diff --git a/test-infra/image-builder/Makefile b/test-infra/image-builder/Makefile
index 7a0d6a23f..ef20e4485 100644
--- a/test-infra/image-builder/Makefile
+++ b/test-infra/image-builder/Makefile
@@ -1,5 +1,47 @@
+docker_host ?= quay.io
+docker_login ?= true
+docker_user ?= kubespray+buildvmimages
+registry ?= quay.io/kubespray
+staging_registry ?= us-central1-docker.pkg.dev/k8s-staging-images/kubespray
+
 deploy:
-	ansible-playbook -i hosts.ini -e docker_password=$(docker_password) cluster.yml
+	ansible-playbook -i hosts.ini \
+		-e docker_host=$(docker_host) \
+		-e docker_login=$(docker_login) \
+		-e docker_user=$(docker_user) \
+		-e docker_password=$(docker_password) \
+		-e registry=$(registry) \
+		cluster.yml
+
+push-docker:
+	ansible-playbook -i localhost, -c local \
+		-e images_dir=$(CURDIR)/.image-builder \
+		-e docker_host=$(docker_host) \
+		-e docker_login=$(docker_login) \
+		-e docker_user=$(docker_user) \
+		-e docker_password=$(docker_password) \
+		-e registry=$(registry) \
+		-e '{"kubevirt_images_push": true, "kubevirt_container_builder": "docker", "kubevirt_images_target_host": "localhost"}' \
+		cluster.yml
+
+push-single-docker:
+	ansible-playbook -i localhost, -c local \
+		-e images_dir=$(CURDIR)/.image-builder \
+		-e docker_host=$(docker_host) \
+		-e docker_login=$(docker_login) \
+		-e docker_user=$(docker_user) \
+		-e docker_password=$(docker_password) \
+		-e registry=$(registry) \
+		-e '{"kubevirt_images_push": true, "kubevirt_container_builder": "docker", "kubevirt_images_target_host": "localhost", "kubevirt_images_selected": ["$(image_name)"]}' \
+		cluster.yml
+
+push-single-staging:
+	ansible-playbook -i localhost, -c local \
+		-e images_dir=$(CURDIR)/.image-builder \
+		-e docker_host=us-central1-docker.pkg.dev \
+		-e registry=$(staging_registry) \
+		-e '{"docker_login": false, "kubevirt_images_push": true, "kubevirt_container_builder": "docker", "kubevirt_images_target_host": "localhost", "kubevirt_images_selected": ["$(image_name)"]}' \
+		cluster.yml
 
 validate:
 	ansible-playbook -i localhost, -c local \
diff --git a/test-infra/image-builder/README.md b/test-infra/image-builder/README.md
index dd7cd69d1..b881f70b9 100644
--- a/test-infra/image-builder/README.md
+++ b/test-infra/image-builder/README.md
@@ -4,7 +4,13 @@ Build and push KubeVirt VM disk images to quay.io for Kubespray CI testing.
 
 ## How It Works
 
-The Ansible playbook downloads upstream cloud images, converts them to qcow2, resizes (+8G), wraps each in a Docker image based on `kubevirt/registry-disk-v1alpha`, and pushes to `quay.io/kubespray/vm-<os-name>:<tag>`.
+The Ansible playbook downloads upstream cloud images, converts them to qcow2, resizes (+8G), wraps each in a Docker image based on `kubevirt/registry-disk-v1alpha`, and pushes to `quay.io/kubespray/vm-<os-name>:<tag>` by default. Trusted CI jobs can override the target registry for staged image publishing.
+
+The trusted staging publish path uses Cloud Build authentication and skips `docker login`:
+
+```bash
+make push-single-staging image_name=ubuntu-2404
+```
 
 ## Prerequisites
 
diff --git a/test-infra/image-builder/cloudbuild-staging.yaml b/test-infra/image-builder/cloudbuild-staging.yaml
new file mode 100644
index 000000000..7fd390068
--- /dev/null
+++ b/test-infra/image-builder/cloudbuild-staging.yaml
@@ -0,0 +1,20 @@
+---
+
+timeout: 7200s
+options:
+  substitution_option: ALLOW_LOOSE
+steps:
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20260205-38cfa9523f
+    args:
+      - bash
+      - -ceu
+      - |
+        apk add --no-cache ansible-core qemu-img
+        ansible-galaxy collection install community.general -p /usr/share/ansible/collections
+        make -C test-infra/image-builder push-single-staging \
+          image_name=ubuntu-2404 \
+          staging_registry=us-central1-docker.pkg.dev/$PROJECT_ID/kubespray
+substitutions:
+  _PULL_BASE_REF: "master"
+images:
+  - us-central1-docker.pkg.dev/$PROJECT_ID/kubespray/vm-ubuntu-2404:latest
diff --git a/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml b/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml
index e3f55e31e..2d2debf05 100644
--- a/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml
+++ b/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml
@@ -3,6 +3,7 @@ images_dir: /images/base
 
 docker_user: kubespray+buildvmimages
 docker_host: quay.io
+docker_login: true
 registry: quay.io/kubespray
 kubevirt_images_push: true
 kubevirt_images_selected: []
diff --git a/test-infra/image-builder/roles/kubevirt-images/tasks/main.yml b/test-infra/image-builder/roles/kubevirt-images/tasks/main.yml
index 37f41119a..da176d860 100644
--- a/test-infra/image-builder/roles/kubevirt-images/tasks/main.yml
+++ b/test-infra/image-builder/roles/kubevirt-images/tasks/main.yml
@@ -186,6 +186,7 @@
       when:
         - kubevirt_container_builder == 'docker'
         - kubevirt_images_push
+        - docker_login
 
     - name: Docker push image
       command: docker push {{ registry }}/vm-{{ item.key }}:{{ item.value.tag }}
@@ -199,3 +200,4 @@
       when:
         - kubevirt_container_builder == 'docker'
         - kubevirt_images_push
+        - docker_login