diff --git a/.github/scripts/compute-image-tag.sh b/.github/scripts/compute-image-tag.sh
new file mode 100755
index 0000000..d0c9c38
--- /dev/null
+++ b/.github/scripts/compute-image-tag.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Computes the OCI image tag for Garden Linux ccloud images
+#
+# This script centralizes the image tag format computation to ensure consistency
+# across all workflows (nightly, dev, upload_oci).
+#
+# Usage:
+# ./compute-image-tag.sh [flavor]
+#
+# Arguments:
+# version - The version for the tag (e.g., "1877.10.1", "pr-123")
+# flavor - The image flavor (e.g., "metal-sci-usi-amd64"). Defaults to "metal-sci-usi-amd64".
+#
+# Environment:
+# GITHUB_SHA - Git commit SHA (required, set automatically by GitHub Actions)
+#
+# Output:
+# Prints the computed image tag to stdout
+#
+# Tag format:
+# {version}-{flavor}-{dashed_version}-{commit_sha_short}
+#
+# Examples:
+# ./compute-image-tag.sh "1877.10.1"
+# # Output: 1877.10.1-metal-sci-usi-amd64-1877-10-1-abcd1234
+#
+# ./compute-image-tag.sh "pr-123" "metal-capi-amd64"
+# # Output: pr-123-metal-capi-amd64-pr-123-abcd1234
+
+set -euo pipefail
+
+VERSION="${1:?Error: VERSION argument required}"
+FLAVOR="${2:-metal-sci-usi-amd64}"
+
+if [ -z "${GITHUB_SHA:-}" ]; then
+ echo "Error: GITHUB_SHA environment variable is required" >&2
+ exit 1
+fi
+
+COMMIT_SHA="${GITHUB_SHA::8}"
+DASHED_VERSION="${VERSION//./-}"
+
+IMAGE_TAG="${VERSION}-${FLAVOR}-${DASHED_VERSION}-${COMMIT_SHA}"
+
+echo "$IMAGE_TAG"
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 96200d3..79cf895 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
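Review bot: compute-image-tag.sh prints `IMAGE_TAG` without checking it, although the callers in this commit append that output to `$GITHUB_OUTPUT` and use it as a registry tag. A `VERSION` or `FLAVOR` argument containing a newline, whitespace, `/` or `:` would produce extra output lines or a reference other than the intended tag. Check the result against the OCI tag grammar just before the final `echo`, for example `[[ "$IMAGE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]] || { echo "Error: invalid image tag: $IMAGE_TAG" >&2; exit 1; }`. The header's `Usage:` line also shows only `[flavor]`, so it should list the required version argument first.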
@@ -55,16 +55,18 @@ jobs: runs-on: ubuntu-latest outputs: UPLOAD_VERSION: ${{ steps.meta.outputs.upload_version }} - COMMIT_SHA: ${{ steps.meta.outputs.sha }} + image_tag: ${{ steps.meta.outputs.image_tag }} steps: - - name: Derive image version + - name: Checkout + uses: actions/checkout@v4 + - name: Compute image metadata id: meta run: | PR_NUMBER=${{ github.event.pull_request.number }} UPLOAD_VERSION="pr-${PR_NUMBER}" echo "upload_version=${UPLOAD_VERSION}" >> $GITHUB_OUTPUT - SHA="${GITHUB_SHA::8}" - echo "sha=${SHA}" >> $GITHUB_OUTPUT + IMAGE_TAG=$(.github/scripts/compute-image-tag.sh "${UPLOAD_VERSION}") + echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT upload: name: Upload PR image to OCI @@ -83,7 +85,7 @@ jobs: if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.event.action != 'closed' }} uses: ./.github/workflows/test.yml with: - image_tag: "${{ needs.meta.outputs.UPLOAD_VERSION }}-metal-sci-usi-amd64-${{ needs.meta.outputs.UPLOAD_VERSION }}-${{ needs.meta.outputs.COMMIT_SHA }}" + image_tag: ${{ needs.meta.outputs.image_tag }} cleanup_images: name: Cleanup PR images diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index feff127..407cefc 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -23,7 +23,7 @@ jobs: with: version: ${{ inputs.version || 'now' }} # to set target to "release" or "nightly" we need proper KMS secrets - # have a look at gardenlinux/.github/workflows/github.mjs + # have a look at gardenlinux/.github/workflows/github.mjs target: dev fail_fast: true platform_test_build: false 
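Review bot: In the `meta` job of dev.yml the added `Checkout` step references `actions/checkout@v4`, a mutable tag, and keeps the default of persisting the job token in the workspace although the job only runs a local script. Pin the action to a full commit SHA and disable credential persistence: `uses: actions/checkout@<full-commit-sha>  # v4` together with `with:` / `persist-credentials: false`. The same applies to the `Checkout` step of the `meta` job added in nightly.yaml, and the pinning point also to `oras-project/setup-oras@v1` added in test.yml. In the same run block, quoting the redirect target as `>> "$GITHUB_OUTPUT"` would match the quoting used in the new script.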
@@ -32,6 +32,20 @@ jobs: # aws_kms_role: ${{ secrets.KMS_SIGNING_IAM_ROLE }} # aws_oidc_session: ${{ secrets.AWS_OIDC_SESSION }} # secureboot_db_kms_arn: ${{ secrets.SECUREBOOT_DB_KMS_ARN }} + meta: + name: Compute image metadata + needs: [build] + runs-on: ubuntu-latest + outputs: + image_tag: ${{ steps.meta.outputs.image_tag }} + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Compute image tag + id: meta + run: | + IMAGE_TAG=$(.github/scripts/compute-image-tag.sh "${{ needs.build.outputs.version }}") + echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT upload_oci: name: Run glcli to publish to OCI needs: [build] @@ -40,3 +54,9 @@ jobs: uses: ./.github/workflows/upload_oci.yml with: version: ${{ needs.build.outputs.version }} + test: + name: Test nightly image + needs: [meta, upload_oci] + uses: ./.github/workflows/test.yml + with: + image_tag: ${{ needs.meta.outputs.image_tag }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 68e6106..729fffd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,19 +1,11 @@ name: test hypervisor capabilities on: - push: - branches: - - feat/ci-test-cloud-hypervisor - workflow_run: - workflows: - - nightly - types: - - completed workflow_dispatch: inputs: image_tag: description: "Image tag to test (must be usi-sci)" type: string - default: "" + required: true workflow_call: inputs: image_tag: 
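Review bot: The `Compute image tag` step added to nightly.yaml expands `${{ needs.build.outputs.version }}` inside the `run:` script, so the value is pasted into the shell source before bash parses it. The build job is called with `version: ${{ inputs.version || 'now' }}` (context of the first hunk of this file), so if the build output reflects a dispatch input, shell metacharacters in it would be interpreted on the runner; how the output is derived is not visible here. Hand the value over as data instead: add `env:` with `BUILD_VERSION: ${{ needs.build.outputs.version }}` to the step and call `.github/scripts/compute-image-tag.sh "$BUILD_VERSION"`.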
@@ -27,20 +19,30 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: Install oras + uses: oras-project/setup-oras@v1 + with: + version: 1.2.2 + - name: Validate image tag + run: | + if [ -z "${{ inputs.image_tag }}" ]; then + echo "Error: image_tag is required" + exit 1 + fi + + echo "Verifying image ${{ inputs.image_tag }} exists in GHCR..." + if ! digest=$(oras resolve ghcr.io/gardenlinux/gardenlinux-ccloud:${{ inputs.image_tag }} 2>&1); then + echo "Error: Image tag '${{ inputs.image_tag }}' not found in ghcr.io/gardenlinux/gardenlinux-ccloud" + echo "Resolve output: $digest" + exit 1 + fi + echo "Image tag present in GHCR (digest: ${digest:0:12}...)" - name: Install Dependencies uses: ./.github/actions/test/integration/dependencies - - name: Obtain newest Tag from GHCR - id: fetch_tag - if: ${{ inputs.image_tag == '' || github.event_name == 'workflow_run' || github.event_name == 'push' }} - run: | - #latest_tag=$(oras repo tags ghcr.io/gardenlinux/gardenlinux-ccloud | grep -E '^[0-9]+\.[0-9]+\.[0-9]+-metal-sci-usi-amd64-[0-9]+-[0-9]+-[0-9]-[0-9a-f]{8}$' | sort --version-sort -r | head -n 1) - latest_tag=$(oras repo tags ghcr.io/gardenlinux/gardenlinux-ccloud | grep -E '^1877\.[0-9]+\.[0-9]+-metal-sci-usi-amd64-[0-9]+-[0-9]+-[0-9]+-[0-9a-f]{8}$' | sort --version-sort -r | head -n 1) - echo $latest_tag - echo "latest_tag=$latest_tag" >> $GITHUB_ENV - name: Build uses: ./.github/actions/test/integration/build with: - image_tag: ${{ env.latest_tag || inputs.image_tag }} + image_tag: ${{ inputs.image_tag }} - name: Setup uses: ./.github/actions/test/integration/setup - name: Test QEMU
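Review bot: The new `Validate image tag` step in test.yml expands `${{ inputs.image_tag }}` directly into the shell script in several places; with `workflow_dispatch` that input is free-form text, so quotes or command substitutions in it become part of the script rather than data. Bind it once through `env:` and reference `"$IMAGE_TAG"` everywhere, as in the excerpt below. The digest returned by `oras resolve` is only logged while the `Build` step still receives the tag, so the image that gets tested can differ from the one verified if the tag is moved in between; passing the digest on would close that gap, assuming the build action (outside this diff) accepts a digest reference.

```yaml
      - name: Validate image tag
        env:
          IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          if [ -z "$IMAGE_TAG" ]; then
          # … unchanged: error message, exit 1, fi …
          echo "Verifying image $IMAGE_TAG exists in GHCR..."
          if ! digest=$(oras resolve "ghcr.io/gardenlinux/gardenlinux-ccloud:$IMAGE_TAG" 2>&1); then
            echo "Error: Image tag '$IMAGE_TAG' not found in ghcr.io/gardenlinux/gardenlinux-ccloud"
          # … unchanged: resolve output, exit 1, fi, success message …
```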