diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
deleted file mode 100644
index f403553..0000000
--- a/.github/workflows/build-image.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: Build and Publish CI image
-
-permissions:
- packages: write
-
-on:
- push:
- branches:
- - main
- paths:
- - "images/build/*"
- - ".github/workflows/build-image.yaml"
- # run a test build on PRs that change the build image;
- # no image is pushed since the 'Build and Push' step
- # checks if the trigger is a pull request or not.
- pull_request:
- branches:
- - main
- paths:
- - "images/build/*"
- - ".github/workflows/build-image.yaml"
-
-jobs:
- build:
- if: github.repository_owner == 'kcp-dev'
- name: Build CI Image
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
-
- - name: Append build image env variables
- run: |
- echo "$(cat images/build/env)" >> $GITHUB_ENV
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
-
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ github.token }}
-
- - name: Docker Metadata
- id: meta
- uses: docker/metadata-action@v4
- with:
- images: |
- ghcr.io/${{ github.repository }}/build
- tags: |
- type=semver,pattern={{version}},value=v${{ env.BUILD_IMAGE_TAG }}
-
- - name: Build and Push
- uses: docker/build-push-action@v4
- with:
- context: "{{defaultContext}}:images/build"
- push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- platforms: linux/amd64
- cache-from: type=gha,scope=${{ github.ref_name }}-buildx
- cache-to: type=gha,scope=${{ github.ref_name }}-buildx,mode=max
- build-args: |
- GO_VERSION=${{ env.GO_IMAGE_VERSION }}
- K8S_VERSION=${{ env.K8S_VERSION }}
diff --git a/images/build/env b/images/build/env
index 516bd19..4ccc117 100644
--- a/images/build/env
+++ b/images/build/env
@@ -1,3 +1,3 @@
-BUILD_IMAGE_TAG=1.19.9-2
+BUILD_IMAGE_TAG=1.19.9-3
 GO_IMAGE_VERSION=1.19.9
 K8S_VERSION=1.26.3
diff --git a/images/build/hack/build-image.sh b/images/build/hack/build-image.sh
new file mode 100644
index 0000000..12db2fe
--- /dev/null
+++ b/images/build/hack/build-image.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The KCP Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# in CI, make use of the registry mirror to avoid getting rate limited
+if [ -n "${DOCKER_REGISTRY_MIRROR_ADDR:-}" ]; then
+ # remove "http://" or "https://" prefix
+ mirror="$(echo "$DOCKER_REGISTRY_MIRROR_ADDR" | awk -F// '{print $NF}')"
+
+ echo "Configuring registry mirror for docker.io ..."
+
+ cat < /etc/containers/registries.conf.d/mirror.conf
+[[registry]]
+prefix = "docker.io"
+insecure = true
+location = "$mirror"
+EOF
+fi
+
+repository=ghcr.io/kcp-dev/infra/build
+architectures="amd64"
+
+cd ./images/build
+
+# read configuration file for build image
+source ./env
+
+image="$repository:${BUILD_IMAGE_TAG}"
+echo "Building container image $image ..."
+
+# build image for all architectures
+for arch in $architectures; do
+ fullTag="$image-$arch"
+
+ echo "Building $version-$arch ..."
+ buildah build-using-dockerfile \
+ --file Dockerfile \
+ --tag "$fullTag" \
+ --arch "$arch" \
+ --override-arch "$arch" \
+ --build-arg "GO_VERSION=${GO_IMAGE_VERSION}" \
+ --build-arg "K8S_VERSION=${K8S_VERSION}"
+ --format=docker \
+ .
+done
+
+echo "Creating manifest $image ..."
+buildah manifest create "$image"
+for arch in $architectures; do
+ buildah manifest add "$image" "$image-$arch"
+done
+
+# push manifest, except in presubmits
+if [ -z "${DRY_RUN:-}" ]; then
+ echo "Logging into GHCR ..."
+ buildah login --username "$KCP_GHCR_USERNAME" --password "$KCP_GHCR_PASSWORD" ghcr.io
+
+ echo "Pushing manifest and images ..."
+ buildah manifest push --all "$image" "docker://$image"
+else
+ echo "Not pushing images because \$DRY_RUN is set."
+fi
+
+echo "Done."
diff --git a/prow/jobs/infra/infra-postsubmits.yaml b/prow/jobs/infra/infra-postsubmits.yaml
index 4807ea7..de16447 100644
--- a/prow/jobs/infra/infra-postsubmits.yaml
+++ b/prow/jobs/infra/infra-postsubmits.yaml
@@ -41,3 +41,27 @@ postsubmits:
 value: /etc/prow/kubeconfig/kubeconfig
 - name: KUBE_CONTEXT
 value: default
+
+ - name: post-infra-publish-images-build
+ decorate: true
+ clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+ cluster: prow # GHCR credentials are only available here
+ labels:
+ preset-ghcr-credentials: "true"
+ branches:
+ - ^main$
+ # this forces to bump the image tag in this file to get a
+ # new image build
+ run_if_changed: '^images/build/env$'
+ spec:
+ containers:
+ - image: quay.io/containers/buildah:v1.30.0
+ command:
+ - images/build/hack/build-image.sh
+ # docker-in-docker needs privileged mode
+ securityContext:
+ privileged: true
+ resources:
+ requests:
+ cpu: 2
+ memory: 3Gi
diff --git a/prow/jobs/infra/infra-presubmits.yaml b/prow/jobs/infra/infra-presubmits.yaml
index c90b384..6eb1372 100644
--- a/prow/jobs/infra/infra-presubmits.yaml
+++ b/prow/jobs/infra/infra-presubmits.yaml
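Review bot: `buildah login --username "$KCP_GHCR_USERNAME" --password "$KCP_GHCR_PASSWORD" ghcr.io` passes the registry token as a command-line argument, where it is visible in the process list and in any `set -x` trace; pipe it in instead with `printf '%s' "$KCP_GHCR_PASSWORD" | buildah login --username "$KCP_GHCR_USERNAME" --password-stdin ghcr.io`. The generated `mirror.conf` sets `insecure = true` for `docker.io`, which allows plain HTTP or an unverified certificate for the base layers of an image that is then published, so the `FROM` lines in the Dockerfile (not part of this diff) should reference digests rather than tags. Separately, under `set -euo pipefail` the script as shown would stop before building: `$version` in `echo "Building $version-$arch ..."` is never assigned here or in `images/build/env` (use `$fullTag`), and the `--build-arg "K8S_VERSION=${K8S_VERSION}"` line lacks its trailing `\`, so `--format=docker` and `.` run as a separate command.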
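Review bot: The container image `quay.io/containers/buildah:v1.30.0` is referenced by a mutable tag in a job that runs with `privileged: true` and the `preset-ghcr-credentials` preset, so whatever that tag resolves to at run time gets the push credentials; pin it by digest, e.g. `image: quay.io/containers/buildah:v1.30.0@sha256:<digest>` (placeholder, take the value from the registry). The comment `# docker-in-docker needs privileged mode` does not match the job, which runs buildah and no Docker daemon; something like `# buildah runs its build containers inside this pod, hence privileged` would say what the privilege is for. The job also sets `requests` without `limits`. The new presubmit `pull-infra-images-build` in `infra-presubmits.yaml` has the same image reference and comment.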
@@ -60,3 +60,26 @@ presubmits:
 secret:
 secretName: github-token
+ - name: pull-infra-images-build
+ decorate: true
+ clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+ # this forces to bump the image tag in this file to get a
+ # new image build
+ run_if_changed: '^images/build/env$'
+ labels:
+ preset-goproxy: "true"
+ spec:
+ containers:
+ - image: quay.io/containers/buildah:v1.30.0
+ command:
+ - images/build/hack/build-image.sh
+ # docker-in-docker needs privileged mode
+ securityContext:
+ privileged: true
+ env:
+ - name: DRY_RUN
+ value: '1'
+ resources:
+ requests:
+ memory: 1Gi
+ cpu: 1
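Review bot: `pull-infra-images-build` runs `images/build/hack/build-image.sh` from the pull request's checkout in a container with `privileged: true`, and that script also `source`s `images/build/env`, so code proposed in a PR executes with host-level privileges on the node before it is merged. `DRY_RUN` only skips the login and push; it does not reduce what the pod can do. If the job relies on Prow's trusted-author gate, state that on the job, e.g. `# privileged: runs PR-supplied code, only for trusted authors or after /ok-to-test`. It would also be worth testing whether the dry-run build works without `privileged` (for instance with `BUILDAH_ISOLATION=chroot`); I have not verified that it does for this Dockerfile.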