diff --git a/.github/in-cluster-test-scripts/external-workloads-install.sh b/.github/in-cluster-test-scripts/external-workloads-install.sh
deleted file mode 100644
index 58767cf49c..0000000000
--- a/.github/in-cluster-test-scripts/external-workloads-install.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-set -x
-set -e
-
-# Install Cilium in cluster
-cilium install \
-  --version "${CILIUM_VERSION}" \
-  --set cluster.name="${CLUSTER_NAME}" \
-  --set bpf.monitorAggregation=none \
-  --datapath-mode=tunnel \
-  --set kubeProxyReplacement=true \
-  --set loadBalancer.l7.backend=envoy \
-  --set tls.secretsBackend=k8s \
-  --set ipv4NativeRoutingCIDR="${CLUSTER_CIDR}"
-
-# Enable Relay
-cilium hubble enable
-
-# Wait for cilium and hubble relay to be ready
-# NB: necessary to work against occassional flakes due to https://github.com/cilium/cilium-cli/issues/918
-cilium status --wait
-
-# Enable cluster mesh
-# Explicitly specify LoadBalancer service type since the default type is NodePort in helm mode.
-# Ref: https://github.com/cilium/cilium-cli/pull/1527#discussion_r1177244379
-#
-# In Helm mode, externalWorkloads.enabled is set to false by default. You need to pass
-# --enable-external-workloads flag to enable it.
-# Ref: https://github.com/cilium/cilium/pull/25259
-cilium clustermesh enable --service-type LoadBalancer --enable-external-workloads
-
-# Wait for cluster mesh status to be ready
-cilium clustermesh status --wait
-
-# Add VM to cluster mesh
-cilium clustermesh vm create "${VM_NAME}" -n default --ipv4-alloc-cidr 10.192.1.0/30
-cilium clustermesh vm status
-
-# Create install script for VMs
-cilium clustermesh vm install install-external-workload.sh --config debug
-kubectl -n kube-system create cm install-external-workload-script --from-file=script=install-external-workload.sh
diff --git a/.github/in-cluster-test-scripts/external-workloads.sh b/.github/in-cluster-test-scripts/external-workloads.sh
deleted file mode 100644
index 1a619eb9ac..0000000000
--- a/.github/in-cluster-test-scripts/external-workloads.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-set -x
-set -e
-
-# Run connectivity test
-cilium connectivity test --debug --all-flows --collect-sysdump-on-failure --external-target google.com.
-
-# Run performance test
-cilium connectivity perf --duration 1s
diff --git a/.github/workflows/externalworkloads.yaml b/.github/workflows/externalworkloads.yaml
index d0856a6fc8..5f68d0f97f 100644
--- a/.github/workflows/externalworkloads.yaml
+++ b/.github/workflows/externalworkloads.yaml
@@ -147,55 +147,52 @@ jobs:
         run: |
           gcloud container clusters get-credentials ${{ env.clusterName }} --zone ${{ env.zone }}
 
-      - name: Create gcloud-free kubeconfig and load it in configmap
-        run: |
-          .github/get-kubeconfig.sh
-          kubectl create configmap cilium-cli-kubeconfig -n kube-system --from-file kubeconfig
-
-      - name: Load cilium install script in configmap
-        run: |
-          kubectl create configmap cilium-cli-test-script-install -n kube-system --from-file=in-cluster-test-script.sh=.github/in-cluster-test-scripts/external-workloads-install.sh
-
-      - name: Create cilium-cli install job
-        run: |
-          helm install .github/cilium-cli-test-job-chart \
-            --generate-name \
-            --set tag=${{ steps.vars.outputs.sha }} \
-            --set cilium_version=${{ env.cilium_version }} \
-            --set cluster_name=${{ env.clusterName }} \
-            --set job_name=cilium-cli-install \
-            --set test_script_cm=cilium-cli-test-script-install \
-            --set vm_name=${{ env.vmName }} \
-            --set cluster_cidr=${{ steps.cluster.outputs.cluster_cidr }}
-
-      - name: Wait for install job
-        env:
-          timeout: 10m
-        run: |
-          # Background wait for job to complete or timeout
-          kubectl -n kube-system wait job/cilium-cli-install --for=condition=complete --timeout=${{ env.timeout }} &
-          complete_pid=$!
-
-          # Background wait for job to fail
-          (kubectl -n kube-system wait job/cilium-cli-install --for=condition=failed --timeout=${{ env.timeout }} && exit 1) &
-          failed_pid=$!
-
-          # Active wait for whichever background process ends first
-          wait -n $complete_pid $failed_pid
-          EXIT_CODE=$?
-
-          # Retrieve job logs
-          kubectl logs --timestamps -n kube-system job/cilium-cli-install
-          exit ${EXIT_CODE}
-        shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
+      - name: Install Cilium CLI
+        uses: ./
+        with:
+          skip-build: 'true'
+          image-tag: ${{ steps.vars.outputs.sha }}
+
+      - name: Install Cilium
+        timeout-minutes: 10
+        run: |
+          # Install Cilium in cluster
+          cilium install \
+            --version "${{ env.cilium_version }}" \
+            --set cluster.name="${{ env.clusterName }}" \
+            --set bpf.monitorAggregation=none \
+            --datapath-mode=tunnel \
+            --set kubeProxyReplacement=true \
+            --set loadBalancer.l7.backend=envoy \
+            --set tls.secretsBackend=k8s \
+            --set ipv4NativeRoutingCIDR="${{ steps.cluster.outputs.cluster_cidr }}"
+
+          # Enable Relay
+          cilium hubble enable
+
+          # Wait for cilium and hubble relay to be ready
+          # NB: necessary to work against occassional flakes due to https://github.com/cilium/cilium-cli/issues/918
+          cilium status --wait
+
+          # Enable cluster mesh
+          # Explicitly specify LoadBalancer service type since the default type is NodePort in helm mode.
+          # Ref: https://github.com/cilium/cilium-cli/pull/1527#discussion_r1177244379
+          #
+          # In Helm mode, externalWorkloads.enabled is set to false by default. You need to pass
+          # --enable-external-workloads flag to enable it.
+          # Ref: https://github.com/cilium/cilium/pull/25259
+          cilium clustermesh enable --service-type LoadBalancer --enable-external-workloads
+
+          # Wait for cluster mesh status to be ready
+          cilium clustermesh status --wait
+
+          # Add VM to cluster mesh
+          cilium clustermesh vm create ${{ env.vmName }} -n default --ipv4-alloc-cidr 10.192.1.0/30
+          cilium clustermesh vm status
 
-      - name: Copy VM install script from cilium-cli-install pod
-        run: |
-          kubectl -n kube-system get configmap install-external-workload-script -o go-template='{{ .data.script }}' > install-external-workload.sh
+          # Create install script for VMs
+          cilium clustermesh vm install install-external-workload.sh --config debug
           chmod +x install-external-workload.sh
-
-      - name: Finish installing Cilium on VM
-        run: |
           gcloud compute scp install-external-workload.sh ${{ env.vmName }}:~/ --zone ${{ env.zone }}
           gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} \
             --command "~/install-external-workload.sh"
@@ -213,38 +210,14 @@ jobs:
           gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} \
             --command "ping -c 3 \$(sudo cilium service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')"
 
-      - name: Load cilium test script in configmap
+      - name: Run Test
+        timeout-minutes: 15
         run: |
-          kubectl create configmap cilium-cli-test-script -n kube-system --from-file=in-cluster-test-script.sh=.github/in-cluster-test-scripts/external-workloads.sh
+          # Run connectivity test
+          cilium connectivity test --debug --all-flows --collect-sysdump-on-failure --external-target google.com.
 
-      - name: Create cilium-cli test job
-        run: |
-          helm install .github/cilium-cli-test-job-chart \
-            --generate-name \
-            --set tag=${{ steps.vars.outputs.sha }} \
-            --set job_name=cilium-cli \
-            --set test_script_cm=cilium-cli-test-script
-
-      - name: Wait for test job
-        env:
-          timeout: 15m
-        run: |
-          # Background wait for job to complete or timeout
-          kubectl -n kube-system wait job/cilium-cli --for=condition=complete --timeout=${{ env.timeout }} &
-          complete_pid=$!
-
-          # Background wait for job to fail
-          (kubectl -n kube-system wait job/cilium-cli --for=condition=failed --timeout=${{ env.timeout }} && exit 1) &
-          failed_pid=$!
-
-          # Active wait for whichever background process ends first
-          wait -n $complete_pid $failed_pid
-          EXIT_CODE=$?
-
-          # Retrieve job logs
-          kubectl logs --timestamps -n kube-system job/cilium-cli
-          exit ${EXIT_CODE}
-        shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
+          # Run performance test
+          cilium connectivity perf --duration 1s
 
       - name: Post-test information gathering
         if: ${{ !success() }}
@@ -253,13 +226,6 @@ jobs:
           gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} --command "sudo cilium status"
           gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} --command "sudo docker logs cilium --timestamps"
 
-          echo "=== Install latest stable CLI ==="
-          curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
-          sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
-          sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/bin
-          rm cilium-linux-amd64.tar.gz{,.sha256sum}
-          cilium version
-
           echo "=== Retrieve cluster state ==="
           kubectl get pods --all-namespaces -o wide
           kubectl get cew --all-namespaces -o wide