diff --git a/tekton/README.md b/tekton/README.md index e2469468740..c1ef97e045d 100644 --- a/tekton/README.md +++ b/tekton/README.md @@ -13,6 +13,9 @@ to invoke these `Pipelines` automatically, but for now we will have to invoke th The `Tasks` which make up our release `Pipeline` are: +* [`ci-images.yaml`](ci-images.yaml) - This `Task` uses [`kaniko`](https://github.com/GoogleContainerTools/kaniko) + to build and publish [images for the CI itself](#supporting-images), which can then be used as `steps` in + downstream `Tasks` * [`publish.yaml`](publish.yaml) - This `Task` uses [`kaniko`](https://github.com/GoogleContainerTools/kaniko) to build and publish base images, and uses [`ko`](https://github.com/google/go-containerregistry/tree/master/cmd/ko) to build all of the container images we release and generate the `release.yaml` @@ -31,6 +34,14 @@ TODO(#569): Normally we'd use the image `PipelineResources` to control which ima However since we have so many images, all going to the same registry, we are cheating and using a parameter for the image registry instead. +* [`ciimages-run.yaml`](ci-images-run.yaml) - This example `TaskRun` and `PipelineResources` demonstrate + how to invoke `ci-images.yaml`: + + ```bash + kubectl apply -f tekton/ci-images.yaml + kubectl apply -f tekton/ci-images-run.yaml + ``` + * [`publish-run.yaml`](publish-run.yaml) - This example `TaskRun` and `PipelineResources` demonstrate how to invoke `publish.yaml`: 
@@ -68,4 +79,24 @@ users. Some supporting scripts have been written using Python 2.7: -* [koparse](./koparse) - Contains logic for parsing `release.yaml` files created by `ko` \ No newline at end of file +* [koparse](./koparse) - Contains logic for parsing `release.yaml` files created by `ko` + +## Supporting images + +TODO(#639) Ensure we are using the images that are published by the `Pipeline` itself. + +These images are built and published to be used by the release Pipeline itself. + +### ko image + +In order to run `ko`, and to be able to use a cluster's default credentials, we need an image which +contains: + +* `ko` +* `golang` - Required by `ko` to build +* `gcloud` - Required to auth with default namespace credentials + +The image which we use for this is built from [tekton/ko/Dockerfile](./ko/Dockerfile). + +_[go-containerregistry#383](https://github.com/google/go-containerregistry/issues/383) is about publishing +a `ko` image, which hopefully we'll be able to move it._ \ No newline at end of file diff --git a/tekton/ci-images-run.yaml b/tekton/ci-images-run.yaml new file mode 100644 index 00000000000..1bf9cb45781 --- /dev/null +++ b/tekton/ci-images-run.yaml 
@@ -0,0 +1,44 @@
+apiVersion: tekton.dev/v1alpha1
+kind: PipelineResource
+metadata:
+ name: tekton-pipelines
+spec:
+ type: git
+ params:
+ - name: url
+ value: https://github.com/tektoncd/pipeline # REPLACE with your own fork
+ - name: revision
+ value: master # REPLACE with your own commit
+---
+apiVersion: tekton.dev/v1alpha1
+kind: PipelineResource
+metadata:
+ name: ko-image
+spec:
+ type: image
+ params:
+ - name: url
+ value: ko-ci # Registry is provided via parameter, this is a hack see #569
+---
+apiVersion: tekton.dev/v1alpha1
+kind: TaskRun
+metadata:
+ name: publish-ci-images-run
+spec:
+ taskRef:
+ name: publish-ci-images
+ trigger:
+ type: manual
+ inputs:
+ resources:
+ - name: source
+ resourceRef:
+ name: tekton-pipelines
+ params:
+ - name: imageRegistry
+ value: gcr.io/tekton-releases # REPLACE with your own registry
+ outputs:
+ resources:
+ - name: builtKoImage
+ resourceRef:
+ name: ko-image
\ No newline at end of file
diff --git a/tekton/ci-images.yaml b/tekton/ci-images.yaml
new file mode 100644
index 00000000000..7a14e7a0738
--- /dev/null
+++ b/tekton/ci-images.yaml
@@ -0,0 +1,27 @@
+
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+ name: publish-ci-images
+spec:
+ inputs:
+ resources:
+ - name: source
+ type: git
+ params:
+ - name: imageRegistry
+ description: TODO(#569) This is a hack to make it easy for folks to switch the registry being used by the many many image outputs
+ outputs:
+ resources:
+ - name: builtKoImage
+ type: image
+ steps:
+
+ - name: build-push-ko-image
+ image: gcr.io/kaniko-project/executor
+ command:
+ - /kaniko/executor
+ args:
+ - --dockerfile=/workspace/source/tekton/ko/Dockerfile
+ - --destination=${inputs.params.imageRegistry}/${outputs.resources.builtKoImage.url}
+ - --context=/workspace/source
\ No newline at end of file
diff --git a/tekton/ko/Dockerfile b/tekton/ko/Dockerfile
new file mode 100644
index 00000000000..e91d14a8305
--- /dev/null
+++ b/tekton/ko/Dockerfile
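Review bot: The `build-push-ko-image` step in `tekton/ci-images.yaml` pulls `gcr.io/kaniko-project/executor` with no tag or digest and pushes to a `--destination` that carries no tag, so both the builder and the published `ko-ci` image are mutable references. The same pattern recurs across the commit: `revision: master` in the example `ci-images-run.yaml`, `FROM google/cloud-sdk:latest` and an unversioned `go get` in `tekton/ko/Dockerfile`, and `image: gcr.io/tekton-releases/ko-ci` in the `run-ko` step of `tekton/publish.yaml`. Because `run-ko` authenticates with the cluster's default credentials and produces the release artifacts, I would pin each of these, e.g. `image: gcr.io/kaniko-project/executor@sha256:<DIGEST>`, and have `publish.yaml` reference `ko-ci` by the digest this Task produced.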
@@ -0,0 +1,10 @@
+FROM google/cloud-sdk:latest
+
+# Install golang
+RUN curl https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz > go1.12.1.tar.gz
+RUN tar -C /usr/local -xzf go1.12.1.tar.gz
+ENV PATH="${PATH}:/usr/local/go/bin"
+
+# Install ko
+ENV GOBIN=/usr/local/go/bin
+RUN go get github.com/google/go-containerregistry/cmd/ko
\ No newline at end of file
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index ab04ea0b11e..ce19051564b 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -72,33 +72,6 @@ spec: cat /workspace/go/src/github.com/tektoncd/pipeline/.ko.yaml - # TODO(#631): publish a `ko` image - - name: install-ko - image: golang - env: - - name: GOBIN - value: /workspace - command: ["go"] - args: - - "get" - - "github.com/google/go-containerregistry/cmd/ko" - - # TODO(#631): publish a `ko` image (which has golang) - - name: install-go - image: golang - env: - command: - - /bin/sh - args: - - -ce - - | - set -e - set -x - # TODO(#631): this is a hack to make the go binary available in a container that has gcloud - mkdir -p /workspace/golang - cp /usr/local/go/bin/go /workspace/golang/go - cp -R /usr/local/go /workspace/golang/localgo - - name: ensure-release-dirs-exist image: busybox command: ["mkdir"]
@@ -106,16 +79,13 @@ spec: - "-p" - "/workspace/bucket/latest/" - "/workspace/bucket/previous/" - + - name: run-ko - image: google/cloud-sdk + # TODO(#639) we should be able to use the image built by an upstream Task here instead of hardcoding + image: gcr.io/tekton-releases/ko-ci env: - name: KO_DOCKER_REPO value: ${inputs.params.imageRegistry} - - name: GOBIN - value: /workspace/golang - - name: GOPATH - value: /workspace/go command: - /bin/sh args:
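Review bot: The Go tarball in `tekton/ko/Dockerfile` is fetched with `curl ... > go1.12.1.tar.gz` and unpacked with no integrity check, and without `-f` an HTTP error page would be saved as the archive. According to the README section added in this commit, this image is the one that runs `ko` with the cluster's default credentials, so the toolchain going into it should be verified against the SHA-256 published for that release before extraction. Doing the download, check, extraction and cleanup in a single `RUN` also keeps the tarball out of the image layers. The checksum value below is a placeholder to be filled in from the Go downloads page.

```dockerfile
# Install golang
ARG GO_SHA256="REPLACE_WITH_PUBLISHED_SHA256"
RUN curl -fsSL https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz -o go1.12.1.tar.gz \
 && echo "${GO_SHA256}  go1.12.1.tar.gz" | sha256sum -c - \
 && tar -C /usr/local -xzf go1.12.1.tar.gz \
 && rm go1.12.1.tar.gz
# … unchanged: ENV PATH and the ko install …
```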
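Review bot: The `run-ko` step in `tekton/publish.yaml` loses `GOPATH=/workspace/go` together with `GOBIN`, yet the sources still live under `/workspace/go/src/github.com/tektoncd/pipeline` (see the `cat ... .ko.yaml` context line in the previous hunk), and the new `tekton/ko/Dockerfile` sets only `PATH` and `GOBIN`. Unless the script body beyond this hunk exports it, `go` and `ko` would fall back to the default GOPATH and may not resolve the project's import paths. I would keep the `- name: GOPATH` / `value: /workspace/go` pair in `env` and drop only `GOBIN`. The step's `args` script starts at the end of this hunk and continues outside it, so this needs checking against the full file.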
@@ -124,11 +94,6 @@ spec: set -e set -x - # TODO(#631) Hacks to have the go binary available in this container - ls -lA /workspace/golang - cp -R /workspace/golang/localgo/ /usr/local/go - cp /workspace/golang/go /usr/bin/go - # TODO(#631) This is a hack to auth with the default creds, need a solution that supports service accounts gcloud auth configure-docker