/proxy
+        tags: |
+          type=raw,value=${{ inputs.version }}
+        flavor: |
+          latest=false
+          prefix=bin-
+    - if: inputs.platforms != 'linux/amd64'
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
     - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
     - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
       id: build
       with:
-        context: .
         build-args: |
-          PROFILE=release
-          RUSTFLAGS=${{ inputs.rustflags }}
           LINKERD2_PROXY_VENDOR=${{ inputs.vendor }}
           LINKERD2_PROXY_VERSION=${{ inputs.version }}
+          PROFILE=${{ inputs.profile }}
           PROXY_FEATURES=${{ inputs.features }}
+          RUSTFLAGS=${{ inputs.rustflags }}
+        cache-from: type=gha,scope=${{ inputs.cache-from }}
+        cache-to: type=gha,scope=${{ inputs.cache-to }},mode=max
+        context: .
         outputs: ${{ inputs.outputs }}
-        tags: ${{ inputs.tags }}
-        target: ${{ inputs.target }}
         platforms: ${{ inputs.platforms }}
-        cache-from: type=gha,scope=${{ inputs.cache-scope || github.head_ref }}
-        cache-to: type=gha,scope=${{ inputs.cache-scope || github.head_ref }},mode=max
+        push: ${{ inputs.push }}
+        target: ${{ inputs.target }}
+        annotations: ${{ steps.meta.outputs.annotations }}
+        labels: ${{ steps.meta.outputs.labels }}
+        tags: ${{ steps.meta.outputs.tags }}
 
diff --git a/.github/workflows/cache-oci.yml b/.github/workflows/cache-oci.yml
deleted file mode 100644
index 47b78c9a8..000000000
--- a/.github/workflows/cache-oci.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-on:
-  pull_request: {}
-  push:
-    branches:
-      - main
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
-      - id: meta
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
-        with:
-          files: |
-            .github/workflows/cache-oci.yml
-            .github/workflows/oci-build-push.yml
-
-      - if: steps.meta.outputs.any_changed == 'true' || github.event_name == 'push'
-        uses: ./.github/actions/oci-build-push
-        with:
-          outputs: type=local,dest=out
-
-      - if: steps.meta.outputs.any_changed == 'true' || github.event_name == 'push'
-        run: find out -type f -ls
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ea0a980fa..539dc7ab0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
     inputs:
       version:
         description: "Version in the form v1.2.3-prerelease+buildinfo"
-        required: true
+        required: false
         type: string
       tag-prefix:
         description: "Tag prefix"
@@ -29,6 +29,11 @@ on:
         required: false
         type: string
         default: ""
+      do-oci-push:
+        description: "Push the Docker image to the OCI registry?"
+        required: false
+        type: boolean
+        default: false
       prerelease:
         description: "Is this a prerelease?"
         required: false
@@ -84,8 +89,8 @@ jobs:
         run: |
           set -euo pipefail
           shopt -s extglob
-          if [[ "$GITHUB_EVENT_NAME" == pull_request ]]; then
-            echo version="0.0.0-test.${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
+          if [[ -z "$VERSION" ]]; then
+            echo version="0.0.0-sha-${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
             exit 0
           fi
           if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+)?(\+[0-9A-Za-z-]+)?$ ]]; then
@@ -101,7 +106,8 @@ jobs:
         run: |
           if [[ "$GITHUB_EVENT_NAME" == pull_request && "$WORKFLOW_CHANGED" != 'true' ]]; then
             ( echo archs='["amd64"]'
-              echo oses='["linux"]' ) >> "$GITHUB_OUTPUT"
+              echo oses='["linux"]'
+            ) >> "$GITHUB_OUTPUT"
             exit 0
           fi
           ( echo archs='["amd64", "arm64"]'
@@ -137,13 +143,6 @@ jobs:
           ${{ toJson(needs.meta.outputs) }}
           EOF
 
-  # oci:
-  #   needs: meta
-  #   if: needs.meta.outputs.package == 'true'
-  #   uses: ./.github/workflows/oci-build-push.yml
-  #   with:
-  #     outputs: type=oci,dest=linkerd2-proxy.tar
-
   package:
     needs: meta
     if: needs.meta.outputs.package == 'true'
@@ -192,6 +191,31 @@ jobs:
           name: ${{ matrix.arch }}-${{ matrix.os }}-artifacts
           path: target/package/*
 
+  # TODO(ver) Drop `package` in favor of build-push-image.
+  build-push-image:
+    needs: meta
+    if: needs.meta.outputs.package == 'true'
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    permissions:
+      contents: write
+    steps:
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        if: inputs.do-oci-push
+        with:
+          registry: ghcr.io
+          username: ${{ vars.LINKERD2_PROXY_GITHUB_USERNAME || github.actor }}
+          password: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          ref: ${{ needs.meta.outputs.ref }}
+      - uses: ./.github/actions/oci-build-push
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: ${{ inputs.do-oci-push }}
+          rustflags: '-D warnings -A deprecated --cfg tokio_unstable'
+          vendor: ${{ github.repository_owner }}
+          version: ${{ needs.meta.outputs.version }}
+
   publish:
     needs: [meta, package]
     runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}