diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml
index 3fc5562be2..ce2473c5f7 100644
--- a/.github/actions/docker-run/action.yaml
+++ b/.github/actions/docker-run/action.yaml
@@ -6,7 +6,7 @@ inputs:
 required: true
 image:
 description: "The image to use"
- default: "ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0"
+ default: "ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420"
 required: false
 workdir:
 description: "The images working directory"
diff --git a/.github/workflows/build-beta.yaml b/.github/workflows/build-beta.yaml
index f6d515492f..e72e25ba0f 100644
--- a/.github/workflows/build-beta.yaml
+++ b/.github/workflows/build-beta.yaml
@@ -152,7 +152,7 @@ jobs:
 container:
 # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/build-old.yaml b/.github/workflows/build-old.yaml
index af65aa7c90..0ddbe0d9e0 100644
--- a/.github/workflows/build-old.yaml
+++ b/.github/workflows/build-old.yaml
@@ -26,7 +26,7 @@ jobs:
 contents: read
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 # TODO: Deprivilege
 options: |
 --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -139,7 +139,7 @@ jobs:
 container:
 # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 steps:
 - name: Harden Runner
@@ -262,7 +262,7 @@ jobs:
 container:
 # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml
index 1c1fdcbe53..e7fbc11f14 100644
--- a/.github/workflows/build-world.yaml
+++ b/.github/workflows/build-world.yaml
@@ -27,7 +27,7 @@ jobs:
 # permissions:
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 # TODO: Deprivilege
 options: |
 --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a75db7549e..baa5d9a8b6 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -29,7 +29,7 @@ jobs:
 contents: read
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 # TODO: Deprivilege
 options: |
 --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -175,7 +175,7 @@ jobs:
 container:
 # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 steps:
 - name: Harden Runner
@@ -303,7 +303,7 @@ jobs:
 container:
 # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/lint-world.yaml b/.github/workflows/lint-world.yaml
index c1e813e5ca..8cc69a20fc 100644
--- a/.github/workflows/lint-world.yaml
+++ b/.github/workflows/lint-world.yaml
@@ -32,7 +32,7 @@ jobs:
 group: wolfi-os-builder-${{ matrix.arch }}
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 steps:
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
diff --git a/.github/workflows/postsubmit-bundle-build.yaml b/.github/workflows/postsubmit-bundle-build.yaml
index 2e497dc678..64fbab0581 100644
--- a/.github/workflows/postsubmit-bundle-build.yaml
+++ b/.github/workflows/postsubmit-bundle-build.yaml
@@ -30,7 +30,7 @@ jobs:
 runs-on: ubuntu-latest
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 permissions:
 id-token: write
@@ -114,7 +114,7 @@ jobs:
 )
 BUNDLE=$(wolfictl bundle \
- --bundle-base ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0 \
+ --bundle-base ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420 \
 --bundle-repo "${BUNDLE_REPO}" \
 ${COMMON_FLAGS} \
 --runner bubblewrap \
diff --git a/Makefile b/Makefile
index 749da08891..6b775225dc 100644
--- a/Makefile
+++ b/Makefile
@@ -156,7 +156,7 @@ dev-container:
 -v "${PWD}:${PWD}" \
 -w "${PWD}" \
 -e SOURCE_DATE_EPOCH=0 \
- ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 # This target spins up a docker container that is helpful for testing local
@@ -223,6 +223,6 @@ dev-container-wolfi:
 --mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 --mount type=bind,source="$(TMP_REPOS_FILE)",destination="/etc/apk/repositories",readonly \
 -w "$(PACKAGES_CONTAINER_FOLDER)" \
- ghcr.io/wolfi-dev/sdk:latest@sha256:dbeee4a8febf4ee668d87a60fa16d51e9b0802f76581b052c2349fd00bbb12a0
+ ghcr.io/wolfi-dev/sdk:latest@sha256:1674addbde81a3228d19516119c48e2b55ec41159383d3cd4d8b76be6d316420
 @rm "$(TMP_REPOS_FILE)"
 @rmdir "$(TMP_REPOS_DIR)"