diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml index f2bc75b9..6d6f219b 100644 --- a/.github/workflows/build-and-push-image.yml +++ b/.github/workflows/build-and-push-image.yml @@ -50,12 +50,11 @@ jobs: with: environment: ${{ needs.set-env.outputs.environment }} - build: - name: Build + build-import: + name: Build & Import + runs-on: ubuntu-24.04 needs: [ set-env, validate-packages ] - permissions: - packages: write - uses: DFE-Digital/deploy-azure-container-apps-action/.github/workflows/build.yml@2669c85cf877ce3161b7d0edf36690106412c70b # v4.1.0 + environment: ${{ needs.set-env.outputs.environment }} strategy: matrix: stage: [ 
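Review bot: Adding `environment: ${{ needs.set-env.outputs.environment }}` to `build-import` puts the image build inside the deployment environment, where the removed `build` job had no environment and held only `packages: write`. Combined with the `id-token: write` granted further down this job (next hunk), the step that builds repository code now runs in a job that can request an OIDC token and in which environment-scoped secrets are resolvable. If the v5 actions allow it, keep build and import as separate jobs so that only the import job carries the environment and `id-token: write`. If they must share a job, say why in a comment on the job, for example `# build and import share one job because <reason>; id-token is needed only by the import step`. The job body continues outside this hunk.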
@@ -67,59 +66,55 @@ jobs: tag-prefix: "" - stage: "initcontainer" tag-prefix: "init-" - with: - environment: ${{ needs.set-env.outputs.environment }} - docker-image-name: ${{ needs.set-env.outputs.image-name }} - docker-build-file-name: ${{ inputs.docker-build-file-name }} - docker-build-context: ${{ inputs.docker-build-context }} - docker-build-args: CI=true - docker-build-target: ${{ matrix.stage }} - docker-tag-prefix: ${{ matrix.tag-prefix }} - - import: - name: Import - needs: [ set-env, build ] permissions: + packages: write + attestations: write id-token: write - uses: DFE-Digital/deploy-azure-container-apps-action/.github/workflows/import.yml@2669c85cf877ce3161b7d0edf36690106412c70b # v4.1.0 - strategy: - matrix: - stage: [ - "final", - "initcontainer" - ] - include: - - stage: "final" - tag-prefix: "" - - stage: "initcontainer" - tag-prefix: "init-" - with: - environment: ${{ needs.set-env.outputs.environment }} - docker-image-name: ${{ needs.set-env.outputs.image-name }} - docker-tag-prefix: ${{ matrix.tag-prefix }} - secrets: - azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} - azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - azure-acr-client-id: ${{ secrets.ACR_CLIENT_ID }} - azure-acr-name: ${{ secrets.ACR_NAME }} + steps: + - uses: DFE-Digital/deploy-azure-container-apps-action/.github/actions/build@v5.2.1 + with: + image-name: ${{ needs.set-env.outputs.image-name }} + build-args: CI=true + build-target: ${{ matrix.stage }} + tag-prefix: ${{ matrix.tag-prefix }} + github-token: ${{ secrets.GITHUB_TOKEN }} + + - uses: DFE-Digital/deploy-azure-container-apps-action/.github/actions/import@v5.2.1 + with: + image-name: ${{ needs.set-env.outputs.image-name }} + tag-prefix: ${{ matrix.tag-prefix }} + azure-acr-name: ${{ secrets.ACR_NAME }} + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + azure-acr-client-id: ${{ secrets.ACR_CLIENT_ID }} + github-token: ${{ secrets.GITHUB_TOKEN }} + 
env: + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID || '' }} + AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION_ID || '' }} + AZURE_ACR_CLIENT_ID: ${{ secrets.ACR_CLIENT_ID || '' }} deploy: - name: Deploy - needs: [ set-env, import ] + name: Deploy to ${{ needs.set-env.outputs.environment }} + needs: [ set-env, build-import ] + runs-on: ubuntu-24.04 + environment: ${{ needs.set-env.outputs.environment }} permissions: id-token: write - uses: DFE-Digital/deploy-azure-container-apps-action/.github/workflows/deploy.yml@2669c85cf877ce3161b7d0edf36690106412c70b # v4.1.0 - with: - environment: ${{ needs.set-env.outputs.environment }} - docker-image-name: ${{ needs.set-env.outputs.image-name }} - annotate-release: true - secrets: - azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} - azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - azure-aca-client-id: ${{ secrets.ACA_CLIENT_ID }} - azure-aca-name: ${{ secrets.ACA_CONTAINERAPP_NAME }} - azure-aca-resource-group: ${{ secrets.ACA_RESOURCE_GROUP }} - azure-acr-name: ${{ secrets.ACR_NAME }} + steps: + - uses: DFE-Digital/deploy-azure-container-apps-action/.github/actions/deploy@v5.2.1 + with: + image-name: ${{ needs.set-env.outputs.image-name }} + annotate-release: 'yes' + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + azure-acr-name: ${{ secrets.ACR_NAME }} + azure-aca-client-id: ${{ secrets.ACA_CLIENT_ID }} + azure-aca-name: ${{ secrets.ACA_CONTAINERAPP_NAME }} + azure-aca-resource-group: ${{ secrets.ACA_RESOURCE_GROUP }} + env: + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID || '' }} + AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION_ID || '' }} + AZURE_ACA_CLIENT_ID: ${{ secrets.ACA_CLIENT_ID || '' }} create-tag: name: Tag and release
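Review bot: The three new `uses:` lines (build, import, deploy) reference the mutable tag `@v5.2.1`, whereas the removed lines pinned the reusable workflows to a full commit SHA with a `# v4.1.0` comment. A tag can be re-pointed after review, and these steps are handed `secrets.GITHUB_TOKEN` and the Azure inputs while the jobs hold `packages: write`, `attestations: write` and `id-token: write`. Keep the previous convention, e.g. `uses: DFE-Digital/deploy-azure-container-apps-action/.github/actions/build@<full-commit-sha> # v5.2.1`, and do the same for the import and deploy actions.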