diff --git a/.github/workflows/flux-image-test.yaml b/.github/workflows/flux-image-test.yaml
new file mode 100644
index 0000000000000..37b8c0169e110
--- /dev/null
+++ b/.github/workflows/flux-image-test.yaml
@@ -0,0 +1,158 @@
+---
+ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+ name: "Flux Image Test"
+
+ on:
+ pull_request:
+ branches: ["main"]
+ paths: ["kubernetes/**"]
+
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+ cancel-in-progress: true
+
+ jobs:
+ changed-files:
+ name: Get Changed Files
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
+ steps:
+ - name: Generate Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: "${{ secrets.BOT_APP_ID }}"
+ private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ token: "${{ steps.app-token.outputs.token }}"
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v41
+ with:
+ files: kubernetes/**
+ dir_names_max_depth: 2
+ dir_names: true
+ json: true
+ escape_json: false
+
+ - name: List all changed files
+ run: echo "${{ steps.changed-files.outputs.all_changed_and_modified_files }}"
+
+ extract-images:
+ name: Flux Image Test
+ runs-on: ubuntu-latest
+ needs: ["changed-files"]
+ permissions:
+ pull-requests: write
+ strategy:
+ matrix:
+ paths: ${{ fromJSON(needs.changed-files.outputs.matrix) }}
+ max-parallel: 4
+ fail-fast: false
+ outputs:
+ matrix: ${{ steps.extract-images.outputs.images }}
+ steps:
+ - name: Generate Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: "${{ secrets.BOT_APP_ID }}"
+ private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+ - name: Setup System Tools
+ shell: bash
+ run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo
+
+ - name: Setup Workflow Tools
+ uses: jdx/rtx-action@v1
+ with:
+ install: true
+ cache: true
+ rtx_toml: |
+ [tools]
+ flux2 = "latest"
+ yq = "latest"
+
+ - name: Checkout Default Branch
+ uses: actions/checkout@v4
+ with:
+ token: "${{ steps.app-token.outputs.token }}"
+ ref: main
+ path: default
+
+ - name: Checkout Pull Request Branch
+ uses: actions/checkout@v4
+ with:
+ token: "${{ steps.app-token.outputs.token }}"
+ path: pull
+
+ - name: Gather Images in Default Branch
+ uses: docker://ghcr.io/allenporter/flux-local:pr-472
+ with:
+ args: >-
+ get cluster
+ --path /github/workspace/default/${{ matrix.paths }}
+ --enable-images
+ --output yaml
+ --output-file default.yaml
+
+ - name: Filter Default Branch Results
+ shell: bash
+ run: |
+ yq -r '[.. | .images? | select(. != null)] | flatten | sort | unique | .[]' \
+ default.yaml > default.txt
+
+ - name: Gather Images in Pull Request Branch
+ uses: docker://ghcr.io/allenporter/flux-local:pr-472
+ with:
+ args: >-
+ get cluster
+ --path /github/workspace/pull/${{ matrix.paths }}
+ --enable-images
+ --output yaml
+ --output-file pull.yaml
+
+ - name: Filter Pull Request Branch Results
+ shell: bash
+ run: |
+ yq -r '[.. | .images? | select(. != null)] | flatten | sort | unique | .[]' \
+ pull.yaml > pull.txt
+
+ - name: Diff results
+ id: extract-images
+ shell: bash
+ run: |
+ images=$(jo -a $(grep -vf default.txt pull.txt))
+ echo "images=${images}" >> $GITHUB_OUTPUT
+ echo "${images}"
+
+ test-images:
+ if: ${{ needs.extract-images.outputs.matrix != '[]' }}
+ name: Test images from Helm Release
+ runs-on: ubuntu-latest
+ needs: ["extract-images"]
+ strategy:
+ matrix:
+ images: ${{ fromJSON(needs.extract-images.outputs.matrix) }}
+ max-parallel: 4
+ fail-fast: false
+ steps:
+ - name: Test Images from Helm Release
+ run: docker pull ${{ matrix.images }}
+
+ # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
+ test-images-success:
+ if: ${{ always() }}
+ needs: ["test-images"]
+ name: Test images from Helm Release successful
+ runs-on: ubuntu-latest
+ steps:
+ - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+ name: Check matrix status
+ run: exit 1
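Review bot: The `run:` lines in "List all changed files" and "Test Images from Helm Release" expand `${{ … }}` expressions directly into the shell script, and both values derive from pull-request content (changed path names, and image references read from the PR branch's manifests), so a crafted path or image string would be interpreted as shell on the runner. Pass these values through `env:` and reference them as quoted shell variables, as in the block below. Separately, `tj-actions/changed-files@v41`, `jdx/rtx-action@v1`, the `flux-local:pr-472` container and the `latest` tool versions are mutable references used in jobs that mint the bot app token; pinning them to a commit SHA or image digest would narrow that exposure. Setting `persist-credentials: false` on the checkouts would also keep the token out of the working tree that flux-local reads.

```yaml
      # … unchanged: changed-files job steps through "Get changed files" …
      - name: List all changed files
        env:
          CHANGED: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        run: echo "$CHANGED"
      # … unchanged: extract-images job and test-images job header …
      - name: Test Images from Helm Release
        env:
          IMAGE: ${{ matrix.images }}
        run: docker pull "$IMAGE"
```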
diff --git a/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml
index 28f2af4caf91c..36285ac67b136 100644
--- a/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: cert-manager
- version: v1.13.3
+ version: v1.13.2
 sourceRef:
 kind: HelmRepository
 name: jetstack
diff --git a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml
index 8898dffbb404f..832dbe95b8052 100644
--- a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml
+++ b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: ingress-nginx
- version: 4.9.0
+ version: 4.8.3
 sourceRef:
 kind: HelmRepository
 name: ingress-nginx
diff --git a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml
index 919a509ff9522..de9bd4c695048 100644
--- a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml
+++ b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: ingress-nginx
- version: 4.9.0
+ version: 4.8.3
 sourceRef:
 kind: HelmRepository
 name: ingress-nginx
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
index fb2e475522ade..4024129e35cb5 100644
--- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: rook-ceph
- version: v1.13.1
+ version: v1.12.10
 sourceRef:
 kind: HelmRepository
 name: rook-ceph
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
index 30a8b4a2846d7..410591d19383b 100644
--- a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: rook-ceph-cluster
- version: v1.13.1
+ version: v1.12.10
 sourceRef:
 kind: HelmRepository
 name: rook-ceph