diff --git a/roles/push-to-intermediate-registry/tasks/main.yaml b/roles/push-to-intermediate-registry/tasks/main.yaml
index 740d88acc..0d991a08a 100644
--- a/roles/push-to-intermediate-registry/tasks/main.yaml
+++ b/roles/push-to-intermediate-registry/tasks/main.yaml
@@ -1,18 +1,3 @@
-# This can be removed if we add this functionality to Zuul directly
-- name: Load information from zuul_return
-  when: buildset_registry is not defined
-  set_fact:
-    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
-- name: Ensure registry cert directory exists
-  file:
-    path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
-    state: directory
-- name: Write registry TLS certificate
-  copy:
-    content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
-- name: Push image to intermediate registry
+- name: Push images to intermediate registry
+  when: docker_images is defined
   include_tasks: push.yaml
-  loop: "{{ docker_images }}"
-  loop_control:
-    loop_var: image
diff --git a/roles/push-to-intermediate-registry/tasks/push-image.yaml b/roles/push-to-intermediate-registry/tasks/push-image.yaml
new file mode 100644
index 000000000..df922fd23
--- /dev/null
+++ b/roles/push-to-intermediate-registry/tasks/push-image.yaml
@@ -0,0 +1,26 @@
+- name: Push tag to intermediate registry
+  command: >-
+    skopeo --insecure-policy copy
+    --src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
+    --dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
+    docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
+  loop: "{{ image.tags | default(['latest']) }}"
+  loop_control:
+    loop_var: image_tag
+  # no_log: true  TODO(corvus) replace
+
+- name: Return artifact to Zuul
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: "image_{{ image.repository }}:{{ image_tag }}"
+            url: "docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}"
+            metadata:
+              type: container_image
+              repository: "{{ image.repository }}"
+              tag: "{{ image_tag }}"
+  loop: "{{ image.tags | default(['latest']) }}"
+  loop_control:
+    loop_var: image_tag
diff --git a/roles/push-to-intermediate-registry/tasks/push.yaml b/roles/push-to-intermediate-registry/tasks/push.yaml
index df922fd23..cd6d5e387 100644
--- a/roles/push-to-intermediate-registry/tasks/push.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push.yaml
@@ -1,26 +1,18 @@
-- name: Push tag to intermediate registry
-  command: >-
-    skopeo --insecure-policy copy
-    --src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
-    --dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
-    docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
-    docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
-  loop: "{{ image.tags | default(['latest']) }}"
+# This can be removed if we add this functionality to Zuul directly
+- name: Load information from zuul_return
+  when: buildset_registry is not defined
+  set_fact:
+    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+- name: Ensure registry cert directory exists
+  file:
+    path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
+    state: directory
+- name: Write registry TLS certificate
+  copy:
+    content: "{{ buildset_registry.cert }}"
+    dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
+- name: Push image to intermediate registry
+  include_tasks: push-image.yaml
+  loop: "{{ docker_images }}"
   loop_control:
-    loop_var: image_tag
-  # no_log: true  TODO(corvus) replace
-
-- name: Return artifact to Zuul
-  zuul_return:
-    data:
-      zuul:
-        artifacts:
-          - name: "image_{{ image.repository }}:{{ image_tag }}"
-            url: "docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}"
-            metadata:
-              type: container_image
-              repository: "{{ image.repository }}"
-              tag: "{{ image_tag }}"
-  loop: "{{ image.tags | default(['latest']) }}"
-  loop_control:
-    loop_var: image_tag
+    loop_var: image