diff --git a/.drone.yml b/.drone.yml
index 9d96f1e4a6980..ed97bbca9afba 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -1275,11 +1275,6 @@ image_pull_secrets:
 kind: pipeline
 type: kubernetes
 name: push-build-linux-arm64
-environment:
-  BUILDBOX_VERSION: teleport10
-  GID: "1000"
-  RUNTIME: go1.19.8
-  UID: "1000"
 trigger:
   event:
     include:
@@ -1322,9 +1317,10 @@ steps:
   pull: if-not-exists
   commands:
   - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
-  - go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e -workflow
-    release-linux-arm64.yml -workflow-ref=${DRONE_BRANCH} -input oss-teleport-ref=${DRONE_COMMIT}
-    -input upload-artifacts=false -input oss-teleport-repo="${DRONE_REPO}"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -tag-workflow -timeout 1h0m0s -workflow release-linux-arm64.yml -workflow-ref=${DRONE_BRANCH}
+    -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_COMMIT}
+    -input "upload-artifacts=false" '
   environment:
     GHA_APP_KEY:
       from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
@@ -5239,11 +5235,6 @@ image_pull_secrets:
 kind: pipeline
 type: kubernetes
 name: build-linux-arm64
-environment:
-  BUILDBOX_VERSION: teleport10
-  GID: "1000"
-  RUNTIME: go1.19.8
-  UID: "1000"
 trigger:
   event:
     include:
@@ -5258,6 +5249,8 @@ workspace:
   path: /go
 clone:
   disable: true
+depends_on:
+- clean-up-previous-build
 steps:
 - name: Check out code
   image: docker:git
@@ -5283,9 +5276,10 @@ steps:
   pull: if-not-exists
   commands:
   - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
-  - go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e -workflow
-    release-linux-arm64.yml -workflow-ref=${DRONE_TAG} -input oss-teleport-ref=${DRONE_TAG}
-    -input upload-artifacts=true -input oss-teleport-repo="${DRONE_REPO}"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -tag-workflow -timeout 1h0m0s -workflow release-linux-arm64.yml -workflow-ref=${DRONE_TAG}
+    -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input
+    "upload-artifacts=true" '
   environment:
     GHA_APP_KEY:
       from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
@@ -20247,6 +20241,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: c033b7e21ecf8503a8e5125e0e0d5b127dab1948f71c1f757788141e733045bd
+hmac: 0f66eef0fd310ee80bb80671bffba2bb97b2f426888260d6bec8fb5aedd5c860
 
 ...
diff --git a/dronegen/gha.go b/dronegen/gha.go
index 8ffdfc07886df..af9082d897e5f 100644
--- a/dronegen/gha.go
+++ b/dronegen/gha.go
@@ -14,27 +14,55 @@
 
 package main
 
-import "fmt"
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"golang.org/x/exp/maps"
+)
 
 type ghaBuildType struct {
 	buildType
 	trigger
-	namePrefix      string
-	uploadArtifacts bool
-	srcRefVar       string
-	workflowRefVar  string
-	slackOnError    bool
+	pipelineName string
+	ghaWorkflow  string
+	srcRefVar    string
+	workflowRef  string
+	timeout      time.Duration
+	slackOnError bool
+	dependsOn    []string
+	inputs       map[string]string
 }
 
 func ghaBuildPipeline(b ghaBuildType) pipeline {
-	p := newKubePipeline(fmt.Sprintf("%sbuild-%s-%s", b.namePrefix, b.os, b.arch))
+	p := newKubePipeline(b.pipelineName)
 	p.Trigger = b.trigger
 	p.Workspace = workspace{Path: "/go"}
-	p.Environment = map[string]value{
-		"BUILDBOX_VERSION": buildboxVersion,
-		"RUNTIME":          goRuntime,
-		"UID":              {raw: "1000"},
-		"GID":              {raw: "1000"},
+	p.DependsOn = append(p.DependsOn, b.dependsOn...)
+
+	var cmd strings.Builder
+	cmd.WriteString(`go run ./cmd/gh-trigger-workflow `)
+	cmd.WriteString(`-owner ${DRONE_REPO_OWNER} `)
+	cmd.WriteString(`-repo teleport.e `)
+	cmd.WriteString(`-tag-workflow `)
+	fmt.Fprintf(&cmd, `-timeout %s `, b.timeout.String())
+	fmt.Fprintf(&cmd, `-workflow %s `, b.ghaWorkflow)
+	fmt.Fprintf(&cmd, `-workflow-ref=%s `, b.workflowRef)
+
+	// If we don't need to build teleport...
+	if b.srcRefVar != "" {
+		cmd.WriteString(`-input oss-teleport-repo=${DRONE_REPO} `)
+		fmt.Fprintf(&cmd, `-input oss-teleport-ref=${%s} `, b.srcRefVar)
+	}
+
+	// Sort inputs so the are output in a consistent order to avoid
+	// spurious changes in the generated drone config.
+	keys := maps.Keys(b.inputs)
+	sort.Strings(keys)
+	for _, k := range keys {
+		fmt.Fprintf(&cmd, `-input "%s=%s" `, k, b.inputs[k])
 	}
 
 	p.Steps = []step{
@@ -56,11 +84,7 @@ func ghaBuildPipeline(b ghaBuildType) pipeline {
 			},
 			Commands: []string{
 				`cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"`,
-				`go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e -workflow release-linux-arm64.yml ` +
-					fmt.Sprintf(`-workflow-ref=${%s} `, b.workflowRefVar) +
-					fmt.Sprintf(`-input oss-teleport-ref=${%s} `, b.srcRefVar) +
-					fmt.Sprintf(`-input upload-artifacts=%t `, b.uploadArtifacts) +
-					`-input oss-teleport-repo="${DRONE_REPO}"`,
+				cmd.String(),
 			},
 		},
 	}
diff --git a/dronegen/push.go b/dronegen/push.go
index 30206b02b8861..e3d5a5502d61c 100644
--- a/dronegen/push.go
+++ b/dronegen/push.go
@@ -14,7 +14,10 @@
 
 package main
 
-import "fmt"
+import (
+	"fmt"
+	"time"
+)
 
 // pushCheckoutCommands builds a list of commands for Drone to check out a git commit on a push build
 func pushCheckoutCommands(b buildType) []string {
@@ -73,13 +76,15 @@ func pushPipelines() []pipeline {
 	}
 
 	ps = append(ps, ghaBuildPipeline(ghaBuildType{
-		buildType:       buildType{os: "linux", arch: "arm64"},
-		trigger:         triggerPush,
-		namePrefix:      "push-",
-		uploadArtifacts: false,
-		slackOnError:    true,
-		srcRefVar:       "DRONE_COMMIT",
-		workflowRefVar:  "DRONE_BRANCH",
+		buildType:    buildType{os: "linux", arch: "arm64"},
+		trigger:      triggerPush,
+		pipelineName: "push-build-linux-arm64",
+		ghaWorkflow:  "release-linux-arm64.yml",
+		timeout:      60 * time.Minute,
+		slackOnError: true,
+		srcRefVar:    "DRONE_COMMIT",
+		workflowRef:  "${DRONE_BRANCH}",
+		inputs:       map[string]string{"upload-artifacts": "false"},
 	}))
 
 	// Only amd64 Windows is supported for now.
diff --git a/dronegen/tag.go b/dronegen/tag.go
index edb22b6ff2913..5c3c0b8509770 100644
--- a/dronegen/tag.go
+++ b/dronegen/tag.go
@@ -17,6 +17,7 @@ package main
 import (
 	"fmt"
 	"strings"
+	"time"
 )
 
 const (
@@ -191,11 +192,15 @@ func tagPipelines() []pipeline {
 	}
 
 	ps = append(ps, ghaBuildPipeline(ghaBuildType{
-		buildType:       buildType{os: "linux", arch: "arm64", fips: false},
-		trigger:         triggerTag,
-		uploadArtifacts: true,
-		srcRefVar:       "DRONE_TAG",
-		workflowRefVar:  "DRONE_TAG",
+		buildType:    buildType{os: "linux", arch: "arm64", fips: false},
+		trigger:      triggerTag,
+		pipelineName: "build-linux-arm64",
+		ghaWorkflow:  "release-linux-arm64.yml",
+		srcRefVar:    "DRONE_TAG",
+		workflowRef:  "${DRONE_TAG}",
+		timeout:      60 * time.Minute,
+		dependsOn:    []string{tagCleanupPipelineName},
+		inputs:       map[string]string{"upload-artifacts": "true"},
 	}))
 
 	// Only amd64 Windows is supported for now.