diff --git a/.github/workflows/build-sandboxes.yml b/.github/workflows/build-sandboxes.yml
index 6768a04..61ca889 100644
--- a/.github/workflows/build-sandboxes.yml
+++ b/.github/workflows/build-sandboxes.yml
@@ -17,6 +17,8 @@ on:
 env:
 REGISTRY: ghcr.io
 IMAGE_PREFIX: ${{ github.repository }}
+ ECR_REGISTRY: 524473328983.dkr.ecr.us-west-2.amazonaws.com
+ ECR_IMAGE_PREFIX: nemoclaw-community
 permissions:
 contents: read
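Review bot: `ECR_REGISTRY` puts the AWS account ID and region in the workflow-level `env`, so the value is exported to every job, while only `publish-ecr` reads it as far as the visible hunks show. Consider defining both variables in that job's `env`, or reading them from repository variables, e.g. `ECR_REGISTRY: ${{ vars.ECR_REGISTRY }}`, and add a comment naming the account and repository namespace they point at. The region is repeated in the second hunk as `AWS_DEFAULT_REGION: us-west-2` and `--region us-west-2`, so three places have to stay in sync.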
@@ -217,3 +219,78 @@ jobs:
 BASE_IMAGE=${{ steps.base.outputs.image }}
 cache-from: type=gha,scope=${{ matrix.sandbox }}
 cache-to: type=gha,mode=max,scope=${{ matrix.sandbox }}
+
+ # ---------------------------------------------------------------------------
+ # Publish images to ECR (re-tag from GHCR, no rebuild required)
+ # ---------------------------------------------------------------------------
+ publish-ecr:
+ name: Publish to ECR
+ needs: [detect-changes, build-base, build]
+ if: |
+ always() &&
+ github.ref == 'refs/heads/main' &&
+ needs.detect-changes.result == 'success' &&
+ (needs.build-base.result == 'success' || needs.build-base.result == 'skipped') &&
+ (needs.build.result == 'success' || needs.build.result == 'skipped')
+ runs-on: ubuntu-latest
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_DEFAULT_REGION: us-west-2
+ steps:
+ - name: Lowercase image prefix
+ id: repo
+ run: echo "image_prefix=${IMAGE_PREFIX,,}" >> "$GITHUB_OUTPUT"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Log in to ECR
+ run: aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${{ env.ECR_REGISTRY }}
+
+ - name: Copy base image to ECR
+ if: needs.detect-changes.outputs.base-changed == 'true'
+ run: |
+ set -euo pipefail
+ GHCR_IMAGE="${{ env.REGISTRY }}/${{ steps.repo.outputs.image_prefix }}/sandboxes/base"
+ ECR_IMAGE="${{ env.ECR_REGISTRY }}/${{ env.ECR_IMAGE_PREFIX }}/sandboxes/base"
+ SHA="${{ github.sha }}"
+
+ echo "Copying ${GHCR_IMAGE}:${SHA} -> ${ECR_IMAGE}:${SHA}"
+ docker buildx imagetools create \
+ -t "${ECR_IMAGE}:${SHA}" \
+ "${GHCR_IMAGE}:${SHA}"
+
+ echo "Copying ${GHCR_IMAGE}:latest -> ${ECR_IMAGE}:latest"
+ docker buildx imagetools create \
+ -t "${ECR_IMAGE}:latest" \
+ "${GHCR_IMAGE}:latest"
+
+ - name: Copy sandbox images to ECR
+ if: needs.detect-changes.outputs.sandboxes != '[]'
+ run: |
+ set -euo pipefail
+ SANDBOXES='${{ needs.detect-changes.outputs.sandboxes }}'
+ SHA="${{ github.sha }}"
+
+ for SANDBOX in $(echo "$SANDBOXES" | jq -r '.[]'); do
+ GHCR_IMAGE="${{ env.REGISTRY }}/${{ steps.repo.outputs.image_prefix }}/sandboxes/${SANDBOX}"
+ ECR_IMAGE="${{ env.ECR_REGISTRY }}/${{ env.ECR_IMAGE_PREFIX }}/sandboxes/${SANDBOX}"
+
+ echo "Copying ${GHCR_IMAGE}:${SHA} -> ${ECR_IMAGE}:${SHA}"
+ docker buildx imagetools create \
+ -t "${ECR_IMAGE}:${SHA}" \
+ "${GHCR_IMAGE}:${SHA}"
+
+ echo "Copying ${GHCR_IMAGE}:latest -> ${ECR_IMAGE}:latest"
+ docker buildx imagetools create \
+ -t "${ECR_IMAGE}:latest" \
+ "${GHCR_IMAGE}:latest"
+ done
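Review bot: The `publish-ecr` job sets `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in job-level `env`, so long-lived static keys sit in the environment of every step, including the tag-pinned `docker/setup-buildx-action@v3` and `docker/login-action@v3`, although only "Log in to ECR" needs them. Prefer short-lived credentials through GitHub OIDC (`id-token: write` plus a role whose trust policy is limited to this repository and `refs/heads/main`), or at minimum move the two variables into the `env` of the login step. In "Copy sandbox images to ECR", `SANDBOXES='${{ needs.detect-changes.outputs.sandboxes }}'` is expanded into the script text before the shell runs, so a value containing a single quote would alter the script; pass it through the step's `env` instead. Both copy steps also resolve `:latest` from GHCR at copy time, which another run on `main` may have moved, so tagging both names from the `${SHA}` source (`-t "${ECR_IMAGE}:${SHA}" -t "${ECR_IMAGE}:latest" "${GHCR_IMAGE}:${SHA}"`) keeps the two ECR tags on one digest. The sketch below uses a placeholder variable name for the role ARN.

```yaml
  publish-ecr:
    # … unchanged: name, needs, if, runs-on; the job-level AWS key env is removed …
    permissions:
      packages: read    # only needed if the GHCR packages are private (confirm)
      id-token: write   # allows the job to request an OIDC token for AWS
    steps:
      # … unchanged: Lowercase image prefix, Set up Docker Buildx, Log in to GHCR …
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.ECR_PUSH_ROLE_ARN }}  # placeholder variable name
          aws-region: us-west-2

      - name: Log in to ECR
        uses: aws-actions/amazon-ecr-login@v2

      # … unchanged: Copy base image to ECR …
      - name: Copy sandbox images to ECR
        if: needs.detect-changes.outputs.sandboxes != '[]'
        env:
          SANDBOXES: ${{ needs.detect-changes.outputs.sandboxes }}
        run: |
          # … unchanged: set -euo pipefail, SHA, loop; the inline SANDBOXES='…' line is dropped …
```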