diff --git a/.buildkite/experimental/0_webui.yml b/.buildkite/experimental/0_webui.yml
new file mode 100644
index 00000000000000..ab3f68db4c3931
--- /dev/null
+++ b/.buildkite/experimental/0_webui.yml
@@ -0,0 +1,18 @@
+# This file represents what is put into the webUI.
+# It is purely for keeping track of the changes we make to the webUI configuration; modifying this file has no effect.
+# We use the `cryptic` buildkite plugin to provide secrets management, which requires some integration into the WebUI's steps.
+agents:
+ queue: "julia"
+ sandbox.jl: "true"
+
+steps:
+ - label: ":unlock: Unlock secrets, launch pipelines"
+ plugins:
+ - staticfloat/cryptic:
+ # Our list of pipelines that should be launched (but don't require a signature)
+ # These pipelines can be modified by any contributor and CI will still run.
+ # Build secrets will not be available in these pipelines (or their children)
+ # but some of our signed pipelines can wait upon the completion of these unsigned
+ # pipelines.
+ unsigned_pipelines:
+ - .buildkite/experimental/pipeline.yml
diff --git a/.buildkite/experimental/pipeline.yml b/.buildkite/experimental/pipeline.yml
new file mode 100644
index 00000000000000..6f86f7ef243e5c
--- /dev/null
+++ b/.buildkite/experimental/pipeline.yml
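Review bot: The `staticfloat/cryptic:` plugin entry carries no `#ref`, unlike `JuliaCI/julia#v1` and `staticfloat/sandbox#v1` in sanitizers.yml, so the step that unlocks secrets would, as far as I know of Buildkite's plugin resolution, run whatever the plugin's default branch holds at build time. Since this plugin is the boundary between signed and unsigned pipelines, pin it to a release tag or, better, a full commit SHA, e.g. `- staticfloat/cryptic#<PINNED_REF>:` (placeholder; take the value from the plugin repository). Because this file only mirrors the WebUI steps, the same pin has to be applied in the WebUI configuration to take effect.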
@@ -0,0 +1,19 @@
+# This file launches all the build jobs that _don't_ require secrets access.
+# These jobs can pass their output off to jobs that do require secrets access,
+# but those privileged steps require signing before they can be run.
+#
+# Yes, this is creating another layer of indirection; the flow now looks like:
+#
+# [webui] -> pipeline.yml -> llvm_passes.yml
+#
+# when we could theoretically just have the `webui` launch `llvm_passes.yml`,
+# however this raises the bar for contributors to add new (unsigned) steps to
+# our CI configuration, so I'd rather live with an extra layer of indirection
+# and only need to touch the webui configuration when we need to alter
+# something about the privileged steps.
+steps:
+ - label: ":buildkite: Launch unsigned pipelines"
+ commands: |
+ buildkite-agent pipeline upload .buildkite/experimental/sanitizers.yml
+ agents:
+ queue: julia
diff --git a/.buildkite/sanitizers.yml b/.buildkite/experimental/sanitizers.yml
similarity index 85%
rename from .buildkite/sanitizers.yml
rename to .buildkite/experimental/sanitizers.yml
index f29ed4e42a4a6c..534dac81e53f32 100644
--- a/.buildkite/sanitizers.yml
+++ b/.buildkite/experimental/sanitizers.yml
@@ -14,8 +14,8 @@ steps:
 - JuliaCI/julia#v1:
 version: 1.6
 - staticfloat/sandbox#v1:
- rootfs_url: https://github.com/JuliaCI/rootfs-images/releases/download/v1/llvm-passes.tar.gz
- rootfs_treehash: "f3ed53f159e8f13edfba8b20ebdb8ece73c1b8a8"
+ rootfs_url: https://github.com/JuliaCI/rootfs-images/releases/download/v2.0/llvm_passes.tar.gz
+ rootfs_treehash: "0b5a80c1d0ab110a57fbdb7f4bc042a5ede310f3"
 uid: 1000
 gid: 1000
 workspaces:
@@ -29,6 +29,6 @@ steps:
 echo "--- Test that ASAN is enabled"
 contrib/asan/check.jl ./tmp/test-asan/asan/usr/bin/julia-debug
 timeout_in_minutes: 120
- notify:
- - github_commit_status:
- context: "asan"
+ # notify:
+ # - github_commit_status:
+ # context: "asan"
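Review bot: The header comment documents the flow as `[webui] -> pipeline.yml -> llvm_passes.yml`, but the only command in this new file uploads `.buildkite/experimental/sanitizers.yml`, so the comment does not describe what this launcher actually starts. This file is listed under `unsigned_pipelines` in 0_webui.yml and is therefore editable by any contributor, so its commentary is what a reviewer uses to see which jobs run without secrets. Suggest `# [webui] -> pipeline.yml -> sanitizers.yml` and the matching file name in the sentence that follows. The clause "however this raises the bar for contributors" also reads as if the extra layer were the obstacle; rewording it to say that launching directly from the webui would raise the bar makes the rationale unambiguous.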
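Review bot: The `notify:` / `github_commit_status` block at the end of the ASAN step in sanitizers.yml is commented out with no explanation, so the job's result would presumably no longer be reported as the `asan` commit status and a sanitizer failure becomes easy to miss on a pull request. If this is intentional while the pipeline lives under `experimental/`, say so directly above the commented lines, e.g. `# Commit status disabled while this pipeline is experimental; restore once ASAN results should be reported on PRs.`; otherwise delete the dead lines rather than keeping them as comments. The step itself starts above this hunk.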
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 99473055f2eeb4..097b8976eea702 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -19,6 +19,5 @@ steps:
 buildkite-agent pipeline upload .buildkite/whitespace.yml
 buildkite-agent pipeline upload .buildkite/embedding.yml
 buildkite-agent pipeline upload .buildkite/llvm_passes.yml
- buildkite-agent pipeline upload .buildkite/sanitizers.yml
 agents:
 queue: julia