diff --git a/.github/workflows/build-apko-image.yml b/.github/workflows/build-apko-image.yml
new file mode 100644
index 000000000..479337254
--- /dev/null
+++ b/.github/workflows/build-apko-image.yml
@@ -0,0 +1,30 @@
+name: Build and upload all apko container images
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ - "release/**"
+ - "feat/reproducible-builds-ko"
+ paths:
+ - "image/apko/*.yaml"
+
+jobs:
+ build-apko-image:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Check out repository
+ id: checkout
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Build and upload apko image
+ uses: ./.github/actions/build_apko
+ with:
+ registry: ghcr.io
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build-constellation-node-operator-ko.yml b/.github/workflows/build-constellation-node-operator-ko.yml
new file mode 100644
index 000000000..ae7c30453
--- /dev/null
+++ b/.github/workflows/build-constellation-node-operator-ko.yml
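Review bot: In build-apko-image.yml the checkout step sets `ref: ${{ github.head_ref }}`, but `github.head_ref` is only populated for pull-request events, so under the `workflow_dispatch` and `push` triggers used here it is empty and checkout falls back to the triggering ref. The same line appears in the four *-ko.yml workflows added by this commit. As written it is a no-op, but if a `pull_request_target` trigger were ever added it would check out the PR head in a job that holds `packages: write` (and, in the ko workflows, the cosign signing secrets), so I would delete the `with:` / `ref:` lines. Separately, the push trigger lists `- "feat/reproducible-builds-ko"`, which looks like a development branch; pushes to it publish images to ghcr.io, so consider removing it before merging.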
@@ -0,0 +1,32 @@
+name: Build and upload constellation node operator image (KO)
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build-constellation-node-operator:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Check out repository
+ id: checkout
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Install operator-sdk
+ uses: ./.github/actions/install_operator_sdk
+ with:
+ version: v1.22.2
+
+ - name: Build and upload constellation-node-operator container image
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ name: node-operator
+ koTarget: ./operators/constellation-node-operator
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-joinservice-image-ko.yml b/.github/workflows/build-joinservice-image-ko.yml
new file mode 100644
index 000000000..dd6e1996b
--- /dev/null
+++ b/.github/workflows/build-joinservice-image-ko.yml
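Review bot: In build-constellation-node-operator-ko.yml the three cosign inputs use the `cond && secrets.X || secrets.DEV_X` form, which evaluates to the dev secret whenever the release secret is empty or unset, so a build on a `release/v*` branch could be signed with the dev key without any error. The same expressions are repeated in the joinservice, KMS and verification-service workflows in this commit. A guard step placed before the build that fails on release refs when a release secret is missing would make that case loud; a sketch follows. Separately, this job has no `actions/setup-go` step, unlike the other three ko workflows, so unless one of the local actions installs Go the build uses whatever toolchain the runner image provides.

```yaml
      # … unchanged: checkout and operator-sdk install steps …

      - name: Require release signing material on release branches
        if: startsWith(github.ref, 'refs/heads/release/v')
        env:
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          test -n "$COSIGN_PUBLIC_KEY"
          test -n "$COSIGN_PRIVATE_KEY"
          test -n "$COSIGN_PASSWORD"

      # … unchanged: build_micro_service_ko step …
```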
@@ -0,0 +1,38 @@
+name: Build and upload join service image (KO)
+env:
+ REGISTRY: ghcr.io
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build-join-service-ko:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ outputs:
+ image: ${{ steps.build-and-upload.outputs.image }}
+ digest: ${{ steps.build-and-upload.outputs.digest }}
+ steps:
+ - name: Check out repository
+ id: checkout
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Setup Go environment
+ uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+ with:
+ go-version: "1.19.3"
+
+ - name: Build and upload join service container image
+ id: build-and-upload
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ name: joinservice
+ koTarget: ./joinservice/cmd
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-kms-image-ko.yml b/.github/workflows/build-kms-image-ko.yml
new file mode 100644
index 000000000..9a5c1283e
--- /dev/null
+++ b/.github/workflows/build-kms-image-ko.yml
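Review bot: In build-joinservice-image-ko.yml the workflow-level `env: REGISTRY: ghcr.io` and the job `outputs` (`image`, `digest`) have no visible consumer: nothing in the file references `REGISTRY`, and with a single job and only a `workflow_dispatch` trigger no other job or calling workflow can read the outputs. build-kms-image-ko.yml carries the same two blocks. If the composite action reads `REGISTRY` from the environment, a comment such as `# read by .github/actions/build_micro_service_ko` would document that dependency; otherwise drop the variable. The outputs only become useful once an `on: workflow_call` trigger with matching outputs exists, which would also let a later job verify the image by digest.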
@@ -0,0 +1,42 @@
+name: Build and upload KMS image (KO)
+env:
+ REGISTRY: ghcr.io
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build-kms-server:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ outputs:
+ image: ${{ steps.build-and-upload.outputs.image }}
+ digest: ${{ steps.build-and-upload.outputs.digest }}
+ steps:
+ - name: Check out repository
+ id: checkout
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Setup Go environment
+ uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+ with:
+ go-version: "1.19.3"
+
+ - name: Set up ko
+ uses: imjasonh/setup-ko@v0.6
+
+ - name: Build and upload KMS server container image
+ id: build-and-upload
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ name: kmsserver
+ koConfig: .ko.yaml
+ koTarget: ./kms/cmd
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-verification-service-ko.yml b/.github/workflows/build-verification-service-ko.yml
new file mode 100644
index 000000000..6671ae950
--- /dev/null
+++ b/.github/workflows/build-verification-service-ko.yml
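Review bot: In build-kms-image-ko.yml `uses: imjasonh/setup-ko@v0.6` references a third-party action by a mutable tag, while `actions/checkout` and `actions/setup-go` in the same job are pinned to full commit SHAs. Code from that action runs in the same job as the signing step, which holds `packages: write` and is handed the cosign private key and password, so the tag moving would change what runs next to those secrets without any diff in this repository. Pin it like the others, e.g. `uses: imjasonh/setup-ko@<full-commit-sha> # tag=v0.6`. This is also the only ko workflow in the commit with a `Set up ko` step, so either the composite action already installs ko and the step is redundant, or the other three workflows are missing it.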
@@ -0,0 +1,33 @@
+name: Build and upload verification-service image (KO)
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build-verification-service:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Check out repository
+ id: checkout
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - name: Setup Go environment
+ uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+ with:
+ go-version: "1.19.3"
+
+ - name: Build and upload verification-service container image (KO)
+ id: build-and-upload
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ name: verification-service
+ koTarget: ./verify/cmd
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
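Review bot: build-verification-service-ko.yml is the fourth workflow in this commit that differs from its siblings only in `name`, `koTarget` and an optional setup step, and the three-line cosign key-selection expression is copied verbatim into each. Keeping the release-versus-dev key decision in four places makes it easy for one copy to drift from the others. Consider a single reusable workflow (`on: workflow_call` with `name` and `koTarget` inputs) or one matrix job, so the signing-key selection is reviewed and changed in one file. A short comment above the cosign inputs, e.g. `# release/v* branches sign with the release key, all other refs with the dev key`, would also document the intent.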