diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml
index 1c910d10473..3121e252ba2 100644
--- a/.github/workflows/build-world.yaml
+++ b/.github/workflows/build-world.yaml
@@ -20,7 +20,7 @@ jobs: fail-fast: false container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f
 options: | --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 998bd5586bd..0f762085ace 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -31,7 +31,7 @@ jobs: # permissions: container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f
 # TODO: Deprivilege options: | --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -104,7 +104,7 @@ jobs: container: # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f
 steps: - uses: actions/checkout@v3
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 9572fbc2e84..aec7fde8eb4 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -27,7 +27,7 @@ jobs: run: | # Copy wolfictl out of the wolfictl image and onto PATH TMP=$(mktemp -d)
- docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102 -c "cp /usr/bin/wolfictl /out"
+ docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f -c "cp /usr/bin/wolfictl /out"
 echo "$TMP" >> $GITHUB_PATH # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-16-core needs: changes container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f
 options: | --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
diff --git a/.github/workflows/dag-push-production.yaml b/.github/workflows/dag-push-production.yaml
index 4f0b99b8153..900452324c0 100644
--- a/.github/workflows/dag-push-production.yaml
+++ b/.github/workflows/dag-push-production.yaml
@@ -156,7 +156,7 @@ jobs: --cpu=30 --ram=100Gi \ --bucket=${BUCKET} \ --src-bucket=${SRC_BUCKET} \
- --sdk-image ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102 \
+ --sdk-image ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f \
 --pending-timeout=20m \ --secret-key \ --arch=arm64
diff --git a/.github/workflows/push-production.yaml b/.github/workflows/push-production.yaml
index 84fd1bf7c9f..430ff4b2664 100644
--- a/.github/workflows/push-production.yaml
+++ b/.github/workflows/push-production.yaml
@@ -68,7 +68,7 @@ jobs: run: | # Copy wolfictl out of the wolfictl image and onto PATH TMP=$(mktemp -d)
- docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:bff8933f9d36cd8b2abd059df2aa279a110852a8f9e26da5f0e6a398a7598102 -c "cp /usr/bin/wolfictl /out"
+ docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:21b9395fdd2e30a5a3f222cdb52e626280423eaac0238266886cb85140a3939f -c "cp /usr/bin/wolfictl /out"
 echo "$TMP" >> $GITHUB_PATH - name: 'Build Wolfi'
diff --git a/.github/workflows/wolfictl-check-update.yaml b/.github/workflows/wolfictl-check-update.yaml
index 4624dcfcbe9..bfc8859c002 100644
--- a/.github/workflows/wolfictl-check-update.yaml
+++ b/.github/workflows/wolfictl-check-update.yaml
@@ -28,7 +28,7 @@ jobs: - name: Check id: check if: ${{ steps.files.outputs.all_changed_files != '' }}
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:4db845fa9cda54bc3427fa8419abc6334f123388ec32dcc6fd22917483af313b
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:bdb4532885085c1cc086f3cf100525231b49ea41609fb8555c5dc57ea6656b9a
 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with:
diff --git a/.github/workflows/wolfictl-lint.yaml b/.github/workflows/wolfictl-lint.yaml
index a4ce587f3c7..138cd173164 100644
--- a/.github/workflows/wolfictl-lint.yaml
+++ b/.github/workflows/wolfictl-lint.yaml
@@ -19,13 +19,13 @@ jobs: - uses: actions/checkout@v3 - name: Lint id: lint
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:4db845fa9cda54bc3427fa8419abc6334f123388ec32dcc6fd22917483af313b
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:bdb4532885085c1cc086f3cf100525231b49ea41609fb8555c5dc57ea6656b9a
 with: entrypoint: wolfictl args: lint --skip-rule no-makefile-entry-for-package - name: Enforce YAML formatting id: lint-yaml
- uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:4db845fa9cda54bc3427fa8419abc6334f123388ec32dcc6fd22917483af313b
+ uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:bdb4532885085c1cc086f3cf100525231b49ea41609fb8555c5dc57ea6656b9a
 with: entrypoint: wolfictl args: lint yam
diff --git a/.github/workflows/wolfictl-update-gh.yaml b/.github/workflows/wolfictl-update-gh.yaml
index ec775864d57..d70d1e63064 100644
--- a/.github/workflows/wolfictl-update-gh.yaml
+++ b/.github/workflows/wolfictl-update-gh.yaml
@@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v3
- - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:4db845fa9cda54bc3427fa8419abc6334f123388ec32dcc6fd22917483af313b
+ - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:bdb4532885085c1cc086f3cf100525231b49ea41609fb8555c5dc57ea6656b9a
 with: entrypoint: wolfictl args: update https://github.com/${{github.repository}} --release-monitoring-query=false --github-labels request-version-update --github-labels "automated pr"
diff --git a/.github/workflows/wolfictl-update-rm.yaml b/.github/workflows/wolfictl-update-rm.yaml
index 64084b8e13d..e8a451db4ef 100644
--- a/.github/workflows/wolfictl-update-rm.yaml
+++ b/.github/workflows/wolfictl-update-rm.yaml
@@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v3
- - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:4db845fa9cda54bc3427fa8419abc6334f123388ec32dcc6fd22917483af313b
+ - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:bdb4532885085c1cc086f3cf100525231b49ea41609fb8555c5dc57ea6656b9a
 with: entrypoint: wolfictl args: update https://github.com/${{github.repository}} --github-release-query=false --github-labels request-version-update --github-labels "automated pr"