diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 9f1314e3c..01cfb8cc6 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -25,6 +25,7 @@ Fixes ${ISSUE_URL}
 Add one or more labels to trigger offline builds:
 - `build-default` - Full production build (ansible, terraform, all packages)
 - `build-demo` - Demo/WIAB build
+- `build-wiab-staging` - WIAB-staging build
 - `build-min` - Minimal build (fastest, essential charts only)
 - `build-all` - Run all three builds
diff --git a/.github/workflows/offline.yml b/.github/workflows/offline.yml
index aa947a33b..ca98b600e 100644
--- a/.github/workflows/offline.yml
+++ b/.github/workflows/offline.yml
@@ -9,6 +9,7 @@
 # - No label: No builds run (must add label to trigger builds)
 # - 'build-default': Builds only default profile
 # - 'build-demo': Builds only demo profile
+# - 'build-wiab-staging' - Builds only wiab-staging profile
 # - 'build-min': Builds only min profile
 # - 'build-all': Explicitly builds all profiles (useful for workflow changes)
 #
@@ -16,14 +17,14 @@
 #
 on:
 push:
- branches: [master, develop]
+ branches: [wpb-21356*]
 tags: [v*]
 paths-ignore:
 - "*.md"
 - "**/*.md"
 pull_request:
 types: [synchronize, reopened, labeled]
- branches: [master, develop]
+ branches: [wpb-21356*]
 paths-ignore:
 - "*.md"
 - "**/*.md"
@@ -32,9 +33,9 @@ jobs:
 build-default:
 name: Build default profile
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
- contains(github.event.pull_request.labels.*.name, 'build-default')
+ contains(github.event.pull_request.labels.*.name, 'build-default') ||
+ contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
 runs-on:
 group: wire-server-deploy
 outputs:
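Review bot: `branches: [wpb-21356*]` on both the push and pull_request triggers replaces master/develop with what looks like a single ticket-branch pattern, so after merge the workflow would stop running for pull requests against master and develop, and the header comment describing the label flow would no longer match what actually triggers. If the pattern was only there to exercise the workflow from this branch, restore `branches: [master, develop]` before merging; if another branch really should trigger builds, add it alongside the existing two rather than replacing them.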
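Review bot: Removing `github.event_name == 'push' ||` from build-default's `if` leaves only label checks, and `github.event.pull_request.labels` is empty on push events, so a push — including the `tags: [v*]` trigger this file still declares — now starts no build at all; the build-demo and build-min hunks further down remove the same clause. If release-tag builds are still wanted, keep a push clause such as `startsWith(github.ref, 'refs/tags/') ||`; if builds are meant to be label-only from now on, drop the `tags:` trigger and say so in the header comment. The new verify-default and verify-wiab-staging jobs inherit the same gate through `needs: build-default`.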
@@ -72,6 +73,27 @@ jobs:
 AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
 AWS_REGION: "eu-west-1"
+ verify-default:
+ name: Verify default profile
+ needs: build-default
+ if: |
+ contains(github.event.pull_request.labels.*.name, 'build-all') ||
+ contains(github.event.pull_request.labels.*.name, 'build-default')
+ runs-on:
+ group: wire-server-deploy
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - uses: cachix/install-nix-action@v27
+ - uses: cachix/cachix-action@v15
+ with:
+ name: wire-server
+ signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+ - name: Install nix environment
+ run: nix-env -f default.nix -iA env
+
 - name: Install terraform
 uses: hashicorp/setup-terraform@v3
 with:
@@ -89,6 +111,45 @@ jobs:
 env:
 HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+ # verify wiab-staging profile
+ verify-wiab-staging:
+ name: Verify wiab staging profile
+ needs: build-default
+ if: |
+ contains(github.event.pull_request.labels.*.name, 'build-all') ||
+ contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
+ runs-on:
+ group: wire-server-deploy
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - uses: cachix/install-nix-action@v27
+ - uses: cachix/cachix-action@v15
+ with:
+ name: wire-server
+ signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+ - name: Install nix environment
+ run: nix-env -f default.nix -iA env
+
+ - name: Install terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "^1.3.7"
+ terraform_wrapper: false
+
+ - name: Deploy offline wiab-staging environment to hetzner
+ run: ./offline/cd_staging.sh
+ env:
+ HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
+ - name: Clean up hetzner wiab-staging environment; just in case
+ if: always()
+ run: (cd terraform/examples/wiab-staging-hetzner ; terraform init && terraform destroy -auto-approve)
+ env:
+ HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
 # Build container in parallel
 build-container:
 name: Build container
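Review bot: The new verify-default job carries no comment explaining that the `Install terraform` context line and everything after it used to belong to build-default and now runs in a separate job that only `needs:` it, so the hunk reads as if build-default simply lost its deploy steps; a two-line comment above `verify-default:` stating that build-default now only produces and publishes the bundle while this job fetches and deploys it (presumably through `offline/cd.sh`, which the later hunks change to download from S3) would make the split self-explanatory. This job and verify-wiab-staging in the next hunk both pin `actions/checkout@v2`, a major version GitHub has deprecated; new jobs should start on a current major. The remainder of verify-default's steps lies outside this hunk.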
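Review bot: The teardown step `Clean up hetzner wiab-staging environment; just in case` runs `terraform init && terraform destroy -auto-approve` under `if: always()` in `terraform/examples/wiab-staging-hetzner`, which is the `TF_DIR` cd_staging.sh uses, so a failed deploy is torn down; no equivalent for verify-default is visible in this diff, and if none exists a failed default verification leaves Hetzner resources running. A comment above the deploy step should also say that cd_staging.sh names the bundle from `GITHUB_SHA`, which on pull_request events is the merge commit rather than the PR head, so this job only finds the artifact if build-default published it under the same value. The setup lines duplicated between the two verify jobs and build-default could live in a composite action, but that is a style point.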
@@ -118,7 +179,6 @@ jobs:
 build-demo:
 name: Build demo profile
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-demo')
 runs-on:
@@ -179,7 +239,6 @@ jobs:
 build-min:
 name: Build min profile
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-min')
 runs-on:
diff --git a/changelog.d/3-deploy-builds/wiab-staging b/changelog.d/3-deploy-builds/wiab-staging
index cbb040300..fd88872d7 100644
--- a/changelog.d/3-deploy-builds/wiab-staging
+++ b/changelog.d/3-deploy-builds/wiab-staging
@@ -3,3 +3,4 @@ Changed: Add ansible playbook for wiab-staging VM provisioning
 Fixed: offline-deploy.sh for SSH_AUTH_SOCK handling and remove defunct passwords for postgresql
 Added: terraform resources for wiab-staging
 Added: cd_staging script to verify the default build bundle
+Changed: changed the flow of offline.yml - introduced wiab-staging build and split bundle processing with default-build
diff --git a/offline/cd.sh b/offline/cd.sh
index d58bff013..3db06c4d1 100755
--- a/offline/cd.sh
+++ b/offline/cd.sh
@@ -7,6 +7,9 @@ TF_DIR="${CD_DIR}/../terraform/examples/wire-server-deploy-offline-hetzner"
 ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
+COMMIT_HASH="${GITHUB_SHA}"
+ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
+
 # Retry configuration
 MAX_RETRIES=3
 RETRY_DELAY=30
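Review bot: `COMMIT_HASH="${GITHUB_SHA}"` has no guard for an unset variable, so running cd.sh outside Actions (or with the variable missing) yields `ARTIFACT=wire-server-deploy-static-` and the wget added further down requests a nonexistent object instead of failing with a clear message; `: "${GITHUB_SHA:?GITHUB_SHA must be set}"` before the assignment fails fast. Whether the script runs under `set -u` is not visible in this hunk. The same unguarded assignment already exists in cd_staging.sh and would benefit from the same line.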
@@ -110,15 +113,19 @@ ssh-add - <<< "$ssh_private_key"
 terraform output -json static-inventory > inventory.json
 yq eval -o=yaml '.' inventory.json > inventory.yml
-ssh -oStrictHostKeyChecking=accept-new -oConnectionAttempts=10 "root@$adminhost" tar xzv < "$ARTIFACTS_DIR/assets.tgz"
+ssh -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 \
+ "root@$adminhost" wget -q "https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/${ARTIFACT}.tgz"
+
+ssh -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 \
+ "root@$adminhost" tar xzf "$ARTIFACT.tgz"
 # override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml
-scp -A "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
+scp -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
-scp inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
+scp -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
 ssh "root@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true
-
+ls -ls ssh_private_key || true
 echo "Running ansible playbook setup_nodes.yml via adminhost ($adminhost)..."
 ansible-playbook -i inventory.yml setup_nodes.yml --private-key "ssh_private_key" \
 -e "ansible_ssh_common_args='-o ProxyCommand=\"ssh -W %h:%p -q root@$adminhost -i ssh_private_key\" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"
diff --git a/offline/cd_staging.sh b/offline/cd_staging.sh
index 680393f43..dcec2997a 100755
--- a/offline/cd_staging.sh
+++ b/offline/cd_staging.sh
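Review bot: The adminhost now downloads the bundle itself with `wget -q` from a public S3 URL and the next ssh call extracts it, replacing the previous stream of the locally built `assets.tgz` over ssh; nothing verifies that the file that arrived is the one build-default uploaded, and with `-q` a 404 or truncated transfer shows up only as a non-zero exit of the ssh command, which the script ignores unless it runs under `set -e` (not visible here). Publishing a checksum next to the tarball and checking it on the adminhost before `tar xzf` — `sha256sum -c "$ARTIFACT.tgz.sha256"` or similar, with the checksum file name being a constructed example — would tie the extracted content to the build, and the wget ssh call should fail the script explicitly. `ls -ls ssh_private_key || true` looks like a debugging leftover; dropping `-A` (agent forwarding) from the scp calls is a welcome change.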
@@ -6,6 +6,7 @@ CD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 TF_DIR="${CD_DIR}/../terraform/examples/wiab-staging-hetzner"
 ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
+
 COMMIT_HASH="${GITHUB_SHA}"
 ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
@@ -113,6 +114,9 @@ chmod 400 ssh_private_key
 terraform output -json static-inventory > inventory.json
 yq eval -o=yaml '.' inventory.json > inventory.yml
+# remove me
+cat inventory.yml
+
 echo "Running ansible playbook setup_nodes.yml via adminhost ($adminhost)..."
 ansible-playbook -i inventory.yml setup_nodes.yml --private-key "ssh_private_key"
@@ -124,7 +128,7 @@ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAt
 "demo@$adminhost" tar xzf "$ARTIFACT.tgz"
 # override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml
-scp -A "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "demo@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
+scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "demo@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
 # Source and target files
 SOURCE="inventory.yml"
@@ -192,7 +196,7 @@ yq eval -i ".all.vars.ansible_ssh_private_key_file = \"ssh/ssh_private_key\"" "$
 echo "created secondary inventory file $TARGET successfully"
-scp "$TARGET" "demo@$adminhost":./ansible/inventory/offline/inventory.yml
+scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "$TARGET" "demo@$adminhost":./ansible/inventory/offline/inventory.yml
 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "demo@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true
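Review bot: `# remove me` followed by `cat inventory.yml` in the second hunk is a self-labelled debugging leftover that prints the generated inventory into the job log on every run; the script already echoes the remote copy later via `ssh ... cat ./ansible/inventory/offline/inventory.yml || true`, so this adds nothing a reader needs. Drop both added lines before merging.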
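Review bot: The scp calls in the `@@ -124` and `@@ -192` hunks now pass `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which turns off host-key verification for every transfer; this matches the ssh calls already in this script, but cd.sh in the same PR uses `-oStrictHostKeyChecking=accept-new` for the same kind of freshly provisioned adminhost. `accept-new` records the key on first contact and rejects a changed key for the rest of the run, so using it here (with a per-run known_hosts file instead of /dev/null) keeps the no-prompt behaviour while still catching a host substitution mid-run. Removing `-A` (agent forwarding) from these scp calls is a good change.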