diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml new file mode 100644 index 000000000..1c241fcfa --- /dev/null +++ b/.github/actions/build_micro_service_ko/action.yml @@ -0,0 +1,42 @@ +name: Build micro service +description: Build and upload a container image for a Constellation micro-service +inputs: + name: + description: "Name of the micro-service" + required: true + koConfig: + description: "Path to the .ko.yaml config file" + required: true + koTarget: + description: "Go package to build with ko" + required: true + pushTag: + description: "Use this image tag" + required: false + githubToken: + description: "GitHub authorization token" + required: true + +# Linux runner only +# TODO: Add complete tagging +runs: + using: "composite" + steps: + - name: Determine pseudo version + id: pseudo-version + uses: ./.github/actions/pseudo_version + + - name: Set up ko + uses: imjasonh/setup-ko@v0.6 + + - name: Build and upload ko container image + id: build + env: + KO_USER: ${{ github.actor }} + KO_CONFIG_PATH: ${{ inputs.koConfig }} + KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + KO_DOCKER_REPO: ${{ env.REGISTRY }}/edgelesssys/constellation + GIT_REF: ${{ github.ref }} + run: | + tag=$(echo ${GIT_REF} | cut -d'/' -f3) + ko build ${{ inputs.koTarget }} --preserve-import-paths --tags ${tag} diff --git a/.github/workflows/build-kms-image-ko.yml b/.github/workflows/build-kms-image-ko.yml new file mode 100644 index 000000000..629f92b8b --- /dev/null +++ b/.github/workflows/build-kms-image-ko.yml 
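Review bot: `KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` in the "Build and upload ko container image" step will not resolve, because the `secrets` context is not exposed to composite actions (GitHub rejects it as an unrecognized named-value) — that is presumably why the `githubToken` input was declared, yet nothing reads it; change the line to `KO_PASSWORD: ${{ inputs.githubToken }}`. The `pushTag` input is likewise declared but never used: the tag comes from `cut -d'/' -f3` on `GIT_REF`, which maps every `release/**` branch to the same `release` tag, so a later release branch silently overwrites the image of an earlier one (the `# TODO: Add complete tagging` line suggests this is known, but until then `pushTag` should at least win when set). `imjasonh/setup-ko@v0.6` is a mutable tag, unlike the SHA-pinned actions in the workflows this change touches; pin it to a commit SHA so a moved tag cannot swap the tool that receives the registry credential. Interpolating `${{ inputs.koTarget }}` directly into `run:` is also the script-injection pattern GitHub warns about; pass it through `env:` the way `GIT_REF` already is.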
@@ -0,0 +1,60 @@ +name: Build and upload KMS image (KO) +env: + REGISTRY: ghcr.io + IMAGE_NAME: kmsserver + +on: + workflow_dispatch: + push: + branches: + - main + - "release/**" + paths: + - "kms/**" + - "internal/constants/**" + - "internal/file/**" + +jobs: + build-kms-server: + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + outputs: + image: ${{ steps.build-and-upload.outputs.image }} + digest: ${{ steps.build-and-upload.outputs.digest }} + steps: + - name: Check out repository + id: checkout + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0 + with: + ref: ${{ github.head_ref }} + + - name: Setup Go environment + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1 + with: + go-version: "1.19.3" + + - name: Set up ko + uses: imjasonh/setup-ko@v0.6 + + - name: Build and upload KMS server container image + id: build-and-upload + env: + KO_USER: ${{ github.actor }} + KO_CONFIG_PATH: ${{ github.workspace }}/.ko.yaml + KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + KO_DOCKER_REPO: ${{ env.REGISTRY }}/edgelesssys/constellation + GIT_REF: ${{ github.ref }} + run: | + tag=$(echo ${GIT_REF} | cut -d'/' -f3) + ko build ./kms/cmd --preserve-import-paths -t ${tag} + + - name: Build and upload KMS server container image + id: build-and-upload + uses: ./.github/actions/build_micro_service_ko + with: + name: kmsserver + koConfig: .ko.yaml + koTarget: ./kms/cmd + githubToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/build-kms-image.yml b/.github/workflows/build-kms-image.yml index b87b9bb90..a824cc327 100644 --- a/.github/workflows/build-kms-image.yml +++ b/.github/workflows/build-kms-image.yml @@ -20,9 +20,6 @@ jobs: permissions: contents: read packages: write - outputs: - image: ${{ steps.build-and-upload.outputs.image }} - digest: ${{ steps.build-and-upload.outputs.digest }} steps: - name: Check out repository id: checkout 
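Review bot: The job declares `id: build-and-upload` on two consecutive steps, which GitHub rejects as a duplicate step identifier, and even if it parsed, the inline `ko build ./kms/cmd` step and the `./.github/actions/build_micro_service_ko` call right after it would push the same image twice; keep only the composite-action step. The job `outputs` read `steps.build-and-upload.outputs.image` and `.digest`, but neither step sets any outputs, so downstream consumers receive empty strings and have no digest to pin or verify against. Compared with the Dockerfile-based path elsewhere in this change, this workflow also pushes the KMS image with no cosign signature, so consumers cannot verify the provenance of a ko-built `kmsserver` the way they can for the signed build. `ref: ${{ github.head_ref }}` is empty for `push` and `workflow_dispatch`, so the checkout silently falls back to `github.sha`; drop that `with:` block, and pin `imjasonh/setup-ko@v0.6` to a commit SHA like the checkout and setup-go steps above it.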
@@ -35,14 +32,14 @@ jobs: with: go-version: "1.19.3" - - name: Set up ko - uses: imjasonh/setup-ko@v0.6 - - name: Build and upload KMS server container image id: build-and-upload - env: - KO_USER: ${{ github.actor }} - KO_CONFIG_PATH: ${{ github.workspace }}/.ko.yaml - KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - KO_DOCKER_REPO: ${{ env.REGISTRY }}/edgelesssys/constellation - run: ko build ./kms/cmd --preserve-import-paths -t ${{ github.sha }} + uses: ./.github/actions/build_micro_service + with: + name: kmsserver + projectVersion: "0.0.0" + dockerfile: kms/Dockerfile + githubToken: ${{ secrets.GITHUB_TOKEN }} + cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} + cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} + cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
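Review bot: The signing key is chosen purely by `startsWith(github.ref, 'refs/heads/release/v')`, so any push to a `release/v*` branch, or a `workflow_dispatch` run from one, signs with `COSIGN_PRIVATE_KEY`, the release key; unless those branches are protected and the job runs in a protected `environment:` (the job header and `on:` block are outside this hunk, so I cannot tell), any account with write access can mint release-signed KMS images. Consider gating this step with a `release` environment that holds the `COSIGN_*` secrets rather than relying on the ref prefix alone. The same conditional is repeated three times for the public key, private key and password; hoisting it into one job-level variable, e.g. `IS_RELEASE: ${{ startsWith(github.ref, 'refs/heads/release/v') }}`, keeps the three selections from drifting apart. `projectVersion: "0.0.0"` is a hard-coded placeholder, so whatever the action stamps with it will claim version 0.0.0 for every build; tie it to the tag or pseudo-version instead. Any steps after this one are outside the hunk.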