diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml
index 875f35c0fa3..f539df116e2 100644
--- a/.github/workflows/build-world.yaml
+++ b/.github/workflows/build-world.yaml
@@ -24,7 +24,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index feedb046e4f..7b1b771c867 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -142,7 +142,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
 
     steps:
       - uses: actions/checkout@v4
@@ -241,7 +241,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 4cae89cb779..40e91b503f0 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -33,7 +33,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -70,7 +70,7 @@ jobs:
       group: wolfi-builder-${{ matrix.arch }}
     needs: changes
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
     outputs:
@@ -187,7 +187,7 @@ jobs:
     name: "ABI Compatibility check"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 
@@ -226,7 +226,7 @@ jobs:
     name: "Scan packages for CVEs"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 
diff --git a/.github/workflows/lint-world.yaml b/.github/workflows/lint-world.yaml
index d9fea133b01..7fd84f4d0d6 100644
--- a/.github/workflows/lint-world.yaml
+++ b/.github/workflows/lint-world.yaml
@@ -29,7 +29,7 @@ jobs:
       group: wolfi-os-builder-${{ matrix.arch }}
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/withdraw-packages.yaml b/.github/workflows/withdraw-packages.yaml
index 011f7d169f8..aa3b26eb990 100644
--- a/.github/workflows/withdraw-packages.yaml
+++ b/.github/workflows/withdraw-packages.yaml
@@ -22,7 +22,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       - name: 'Authenticate to Google Cloud'
diff --git a/.github/workflows/wolfictl-check-update.yaml b/.github/workflows/wolfictl-check-update.yaml
index dfbca3e425b..3e8e92663fe 100644
--- a/.github/workflows/wolfictl-check-update.yaml
+++ b/.github/workflows/wolfictl-check-update.yaml
@@ -29,7 +29,7 @@ jobs:
     - name: Check
       id: check
       if: ${{ steps.files.outputs.all_changed_files != '' }}
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:382a366643d438427f7be0c2177f8de4525e62660811d1bdf72ac817be531920
+      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:f71c4f87add3bcdcaa5e847dddce00c119df4e69d58d352648e2b3397b9843b1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
diff --git a/.github/workflows/wolfictl-lint.yaml b/.github/workflows/wolfictl-lint.yaml
index d3007bc4989..1e0d2c3f3a3 100644
--- a/.github/workflows/wolfictl-lint.yaml
+++ b/.github/workflows/wolfictl-lint.yaml
@@ -19,13 +19,13 @@ jobs:
     - uses: actions/checkout@v4
     - name: Lint
       id: lint
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:382a366643d438427f7be0c2177f8de4525e62660811d1bdf72ac817be531920
+      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:f71c4f87add3bcdcaa5e847dddce00c119df4e69d58d352648e2b3397b9843b1
       with:
         entrypoint: wolfictl
         args: lint --skip-rule no-makefile-entry-for-package
     - name: Enforce YAML formatting
       id: lint-yaml
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:382a366643d438427f7be0c2177f8de4525e62660811d1bdf72ac817be531920
+      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:f71c4f87add3bcdcaa5e847dddce00c119df4e69d58d352648e2b3397b9843b1
       with:
         entrypoint: wolfictl
         args: lint yam
diff --git a/.github/workflows/wolfictl-update-gh.yaml b/.github/workflows/wolfictl-update-gh.yaml
index 2bd63ed9aef..39003638405 100644
--- a/.github/workflows/wolfictl-update-gh.yaml
+++ b/.github/workflows/wolfictl-update-gh.yaml
@@ -29,7 +29,7 @@ jobs:
         scope: ${{ github.repository }}
         identity: github-updates
 
-    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:382a366643d438427f7be0c2177f8de4525e62660811d1bdf72ac817be531920
+    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:f71c4f87add3bcdcaa5e847dddce00c119df4e69d58d352648e2b3397b9843b1
       with:
         entrypoint: wolfictl
         args: update https://github.com/${{github.repository}} --release-monitoring-query=false --github-labels request-version-update --github-labels "automated pr"
diff --git a/.github/workflows/wolfictl-update-rm.yaml b/.github/workflows/wolfictl-update-rm.yaml
index 7888658deb3..7ac33568721 100644
--- a/.github/workflows/wolfictl-update-rm.yaml
+++ b/.github/workflows/wolfictl-update-rm.yaml
@@ -29,7 +29,7 @@ jobs:
         scope: ${{ github.repository }}
         identity: release-monitoring-updates
 
-    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:382a366643d438427f7be0c2177f8de4525e62660811d1bdf72ac817be531920
+    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:f71c4f87add3bcdcaa5e847dddce00c119df4e69d58d352648e2b3397b9843b1
       with:
         entrypoint: wolfictl
         args: update https://github.com/${{github.repository}} --github-release-query=false --github-labels request-version-update --github-labels "automated pr"
diff --git a/Makefile b/Makefile
index 1dc98f58e17..c293845a665 100644
--- a/Makefile
+++ b/Makefile
@@ -161,7 +161,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)
@@ -226,6 +226,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
+		ghcr.io/wolfi-dev/sdk:latest@sha256:70d2cc25253f3597fec405a17953c28e4b8faefc2813f6649a59ef6d7b8e3493
 	@rm "$(TMP_REPOSITORIES_FILE)"
 	@rmdir "$(TMP_REPOSITORIES_DIR)"