diff --git a/.cloudbuild/reads.cloudbuild.yaml b/.cloudbuild/reads.cloudbuild.yaml
index 47bfc7537..fcaa96a0c 100644
--- a/.cloudbuild/reads.cloudbuild.yaml
+++ b/.cloudbuild/reads.cloudbuild.yaml
@@ -9,6 +9,7 @@ steps:
         'deploy/dockerfiles/reads/reads-server.dockerfile',
         '.',
       ]
+
   - name: 'gcr.io/cloud-builders/docker'
     args:
       [
@@ -19,7 +20,42 @@ steps:
         'deploy/dockerfiles/reads/auth.dockerfile',
         '.',
       ]
-# TODO: commented out for testing without push
-# images:
-#   - 'us-docker.pkg.dev/$PROJECT_ID/gnomad/gnomad-reads-server:$SHORT_SHA'
-#   - 'us-docker.pkg.dev/$PROJECT_ID/gnomad/gnomad-reads-api:$SHORT_SHA'
+
+  - name: 'gcr.io/cloud-builders/docker'
+    args: ['push', 'us-docker.pkg.dev/$PROJECT_ID/gnomad/gnomad-reads-server:$SHORT_SHA']
+
+  - name: 'gcr.io/cloud-builders/docker'
+    args: ['push', 'us-docker.pkg.dev/$PROJECT_ID/gnomad/gnomad-api-server:$SHORT_SHA']
+
+  # Note: we use a custom image here to get the latest version of kustomize. See:
+  # https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/kustomize
+  # for instructions on how to build that image.
+  - name: 'us-docker.pkg.dev/${PROJECT_ID}/gnomad/kustomize:v5.4.1'
+    entrypoint: bash
+    args:
+      - -c
+      - |
+        mkdir -p /root/.ssh && chmod 0700 /root/.ssh && \
+        echo "$$DEPLOY_KEY" > /root/.ssh/id_rsa && \
+        chmod 400 /root/.ssh/id_rsa && \
+        ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts && \
+        git clone git@github.com:broadinstitute/gnomad-deployments.git && \
+        cd gnomad-deployments/reads/bluegreen && \
+        /usr/bin/kustomize --stack-trace edit set image "gnomad-reads-server=us-docker.pkg.dev/${PROJECT_ID}/gnomad/gnomad-reads-server:${SHORT_SHA}" && \
+        /usr/bin/kustomize --stack-trace edit set image "gnomad-api-server=us-docker.pkg.dev/${PROJECT_ID}/gnomad/gnomad-api-server:${SHORT_SHA}" && \
+        git add kustomization.yaml && \
+        git -c user.name="TGG Automation" -c user.email="tgg-automation@broadinstitute.org" commit -m "Deploying gnomad reads images with tag:${SHORT_SHA}\n
+        Built from gnomad-browser ${COMMIT_SHA}" && \
+        git push origin main
+
+    secretEnv:
+      - 'DEPLOY_KEY'
+
+images:
+  - 'us-docker.pkg.dev/$PROJECT_ID/gnomad/gnomad-reads-server:$SHORT_SHA'
+  - 'us-docker.pkg.dev/$PROJECT_ID/gnomad/gnomad-reads-api:$SHORT_SHA'
+
+availableSecrets:
+  secretManager:
+    - versionName: projects/$PROJECT_ID/secrets/GITHUB_DEPLOY_KEY/versions/latest
+      env: 'DEPLOY_KEY'