diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3cb1974..9cd7d97 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,21 +33,21 @@ jobs: - name: Build the MATE bdist run: | - # Extremely annoying: the `pull_request` event creates a merge commit, - # which means that `GITHUB_SHA` is completely useless to key off of. - # We have to do some additional sleuthing for these events to get the right - # commit. - if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then - ref="${ACTUAL_GITHUB_SHA_ON_PULL_REQUEST}" - else - ref="${GITHUB_SHA}" - fi - docker run \ --rm -v $(pwd):/mate \ - "ghcr.io/galoisinc/mate-dev:${ref}" \ + "ghcr.io/galoisinc/mate-dev:${GITHUB_RUN_ID}" \ ./shake.sh -j bdist + - name: Compress the MATE bdist + run: | + tar czf mate-bdist.tar.gz ./.out/bdist + + - name: Upload the MATE bdist + uses: actions/upload-artifact@v3 + with: + name: mate-bdist + path: mate-bdist.tar.gz + - name: Build and push the mate-dist image run: | # HACK: These files are owned by the container root, so we can't @@ -60,16 +60,9 @@ jobs: - name: Build the docs run: | - # See above comment - if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then - ref="${ACTUAL_GITHUB_SHA_ON_PULL_REQUEST}" - else - ref="${GITHUB_SHA}" - fi - docker run \ --rm -v $(pwd):/mate \ - "ghcr.io/galoisinc/mate-dev:${ref}" \ + "ghcr.io/galoisinc/mate-dev:${GITHUB_RUN_ID}" \ ./shake.sh -j doc - name: Upload docs to Github Pages 
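Review bot: The new `Upload the MATE bdist` step references `actions/upload-artifact@v3`, a tag the action's owner can move, so the code that handles the build output can change without any change in this repository. Pinning to a full commit SHA, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v3`, makes the dependency immutable. The same applies to `actions/checkout@v3` and `docker/login-action@v2` in the `test-legacy` job added in the last hunk of this file; the latter is handed `secrets.GITHUB_TOKEN`. An explicit `retention-days:` under `with:` would also bound how long the bdist tarball stays downloadable.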
@@ -78,3 +71,41 @@ jobs: with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: .out/bdist/local/doc/html + + test-legacy: + needs: [build] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Login to Packages Container registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Pull mate-dev + run: | + docker pull "ghcr.io/galoisinc/mate-dev:${GITHUB_RUN_ID}" + + # - name: Fetch the MATE bdist + # uses: actions/download-artifact@v3 + # with: + # name: mate-bdist + + # - name: Extract the MATE bdist + # run: | + # tar xzf mate-dist.tar.gz + + - name: Run legacy tests + run: | + # TODO: Figure out the right way to plumb the integration test setting. + docker run \ + -e MATE_INTEGRATION_TESTS=0 \ + --rm -v $(pwd):/mate \ + "ghcr.io/galoisinc/mate-dev:${GITHUB_RUN_ID}" \ + ./shake.sh --skip=build pytests -- -- -n logical -x + diff --git a/ci/README.md b/ci/README.md deleted file mode 100644 index 4ba9731..0000000 --- a/ci/README.md +++ /dev/null @@ -1,5 +0,0 @@ -All scripts in this folder are expected to be POSIX sh compliant. -The reasoning is that they may be executed on very minimal systems such as alpine containers or NixOS that only have `/bin/sh`. - -NB: This directory really should be named `scripts` and not `ci`, but the code churn required will have to wait for another day. -see: https://gitlab-ext.galois.com/mate/MATE/-/issues/1117 diff --git a/ci/gha-docker-build b/ci/gha-docker-build index b92a8a6..a1cb444 100755 --- a/ci/gha-docker-build +++ b/ci/gha-docker-build @@ -2,6 +2,8 @@ # gha-docker-build: build a MATE Docker image with some caching help +set -e + # This script only works in CI. if [[ -z "${GITHUB_ACTIONS}" ]]; then >&2 echo "Fatal: Only works in GitHub Actions." 
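Review bot: The `test-legacy` job logs in to ghcr.io with `secrets.GITHUB_TOKEN` but declares no `permissions:`, so it runs with whatever token scope the workflow or repository default grants. The job only checks out the code and pulls an image, so a job-level `permissions:` with `contents: read` and `packages: read` would be enough, unless a workflow-level block outside this hunk already restricts it. `actions/checkout` also keeps the token in the checked-out repository's git config by default, and the `Run legacy tests` step bind-mounts that workspace into the container, so `persist-credentials: false` under the checkout's `with:` keeps the token away from the test code. Separately, the commented-out extract step names `mate-dist.tar.gz` while the build job uploads `mate-bdist.tar.gz`, so it would fail as written once uncommented.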
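Review bot: In `ci/gha-docker-build`, `set -e` alone does not stop the script when a command inside a pipeline fails or when a variable is unset, and the tag-and-push block added in the next hunk interpolates `${GITHUB_RUN_ID}` without a check. `set -euo pipefail` would cover both, but the guard right below would then need to read `[[ -z "${GITHUB_ACTIONS:-}" ]]` so that running outside CI still prints the "Only works in GitHub Actions" message rather than an unbound-variable error. The rest of the script is outside this hunk, so any other expansion that may legitimately be unset needs checking before `-u` is enabled.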
@@ -50,6 +52,14 @@ docker build \ docker push "${full_image_name}:${ref}" +# Also tag it with the current workflow run ID, to make reuse in subsequent +# CI steps easier (no need to track the commit ref). +docker tag \ + "${full_image_name}:${ref}" \ + "${full_image_name}:${GITHUB_RUN_ID}" + +docker push "${full_image_name}:${GITHUB_RUN_ID}" + # Additionally, if we're on main or we're doing a manually triggered build, # tag the image as ":main". if [[ "${GITHUB_REF_NAME}" == "main" || "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then diff --git a/ci/ssh.sh b/ci/ssh.sh deleted file mode 100644 index 68c61a7..0000000 --- a/ci/ssh.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -# This script sets up an SSH agent with access to a key that the CI runner can -# use to clone submodules from private repos and push documentation to the -# webserver. - -set -eu - -eval "$(ssh-agent -s)" -echo "${STOCKFISH_PKEY}" | tr -d '\r' | ssh-add - -mkdir -p ~/.ssh -chmod 700 ~/.ssh -if [ -f /.dockerenv ]; then - printf '%s\n\t%s\n\n' 'Host *' 'StrictHostKeyChecking no' > ~/.ssh/config -fi -chmod 600 ~/.ssh/config
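Review bot: The `${GITHUB_RUN_ID}` tag pushed in the second `ci/gha-docker-build` hunk is mutable, and the run ID stays the same when a workflow run is re-run. The `build.yml` steps that `docker run` this tag with the workspace mounted therefore execute whatever image currently sits behind the tag, which is not necessarily the one this build produced. Anyone who can write to the package can presumably repoint it between jobs. Resolving the pushed image to its digest, for example with `docker inspect --format '{{index .RepoDigests 0}}' "${full_image_name}:${ref}"`, and passing it on as a job output would let the later jobs reference `mate-dev@sha256:<digest>`. The run-ID tag could remain as a convenience label, and a comment next to it should say that it is not an integrity guarantee.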