diff --git a/.dockerignore b/.dockerignore
index ba04bfbbd..36118f794 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -24,9 +24,6 @@ image
 Dockerfile
 Dockerfile.*
 
-# GitHub actions
-.github
-
 # VS Code configuration folder
 .vscode
 
diff --git a/.github/actions/versionsapi/Dockerfile b/.github/actions/versionsapi/Dockerfile
new file mode 100644
index 000000000..7c5315990
--- /dev/null
+++ b/.github/actions/versionsapi/Dockerfile
@@ -0,0 +1,26 @@
+FROM golang:1.19.4@sha256:766625f2182dacec4c8774355a65a81a3b73acb0b4287b6a32a8efc185aede2c as builder
+
+# Download project root dependencies
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+COPY . .
+
+# Build
+WORKDIR /workspace/internal/versionsapi/cli
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o versionsapi .
+
+FROM alpine:3.17.1@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a as release
+
+RUN apk add --no-cache bash
+
+WORKDIR /
+COPY --from=builder /workspace/internal/versionsapi/cli/versionsapi .
+COPY .github/actions/versionsapi/entrypoint.sh .
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/.github/actions/versionsapi/action.yml b/.github/actions/versionsapi/action.yml
new file mode 100644
index 000000000..f9a2b03d5
--- /dev/null
+++ b/.github/actions/versionsapi/action.yml
@@ -0,0 +1,49 @@
+name: versionsapi
+description: "A GitHub Action to interact with the versions API"
+
+inputs:
+  command:
+    description: Command to run
+    required: true
+  ref:
+    description: --ref flag
+    required: false
+  stream:
+    description: --stream flag
+    required: false
+  version:
+    description: --version flag
+    required: false
+  add_latest:
+    description: --latest flag (boolean)
+    required: false
+    default: "false"
+  add_release:
+    description: --release flag (boolean)
+    required: false
+    default: "false"
+  rm_all:
+    description: --all flag (boolean)
+    required: false
+    default: "false"
+  dryrun:
+    description: --dryrun flag (boolean)
+    required: false
+    default: "false"
+outputs:
+  output:
+    description: Output of the command
+
+runs:
+  using: docker
+  image: docker://ghcr.io/edgelesssys/constellation/versionsapi-ci-cli:latest
+  args:
+    - ${{ inputs.command }}
+    - ${{ inputs.ref != '' && format('--ref={0}', inputs.ref) || '' }}
+    - ${{ inputs.stream != '' && format('--stream={0}', inputs.stream) || '' }}
+    - ${{ inputs.version != '' && format('--version={0}', inputs.version) || '' }}
+    - ${{ inputs.add_latest == 'true' && '--latest' || '' }}
+    - ${{ inputs.add_release == 'true' && '--release' || '' }}
+    - ${{ inputs.rm_all == 'true' && '--all' || '' }}
+    - ${{ inputs.dryrun == 'true' && '--dryrun' || '' }}
+    - --verbose
diff --git a/.github/actions/versionsapi/entrypoint.sh b/.github/actions/versionsapi/entrypoint.sh
new file mode 100755
index 000000000..570e42a8c
--- /dev/null
+++ b/.github/actions/versionsapi/entrypoint.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+for arg in "$@"; do
+  if [[ ${arg} != "" ]]; then
+    args[${#args[@]}]="${arg}"
+  fi
+done
+
+out=$(/versionsapi "${args[@]}")
+if [[ $? -ne 0 ]]; then
+  exit 1
+fi
+
+if [[ ${GITHUB_ACTIONS} == "true" ]]; then
+  echo "output=${out}" | tee "${GITHUB_ENV}"
+else
+  echo "${out}"
+fi
diff --git a/.github/workflows/build-versionsapi-ci-image.yml b/.github/workflows/build-versionsapi-ci-image.yml
new file mode 100644
index 000000000..d9d9d5344
--- /dev/null
+++ b/.github/workflows/build-versionsapi-ci-image.yml
@@ -0,0 +1,34 @@
+name: Build and upload versionsapi CI image
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "internal/versionsapi/**"
+
+jobs:
+  build-versionsapi-ci-cli:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out repository
+        id: checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Setup Go environment
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: "1.19.4"
+
+      - name: Build and upload container image
+        uses: ./.github/actions/build_micro_service
+        with:
+          name: versionsapi-ci-cli
+          dockerfile: .github/actions/versionsapi/Dockerfile
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/versionsapi.yml b/.github/workflows/versionsapi.yml
index 606a7d414..ca03c8b37 100644
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@@ -8,9 +8,9 @@ on:
         required: true
         type: choice
         options:
-          - add
           - latest
           - list
+          - add
           - remove
       ref:
         description: --ref flag
@@ -97,7 +97,8 @@ jobs:
     outputs:
       output: ${{ steps.run.outputs.output }}
     steps:
-      - name: Checkout
+      - name: Check out repository
+        id: checkout
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@@ -163,41 +164,15 @@ jobs:
         with:
           gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
 
-      - name: Setup Go environment
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
-        with:
-          go-version: "1.19.5"
-          cache: true
-
-      - name: Build versionsapi CLI
-        working-directory: internal/versionsapi/cli
-        run: go build -o versionsapi
-
       - name: Execute versionsapi CLI
         id: run
-        working-directory: internal/versionsapi/cli
-        run: |
-          set -x
-
-          ref=$([[ -n "${{ inputs.ref }}" ]] && echo "--ref ${{ inputs.ref }}" || echo "")
-          stream=$([[ -n "${{ inputs.stream }}" ]] && echo "--stream ${{ inputs.stream }}" || echo "")
-          version=$([[ -n "${{ inputs.version }}" ]] && echo "--version ${{ inputs.version }}" || echo "")
-          add_latest=$([[ "${{ inputs.add_latest }}" == "true" ]] && echo "--latest" || echo "")
-          add_release=$([[ "${{ inputs.add_release }}" == "true" ]] && echo "--release" || echo "")
-          rm_all=$([[ "${{ inputs.rm_all }}" == "true" ]] && echo "--all" || echo "")
-          dryrun=$([[ "${{ inputs.dryrun }}" == "true" ]] && echo "--dryrun" || echo "")
-
-          # shellcheck disable=SC2086
-          out=$(
-            ./versionsapi "${{ inputs.command }}" \
-              ${ref} \
-              ${stream} \
-              ${version} \
-              ${add_latest} \
-              ${add_release} \
-              ${rm_all} \
-              ${dryrun} \
-              --verbose
-          )
-          echo "$out"
-          echo "output=$out" >> "$GITHUB_OUTPUT"
+        uses: ./.github/actions/versionsapi
+        with:
+          command: ${{ inputs.command }}
+          ref: ${{ inputs.ref }}
+          stream: ${{ inputs.stream }}
+          version: ${{ inputs.version }}
+          add_latest: ${{ inputs.add_latest }}
+          add_release: ${{ inputs.add_release }}
+          rm_all: ${{ inputs.rm_all }}
+          dryrun: ${{ inputs.dryrun }}