diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 808e0d6c4e..9ccdda5208 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -29,6 +29,19 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + id: cache + with: + path: ~/.local/share/aquaproj-aqua + key: ${{ runner.os }}-${{ hashFiles('./.github/workflows/resources/aqua.yaml') }} + + - if: ${{ steps.cache.outputs.cache-hit != 'true' }} + name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: @@ -36,11 +49,7 @@ jobs: username: "${{ secrets.BOT_APP_ID }}" password: "${{ steps.app-token.outputs.token }}" - - name: Setup Flux - uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2 - - name: Diff Resources - # uses: allenporter/flux-local/action/diff@19bfc6920e8964a479363bc230e6c329120ead02 # 3.2.0 uses: allenporter/flux-local/action/diff@flux-build id: diff with: diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index d22b022639..4210d71146 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml 
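Review bot: In flux-diff.yaml the `Install Aqua and CLI Tools` step is skipped whenever `steps.cache.outputs.cache-hit` is `'true'`, but as far as I know aqua-installer is also what puts aqua's bin directory on `PATH`. On a cache hit, later steps may therefore fail to find `flux`, or fall back to whatever tool versions the runner image ships instead of the ones pinned in aqua.yaml. I would drop the `if:` line and run the installer every time, so the cache only saves the downloads. The step also passes no `with: aqua_version:`, and nothing in the hunk points aqua at `.github/workflows/resources/aqua.yaml` (for example an `AQUA_CONFIG` env), so both are worth confirming unless they are set outside the hunk. No checkout step is visible before the cache step here, and `hashFiles()` returns an empty string when the file is not in the workspace, which would leave a constant `<os>-` key; the same two steps are repeated in flux-hr-sync.yaml, flux-hr-test-image.yaml and publish-terraform.yaml.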
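Review bot: The `Diff Resources` step in flux-diff.yaml still runs `allenporter/flux-local/action/diff@flux-build`, a branch reference, and this hunk deletes the commented-out pinned line that recorded what to go back to. Every other action visible in the workflow is pinned to a commit SHA, and this job holds the App token used for the registry login just above, so any change pushed to that branch runs next to those credentials without review here. I would pin it the same way, `uses: allenporter/flux-local/action/diff@<commit-sha> # flux-build`, and bump the SHA deliberately. The rest of the step lies outside the hunk.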
@@ -38,17 +38,18 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Setup Tools - shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - - name: Setup Kube Tools - uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + id: cache with: - setup-tools: yq + path: ~/.local/share/aquaproj-aqua + key: ${{ runner.os }}-${{ hashFiles('./.github/workflows/resources/aqua.yaml') }} - - name: Setup Flux - uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2 + - if: ${{ steps.cache.outputs.cache-hit != 'true' }} + name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Write kubeconfig id: kubeconfig diff --git a/.github/workflows/flux-hr-test-image.yaml b/.github/workflows/flux-hr-test-image.yaml index 7d7725f16a..7eca927a8d 100644 --- a/.github/workflows/flux-hr-test-image.yaml +++ b/.github/workflows/flux-hr-test-image.yaml @@ -70,10 +70,18 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Setup Kube Tools - uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + id: cache with: - setup-tools: helm kustomize + path: ~/.local/share/aquaproj-aqua + key: ${{ runner.os }}-${{ hashFiles('./.github/workflows/resources/aqua.yaml') }} + + - if: ${{ steps.cache.outputs.cache-hit != 'true' }} + name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Extract Images from HelmRelease id: extract-images 
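Review bot: In flux-hr-sync.yaml the installer step is given `GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"`, the GitHub App installation token, although aqua appears to need a token only to fetch release assets from the public repositories listed in aqua.yaml without hitting API rate limits. Passing the job's default token instead, `GITHUB_TOKEN: "${{ github.token }}"`, keeps the App's permissions away from a third-party installer and the binaries it downloads. The same line appears in the install step added to flux-diff.yaml, flux-hr-test-image.yaml and publish-terraform.yaml.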
diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index a7d0b82a5d..a08bc187a9 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -27,6 +27,24 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" + - name: Generate tag + id: generate-tag + shell: bash + run: echo "tag=ghcr.io/${{ github.repository_owner }}/manifests/terraform:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}" + + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + id: cache + with: + path: ~/.local/share/aquaproj-aqua + key: ${{ runner.os }}-${{ hashFiles('./.github/workflows/resources/aqua.yaml') }} + + - if: ${{ steps.cache.outputs.cache-hit != 'true' }} + name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: @@ -37,14 +55,6 @@ jobs: # username: "${{ secrets.BOT_APP_ID }}" # password: "${{ steps.app-token.outputs.token }}" - - name: Setup Flux - uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2 - - - name: Generate tag - id: generate-tag - shell: bash - run: echo "tag=ghcr.io/${{ github.repository_owner }}/manifests/terraform:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}" - - name: Publish manifests shell: bash run: | diff --git a/.github/workflows/resources/aqua.yaml b/.github/workflows/resources/aqua.yaml new file mode 100644 index 0000000000..2ba7e5e515 --- /dev/null +++ b/.github/workflows/resources/aqua.yaml @@ -0,0 +1,11 @@ +--- +registries: + - type: standard + ref: v4.107.0 + +packages: + - name: fluxcd/flux2@v2.2.2 + - name: helm/helm@v3.13.3 + - name: kubernetes-sigs/kustomize@kustomize/v5.3.0 + - name: kubernetes/kubectl@v1.29.0 + - name: mikefarah/yq@v4.40.5 
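Review bot: The new aqua.yaml pins each package to a version tag but does not enable checksum verification, so the downloaded `flux`, `helm`, `kustomize`, `kubectl` and `yq` binaries are trusted as served. aqua can verify them against a committed `aqua-checksums.json`; I would add a `checksum:` block with `enabled: true` and `require_checksum: true` and generate the file with `aqua update-checksum`. That matters more here because the workflows restore these executables from a cache and then run them in jobs that hold registry and App tokens.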
diff --git a/.github/workflows/resources/extract-images.mjs b/.github/workflows/resources/extract-images.mjs index a5c43d2a48..06ccb2b938 100644 --- a/.github/workflows/resources/extract-images.mjs +++ b/.github/workflows/resources/extract-images.mjs @@ -72,10 +72,10 @@ async function helmTemplate(release, repository) { // Template out helm values into Kubernetes manifests let manifests if ('type' in repository.spec && repository.spec.type == 'oci') { - manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` + manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` } else { await $`${helm} repo add ${release.spec.chart.spec.sourceRef.name} ${repository.spec.url}` - manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` + manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` } let documents = YAML.parseAllDocuments(manifests.stdout.trim()).map((item) => item.toJS())
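Review bot: The two `helm template` invocations in helmTemplate are identical except for the chart reference, so `--skip-tests` had to be added twice and the next flag change can easily land in only one branch. I would compute the reference in the `if`/`else` (`repository.spec.url + '/' + release.spec.chart.spec.chart` for OCI, `release.spec.chart.spec.sourceRef.name + '/' + release.spec.chart.spec.chart` otherwise) and issue a single `helm template` call after it. A short comment such as `// --skip-tests: leave test-hook manifests out of the rendered output` would also record why the flag is there. helmTemplate starts and ends outside the hunk.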