diff --git a/.github/workflows/Build-and-deploy-deduplication-api.yaml b/.github/workflows/Build-and-deploy-deduplication-api.yaml
index 6d6d809ad..7b4fe64e9 100644
--- a/.github/workflows/Build-and-deploy-deduplication-api.yaml
+++ b/.github/workflows/Build-and-deploy-deduplication-api.yaml
@@ -1,38 +1,65 @@
-#name: Build and push deduplication-api image to ECR
-#on:
-#  push:
-#    branches:
-#      - main
-#      - rel-**
-#    paths:
-#      - "deduplication/**"
-#
-#jobs:
-## APP-145: turned off sonar scan for now until it is fixed (1/8/26)
-##  sonar_scan:
-##    permissions:
-##      id-token: write
-##      contents: read
-##    uses: ./.github/workflows/sonar.yaml
-##    secrets:
-##      CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID: ${{secrets.CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID}}
-##      PASSED_GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-##      SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
-##      DATABASE_USER: ${{secrets.DATABASE_USER}}
-##      DATABASE_PASSWORD: ${{secrets.DATABASE_PASSWORD}}
-#  call-build-microservice-container-workflow:
-#    permissions:
-#      id-token: write
-#      contents: read
-#      security-events: write
-#    name: Build Container
-##    needs: sonar_scan
-#    uses: CDCgov/NEDSS-Workflows/.github/workflows/Build-gradle-microservice-container.yaml@main
-#    with:
-#      microservice_name: nbs7-deduplication-api
-#      dockerfile_relative_path: -f ./deduplication/Dockerfile .
-#      environment_classifier: SNAPSHOT
-#      java_version: "21"
-#    secrets:
-#      NBS_ACCOUNTID: ${{secrets.NBS_ACCOUNTID}}
-#
+name: Build and push deduplication-api image to ECR
+on:
+  workflow_dispatch:
+ push:
+   branches:
+     - main
+     - rel-**
+   paths:
+     - "deduplication/**"
+
+jobs:
+ sonar_scan:
+   permissions:
+     id-token: write
+     contents: read
+   uses: ./.github/workflows/sonar.yaml
+   secrets:
+      CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID: ${{secrets.CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID}}
+      PASSED_GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
+      DATABASE_USER: ${{secrets.DATABASE_USER}}
+      DATABASE_PASSWORD: ${{secrets.DATABASE_PASSWORD}}
+ extract-version-suffix:
+   name: Extract image tag from version
+   needs: sonar_scan
+   runs-on: ubuntu-latest
+   outputs:
+     image_tag: ${{ steps.parse.outputs.image_tag }}
+   steps:
+     - name: Checkout repo
+       uses: actions/checkout@v4
+     - name: Read version from build.gradle and extract suffix
+       id: parse
+       run: |
+         version_line=$(grep "^version" ./deduplication/build.gradle)
+         version=$(echo "$version_line" | sed -E "s/version *= *['\"]([^'\"]+)['\"]/\1/")
+         echo "Full version: $version"
+
+         # Default value
+         image_tag="SNAPSHOT"
+
+         # Match SNAPSHOT-123
+         if [[ "$version" =~ SNAPSHOT-([0-9]+) ]]; then
+           image_tag="SNAPSHOT-${BASH_REMATCH[1]}"
+         elif [[ "$version" =~ SNAPSHOT ]]; then
+           image_tag="SNAPSHOT"
+         fi
+
+         echo "image_tag=$image_tag" >> $GITHUB_OUTPUT
+ call-build-microservice-container-workflow:
+   permissions:
+     id-token: write
+     contents: read
+     security-events: write
+   name: Build Container
+   needs: extract-version-suffix
+   uses: CDCgov/NEDSS-Workflows/.github/workflows/Build-gradle-microservice-container.yaml@main
+   with:
+     microservice_name: nbs7-deduplication-api
+     dockerfile_relative_path: -f ./deduplication/Dockerfile .
+     environment_classifier: ${{ needs.extract-version-suffix.outputs.image_tag }}
+     java_version: "21"
+   secrets:
+     NBS_ACCOUNTID: ${{secrets.NBS_ACCOUNTID}}
+
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
index 41b6ebb17..c1f1104cd 100644
--- a/.github/workflows/sonar.yaml
+++ b/.github/workflows/sonar.yaml
@@ -20,12 +20,6 @@ on:
       DATABASE_PASSWORD:
         description: "Test database password"
         required: true
-      TOKEN_SECRET:
-        description: "Secret named TOKEN_SECRET that references a default JWT token key"
-        required: true
-      PARAMETER_SECRET:
-        description: "Secret named PARAMETER_SECRET that references a default key for encrypting search parameters"
-        required: true
   pull_request:
     paths:
       - "data-ingestion-service/**"
@@ -41,8 +35,6 @@ env:
   sonar_token: ${{secrets.SONAR_TOKEN}}
   test_database_user: ${{secrets.DATABASE_USER}}
   test_database_password: ${{secrets.DATABASE_PASSWORD}}
-  token_secret: ${{secrets.TOKEN_SECRET}}
-  parameter_secret: ${{secrets.PARAMETER_SECRET}}
 
 jobs:
   pipeline:
@@ -128,8 +120,6 @@ jobs:
           SONAR_TOKEN: ${{ env.sonar_token }}
           DATABASE_USER: ${{ env.test_database_user }}
           DATABASE_PASSWORD: ${{ env.test_database_password }}
-          TOKEN_SECRET: ${{ env.token_secret }}
-          PARAMETER_SECRET: ${{ env.parameter_secret }}
         run: |
           ./gradlew build test sonarqube \
             "-Dorg.gradle.jvmargs=-Xms512m -Xmx4g -XX:MaxMetaspaceSize=1g" \