diff --git a/.github/workflows/action-build-and-test.yaml b/.github/workflows/action-build-and-test.yaml
new file mode 100644
index 00000000..b3967089
--- /dev/null
+++ b/.github/workflows/action-build-and-test.yaml
@@ -0,0 +1,86 @@
+name: Action - Build and Test
+description: "Build and test the operator (with optional e2e tests)"
+
+inputs:
+  run-e2e:
+    description: "Run e2e tests"
+    required: false
+    default: false
+  go-version:
+    description: "Go version to use"
+    required: false
+    default: "${{ env.GO_VERSION }}"
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+
+    - uses: debianmaster/actions-k3s@master
+      id: k3s
+      with:
+        version: 'latest'
+    - run: |
+        kubectl get nodes
+        kubectl get pods -A
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ inputs.go-version }}
+
+    - name: Build
+      run: make build
+
+    - name: Lint
+      run: make lint
+
+    - name: Setup Envtest
+      run: make envtest
+
+    - name: Test
+      run: make test
+
+    - name: Build the Docker image
+      run: make docker-build
+
+    - name: Deploy controller to local cluster
+      env:
+        # deploy with 1-click demo mode when not running e2e tests
+        DEPLOY_ONE_CLICK_DEMO_MODE: ${{ inputs.run-e2e &&  'false' || 'true' }}
+        NGROK_API_KEY: ${{ github.repository == 'ngrok/ngrok-operator' && secrets.NGROK_CI_API_KEY || 'fake-api-key' }}
+        NGROK_AUTHTOKEN: ${{ github.repository == 'ngrok/ngrok-operator' && secrets.NGROK_CI_AUTHTOKEN || 'fake-authtoken' }}
+        E2E_BINDING_NAME: k8s/e2e-${{ github.run_id }}
+      run: |
+        # create some namespaces for bindings tests
+        kubectl create ns e2e || true
+
+        # deploy ngrok-op for e2e tests
+        make deploy_for_e2e
+
+    - name: Check if controller is up
+      run: |
+        kubectl get nodes
+        kubectl get pods -A
+
+    - name: Install cosign
+      if: inputs.run-e2e
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+    - name: Install chainsaw
+      if: inputs.run-e2e
+      uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
+      with:
+        verify: true
+
+    - name: Run e2e tests
+      if: inputs.run-e2e
+      run: |
+        make e2e-tests
+
+    # best effort to remove ngrok k8s resources from cluster
+    # this allows our finalizers to delete upstream ngrok API resources too
+    # that hopefully helps not pollute our ngrok-operator-ci account
+    - name: Cleanup e2e tests
+      if: inputs.run-e2e
+      run: |
+        make e2e-clean
diff --git a/.github/workflows/action-changes.yaml b/.github/workflows/action-changes.yaml
new file mode 100644
index 00000000..6086c2db
--- /dev/null
+++ b/.github/workflows/action-changes.yaml
@@ -0,0 +1,39 @@
+name: Action - Changes
+description: "Detect changes in the repository"
+
+outputs:
+  charts: ${{ steps.filter.outputs.charts }}
+  chartyaml: ${{ steps.filter.outputs.chartyaml }}
+  go: ${{ steps.filter.outputs.go }}
+  tag: ${{ steps.filter.outputs.tag }}
+  tests: ${{ steps.filter.outputs.tests }}
+  make: ${{ steps.filter.outputs.make }}
+
+runs:
+  using: "composite"
+  steps:
+    - id: filter
+      uses: dorny/paths-filter@v2.11.1
+      with:
+        filters: |
+          chartyaml:
+            - 'helm/ngrok-operator/Chart.yaml'
+          charts:
+            - 'helm/ngrok-operator/**'
+            - 'scripts/e2e.sh'
+          go:
+            - '**.go'
+            - 'go.mod'
+            - 'go.sum'
+            - 'cmd/**'
+            - 'internal/**'
+            - 'pkg/**'
+            - 'Dockerfile'
+            - 'scripts/e2e.sh'
+            - 'VERSION'
+          tests:
+            - 'test/**'
+          make:
+            - 'Makefile'
+          tag:
+            - 'VERSION'
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4b7d6593..6e33b04d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,44 +15,11 @@ jobs:
 
   changes:
     runs-on: ubuntu-latest
-    outputs:
-      charts: ${{ steps.filter.outputs.charts }}
-      chartyaml: ${{ steps.filter.outputs.chartyaml }}
-      go: ${{ steps.filter.outputs.go }}
-      tag: ${{ steps.filter.outputs.tag }}
-      tests: ${{ steps.filter.outputs.tests }}
-      make: ${{ steps.filter.outputs.make }}
     permissions:
       contents: read
       pull-requests: read
     steps:
-    - name: Checkout repo
-      uses: actions/checkout@v3
-    - id: filter
-      uses: dorny/paths-filter@v2.11.1
-      with:
-        filters: |
-          chartyaml:
-            - 'helm/ngrok-operator/Chart.yaml'
-          charts:
-            - 'helm/ngrok-operator/**'
-            - 'scripts/e2e.sh'
-          go:
-            - '**.go'
-            - 'go.mod'
-            - 'go.sum'
-            - 'cmd/**'
-            - 'internal/**'
-            - 'pkg/**'
-            - 'Dockerfile'
-            - 'scripts/e2e.sh'
-            - 'VERSION'
-          tests:
-            - 'test/**'
-          make:
-            - 'Makefile'
-          tag:
-            - 'VERSION'
+    - uses: "ngrok/ngrok-operator/.github/workflows/action-changes.yaml@${{ github.sha }}"
 
   # Make sure that Kubebuilder autogenerated files are up to date.
   kubebuilder-diff:
@@ -113,7 +80,6 @@ jobs:
     - run: git diff --exit-code go.mod
     - run: git diff --exit-code go.sum
 
-
   build-and-test:
     runs-on: ubuntu-latest
     needs:
@@ -125,73 +91,18 @@ jobs:
       (needs.changes.outputs.chartyaml == 'true') ||
       (needs.changes.outputs.tests == 'true') ||
       (needs.changes.outputs.make == 'true')
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-    - uses: actions/checkout@v3
-
-    - uses: debianmaster/actions-k3s@master
-      id: k3s
-      with:
-        version: 'latest'
-    - run: |
-        kubectl get nodes
-        kubectl get pods -A
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
+    - uses: "ngrok/ngrok-operator/.github/workflows/action-build-and-test.yaml@${{ github.sha }}"
       with:
+        # this workflow is for incoming PRs, so we want to skip e2e tests
+        # and deploy the demo mode because our api keys are not available
+        # on contributor's forks
+        run-e2e: false
         go-version: ${{ env.GO_VERSION }}
 
-    - name: Build
-      run: make build
-
-    - name: Lint
-      run: make lint
-
-    - name: Setup Envtest
-      run: make envtest
-
-    - name: Test
-      run: make test
-
-    - name: Build the Docker image
-      run: make docker-build
-
-    - name: Deploy controller to local cluster
-      env:
-        NGROK_API_KEY: ${{ github.repository == 'ngrok/ngrok-operator' && secrets.NGROK_CI_API_KEY || 'fake-api-key' }}
-        NGROK_AUTHTOKEN: ${{ github.repository == 'ngrok/ngrok-operator' && secrets.NGROK_CI_AUTHTOKEN || 'fake-authtoken' }}
-        E2E_BINDING_NAME: k8s/e2e-${{ github.run_id }}
-      run: |
-        # create some namespaces for bindings tests
-        kubectl create ns e2e || true
-
-        # deploy ngrok-op for e2e tests
-        make deploy_for_e2e
-
-    - name: Check if controller is up
-      run: |
-        kubectl get nodes
-        kubectl get pods -A
-
-    - name: Install cosign
-      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
-    - name: Install chainsaw
-      uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
-      with:
-        verify: true
-
-    - name: Run e2e tests
-      if: github.repository == 'ngrok/ngrok-operator'
-      run: |
-        make e2e-tests
-
-    # best effort to remove ngrok k8s resources from cluster
-    # this allows our finalizers to delete upstream ngrok API resources too
-    # that hopefully helps not pollute our ngrok-operator-ci account
-    - name: Cleanup e2e tests
-      run: |
-        make e2e-clean
-
   helm:
     runs-on: ubuntu-latest
     timeout-minutes: 15
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 00000000..deedb6d3
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,39 @@
+name: Tests
+on:
+  push:
+    branches: [ "main" ]
+  pull_request_target:
+    branches: [ "main" ]
+
+env:
+  GO_VERSION: '1.23'
+  DOCKER_BUILDX_PLATFORMS: linux/amd64,linux/arm64
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+    - uses: "ngrok/ngrok-operator/.github/workflows/action-changes.yaml@${{ github.sha }}"
+
+  build-and-test:
+    runs-on: ubuntu-latest
+    needs:
+    - changes
+    - kubebuilder-diff
+    if: |
+      (needs.changes.outputs.go == 'true') ||
+      (needs.changes.outputs.charts == 'true') ||
+      (needs.changes.outputs.chartyaml == 'true') ||
+      (needs.changes.outputs.tests == 'true') ||
+      (needs.changes.outputs.make == 'true')
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+    - uses: "ngrok/ngrok-operator/.github/workflows/action-build-and-test.yaml@${{ github.sha }}"
+      with:
+        run-e2e: true
+        go-version: ${{ env.GO_VERSION }}
diff --git a/Makefile b/Makefile
index b459378f..fe16b477 100644
--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,11 @@ HELM_TEMPLATES_DIR = $(HELM_CHART_DIR)/templates
 
 CONTROLLER_GEN_PATHS = {./api/..., ./internal/controller/...}
 
+# Default Environment Variables
+
+# when true, deploy with --set oneClickDemoMode=true
+DEPLOY_ONE_CLICK_DEMO_MODE ?= false
+
 # Targets
 
 .PHONY: all
@@ -194,6 +199,7 @@ deploy_for_e2e: _deploy-check-env-vars docker-build manifests kustomize _helm_se
 	helm upgrade $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) --install \
 		--namespace $(KUBE_NAMESPACE) \
 		--create-namespace \
+		--set oneClickDemoMode=$(DEPLOY_ONE_CLICK_DEMO_MODE) \
 		--set image.repository=$(IMG) \
 		--set image.tag="latest" \
 		--set podAnnotations."k8s\.ngrok\.com/test"="\{\"env\": \"e2e\"\}" \