diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 562abe889c9..a55dce4378c 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -27,7 +27,7 @@ jobs:
 run: | # Copy wolfictl out of the wolfictl image and onto PATH TMP=$(mktemp -d)
- docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:fd8c71214f6455c75ec44ae99eb9f7ffc85f260ccce69d4367eb2e5d568facd9 -c "cp /usr/bin/wolfictl /out"
+ docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:dd55b59445eb3a4324b6d186e15522805692504f4830ee375286ace346e5a097 -c "cp /usr/bin/wolfictl /out"
 echo "$TMP" >> $GITHUB_PATH # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -51,7 +51,7 @@ jobs:
 runs-on: ubuntu-16-core needs: changes container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:fd8c71214f6455c75ec44ae99eb9f7ffc85f260ccce69d4367eb2e5d568facd9
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:dd55b59445eb3a4324b6d186e15522805692504f4830ee375286ace346e5a097
 options: | --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -103,7 +103,7 @@ jobs:
 - name: Check sonames id: soname if: steps.file_check.outputs.exists == 'true'
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 with: entrypoint: wolfictl args: check so-name
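Review bot: `$TMP` is unquoted in the bind mount `-v $TMP:/out` on the changed `docker run` line of the first ci-build.yaml hunk, and `$GITHUB_PATH` is unquoted in the `echo` just below it, so a temporary path containing whitespace (for instance from a non-default `TMPDIR`) would be word-split by the shell. I would write `-v "$TMP":/out` and `echo "$TMP" >> "$GITHUB_PATH"`. The identical `docker run` line is changed in push-production.yaml and should get the same quoting. The `run:` block starts and ends outside the hunk.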
@@ -113,7 +113,7 @@ jobs:
 if: steps.file_check.outputs.exists == 'true' # Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check continue-on-error: true
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 with: entrypoint: wolfictl args: check diff
diff --git a/.github/workflows/dag-push-production.yaml b/.github/workflows/dag-push-production.yaml
index c6d5212eff7..2ef94b00fd1 100644
--- a/.github/workflows/dag-push-production.yaml
+++ b/.github/workflows/dag-push-production.yaml
@@ -93,11 +93,11 @@ jobs:
 - run: | kubectl set image daemonset/csi-secrets-store \ -n kube-system \
- secrets-store=cgr.dev/chainguard/secrets-store-csi-driver:latest@sha256:e14da2fdff70406ff77119750aa4be4298665a1557972479a868723f2ddbb168
+ secrets-store=cgr.dev/chainguard/secrets-store-csi-driver:latest@sha256:3deee5c924791d3b4a6365f22abfb480e8de4747054fcafe4c32400af37294b2
 kubectl set image daemonset/csi-secrets-store-provider-gcp \ -n kube-system \
- provider=cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp:latest@sha256:88deaa80e3df528d6a95251187ed14f252d9cf10e7fb12ca8523ed5dc12b95ab
+ provider=cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp:latest@sha256:21419f70b9aedc080547a1d358a8529d1bc8c29c183c08d892d0b343a6519078
 # Wait for DaemonSets to become ready. kubectl rollout status daemonset -n kube-system csi-secrets-store
@@ -156,7 +156,7 @@ jobs:
 --cpu=30 --ram=100Gi \ --bucket=${BUCKET} \ --src-bucket=${SRC_BUCKET} \
- --sdk-image ghcr.io/wolfi-dev/sdk:latest@sha256:fd8c71214f6455c75ec44ae99eb9f7ffc85f260ccce69d4367eb2e5d568facd9 \
+ --sdk-image ghcr.io/wolfi-dev/sdk:latest@sha256:dd55b59445eb3a4324b6d186e15522805692504f4830ee375286ace346e5a097 \
 --pending-timeout=10m \ --secret-key \ --arch=arm64
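Review bot: The two new digests in the `kubectl set image` hunk of dag-push-production.yaml are rolled straight into `kube-system` DaemonSets, and nothing visible in the hunk checks that they belong to signed images from the expected publisher before the rollout. Because the secrets-store CSI driver and its GCP provider sit on the path that delivers secrets to workloads, I would add a verification step ahead of the first `kubectl set image`, for example a `cosign verify` of each `cgr.dev/chainguard/...@sha256:...` reference that fails the job when the signature or identity does not match. This may already be enforced by an admission policy or an earlier step outside the hunk; if so, a one-line comment such as `# digests verified by <policy or step name>` above the block would record it. The `run:` block continues outside the hunk.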
diff --git a/.github/workflows/push-production.yaml b/.github/workflows/push-production.yaml
index b6e9d06eb35..94534c4bcc8 100644
--- a/.github/workflows/push-production.yaml
+++ b/.github/workflows/push-production.yaml
@@ -68,7 +68,7 @@ jobs:
 run: | # Copy wolfictl out of the wolfictl image and onto PATH TMP=$(mktemp -d)
- docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:fd8c71214f6455c75ec44ae99eb9f7ffc85f260ccce69d4367eb2e5d568facd9 -c "cp /usr/bin/wolfictl /out"
+ docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:dd55b59445eb3a4324b6d186e15522805692504f4830ee375286ace346e5a097 -c "cp /usr/bin/wolfictl /out"
 echo "$TMP" >> $GITHUB_PATH - name: 'Build Wolfi'
diff --git a/.github/workflows/wolfictl-check-update.yaml b/.github/workflows/wolfictl-check-update.yaml
index 64070ab1403..0a82a9a36e0 100644
--- a/.github/workflows/wolfictl-check-update.yaml
+++ b/.github/workflows/wolfictl-check-update.yaml
@@ -28,7 +28,7 @@ jobs:
 - name: Check id: check if: ${{ steps.files.outputs.all_changed_files != '' }}
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with:
diff --git a/.github/workflows/wolfictl-lint.yaml b/.github/workflows/wolfictl-lint.yaml
index d1aede1d9de..bdcfa07d768 100644
--- a/.github/workflows/wolfictl-lint.yaml
+++ b/.github/workflows/wolfictl-lint.yaml
@@ -19,13 +19,13 @@ jobs:
 - uses: actions/checkout@v3 - name: Lint id: lint
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 with: entrypoint: wolfictl args: lint --skip-rule no-makefile-entry-for-package - name: Enforce YAML formatting id: lint-yaml
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 with: entrypoint: wolfictl args: lint yam
diff --git a/.github/workflows/wolfictl-update-gh.yaml b/.github/workflows/wolfictl-update-gh.yaml
index cd604379f68..329f1277f20 100644
--- a/.github/workflows/wolfictl-update-gh.yaml
+++ b/.github/workflows/wolfictl-update-gh.yaml
@@ -23,7 +23,7 @@ jobs:
 steps: - uses: actions/checkout@v3
- - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 with: entrypoint: wolfictl args: update https://github.com/${{github.repository}} --release-monitoring-query=false --github-labels request-version-update --github-labels "automated pr"
diff --git a/.github/workflows/wolfictl-update-rm.yaml b/.github/workflows/wolfictl-update-rm.yaml
index b84fe2755e0..4fffe3919a6 100644
--- a/.github/workflows/wolfictl-update-rm.yaml
+++ b/.github/workflows/wolfictl-update-rm.yaml
@@ -23,7 +23,7 @@ jobs:
 steps: - uses: actions/checkout@v3
- - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:5876ee08b32ee3e9ff0d4c83867d168bbefe6b1e6cc5bee1f07442e5493ca6e4
+ - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7e693b6957ee6e3d66a9446dc2cd604dbf86f31fa4d8b9200fd8c7a742c5928c
 with: entrypoint: wolfictl args: update https://github.com/${{github.repository}} --github-release-query=false --github-labels request-version-update --github-labels "automated pr"