diff --git a/.github/workflows/mark-stable.yml b/.github/workflows/mark-stable.yml
index 5f4130e..34573c2 100644
--- a/.github/workflows/mark-stable.yml
+++ b/.github/workflows/mark-stable.yml
@@ -26,14 +26,14 @@ jobs:
 
       - name: Check whether tagged commit is on main
         id: branch-check
-        run: bash scripts/github/check-tagged-commit-on-main.sh
+        run: bash scripts/github/common/check-tagged-commit-on-main.sh
 
       - name: Wait for CI success on main for this commit
         if: steps.branch-check.outputs.is_on_main == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
-        run: bash scripts/github/wait-for-main-ci-success.sh
+        run: bash scripts/github/mark-stable/wait-for-main-ci-success.sh
 
       - name: Move 'stable' tag only if this version is the highest
         if: steps.branch-check.outputs.is_on_main == 'true'
-        run: bash scripts/github/mark-stable-if-highest-version.sh
+        run: bash scripts/github/mark-stable/mark-stable-if-highest-version.sh
diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml
index 09761a0..b7e34c5 100644
--- a/.github/workflows/publish-containers.yml
+++ b/.github/workflows/publish-containers.yml
@@ -21,34 +21,20 @@ jobs:
           fetch-depth: 0
 
       - name: Checkout workflow_run commit and refresh tags
-        run: |
-          set -euo pipefail
-          git checkout -f "${{ github.event.workflow_run.head_sha }}"
-          git fetch --tags --force
-          git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20
+        env:
+          WORKFLOW_RUN_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: bash scripts/github/publish-containers/checkout-workflow-run-commit.sh
+
+      - name: Check whether tagged commit is on main
+        id: branch-check
+        env:
+          TARGET_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: bash scripts/github/common/check-tagged-commit-on-main.sh
 
       - name: Compute version and stable flag
         id: info
-        run: |
-          set -euo pipefail
-          SHA="$(git rev-parse HEAD)"
-
-          V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
-          if [[ -z "${V_TAG}" ]]; then
-            echo "No version tag found for ${SHA}. Skipping publish."
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          VERSION="${V_TAG#v}"
-
-          STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
-          IS_STABLE=false
-          [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
-
-          echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"
+        if: steps.branch-check.outputs.is_on_main == 'true'
+        run: bash scripts/github/publish-containers/compute-publish-container-info.sh
 
       - name: Set up Docker Buildx
         if: ${{ steps.info.outputs.should_publish == 'true' }}
@@ -66,9 +52,8 @@ jobs:
 
       - name: Publish all images
         if: ${{ steps.info.outputs.should_publish == 'true' }}
-        run: |
-          set -euo pipefail
-          OWNER="${{ github.repository_owner }}" \
-          VERSION="${{ steps.info.outputs.version }}" \
-          IS_STABLE="${{ steps.info.outputs.is_stable }}" \
-          bash scripts/build/publish.sh
+        env:
+          OWNER: ${{ github.repository_owner }}
+          VERSION: ${{ steps.info.outputs.version }}
+          IS_STABLE: ${{ steps.info.outputs.is_stable }}
+        run: bash scripts/github/publish-containers/publish-container-images.sh
diff --git a/scripts/github/check-tagged-commit-on-main.sh b/scripts/github/check-tagged-commit-on-main.sh
deleted file mode 100755
index cd6fce0..0000000
--- a/scripts/github/check-tagged-commit-on-main.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-git fetch --no-tags origin main
-
-if git merge-base --is-ancestor "${GITHUB_SHA}" "origin/main"; then
-  echo "is_on_main=true" >> "$GITHUB_OUTPUT"
-  echo "Tagged commit ${GITHUB_SHA} is contained in origin/main."
-else
-  echo "is_on_main=false" >> "$GITHUB_OUTPUT"
-  echo "Tagged commit ${GITHUB_SHA} is not contained in origin/main. Skipping stable update."
-fi
diff --git a/scripts/github/common/check-tagged-commit-on-main.sh b/scripts/github/common/check-tagged-commit-on-main.sh
new file mode 100644
index 0000000..b3e7fbf
--- /dev/null
+++ b/scripts/github/common/check-tagged-commit-on-main.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_SHA="${TARGET_SHA:-${GITHUB_SHA:?GITHUB_SHA must be set}}"
+
+git fetch --no-tags origin main
+
+if git merge-base --is-ancestor "${TARGET_SHA}" "origin/main"; then
+  echo "is_on_main=true" >> "$GITHUB_OUTPUT"
+  echo "Target commit ${TARGET_SHA} is contained in origin/main."
+else
+  echo "is_on_main=false" >> "$GITHUB_OUTPUT"
+  echo "Target commit ${TARGET_SHA} is not contained in origin/main. Skipping main-only action."
+fi
diff --git a/scripts/github/mark-stable-if-highest-version.sh b/scripts/github/mark-stable/mark-stable-if-highest-version.sh
old mode 100755
new mode 100644
similarity index 100%
rename from scripts/github/mark-stable-if-highest-version.sh
rename to scripts/github/mark-stable/mark-stable-if-highest-version.sh
diff --git a/scripts/github/wait-for-main-ci-success.sh b/scripts/github/mark-stable/wait-for-main-ci-success.sh
old mode 100755
new mode 100644
similarity index 100%
rename from scripts/github/wait-for-main-ci-success.sh
rename to scripts/github/mark-stable/wait-for-main-ci-success.sh
diff --git a/scripts/github/publish-containers/checkout-workflow-run-commit.sh b/scripts/github/publish-containers/checkout-workflow-run-commit.sh
new file mode 100644
index 0000000..3ae914a
--- /dev/null
+++ b/scripts/github/publish-containers/checkout-workflow-run-commit.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WORKFLOW_RUN_SHA="${WORKFLOW_RUN_SHA:?WORKFLOW_RUN_SHA must be set}"
+
+git checkout -f "${WORKFLOW_RUN_SHA}"
+git fetch --tags --force
+git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20
diff --git a/scripts/github/publish-containers/compute-publish-container-info.sh b/scripts/github/publish-containers/compute-publish-container-info.sh
new file mode 100644
index 0000000..eabb673
--- /dev/null
+++ b/scripts/github/publish-containers/compute-publish-container-info.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SHA="$(git rev-parse HEAD)"
+
+V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
+if [[ -z "${V_TAG}" ]]; then
+  echo "No version tag found for ${SHA}. Skipping publish."
+  echo "should_publish=false" >> "$GITHUB_OUTPUT"
+  exit 0
+fi
+
+VERSION="${V_TAG#v}"
+
+STABLE_SHA="$(git rev-parse -q --verify 'refs/tags/stable^{commit}' 2>/dev/null || true)"
+IS_STABLE=false
+[[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
+
+{
+  echo "should_publish=true"
+  echo "version=${VERSION}"
+  echo "is_stable=${IS_STABLE}"
+} >> "$GITHUB_OUTPUT"
diff --git a/scripts/github/publish-containers/publish-container-images.sh b/scripts/github/publish-containers/publish-container-images.sh
new file mode 100644
index 0000000..d78d56e
--- /dev/null
+++ b/scripts/github/publish-containers/publish-container-images.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${OWNER:?OWNER must be set}"
+: "${VERSION:?VERSION must be set}"
+: "${IS_STABLE:?IS_STABLE must be set}"
+
+bash scripts/build/publish.sh