diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cf086fae..84ba61ea 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -49,7 +49,7 @@ jobs:
with:
egress-policy: audit
- - uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+ - uses: octo-sts/action@a26b0c6455c7f13316f29a8766287f939e75f6c8 # v1.0.2
id: octo-sts
with:
scope: ${{ github.repository }}
@@ -73,7 +73,7 @@ jobs:
fi
- name: Bump and push Git tag
- uses: chainguard-dev/actions/git-tag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1
+ uses: chainguard-dev/actions/git-tag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2
if: steps.check.outputs.bump == 'yes'
with:
token: ${{ steps.octo-sts.outputs.token }}
diff --git a/.github/workflows/test-apt-faster.yaml b/.github/workflows/test-apt-faster.yaml
index 4272f73a..adbd902f 100644
--- a/.github/workflows/test-apt-faster.yaml
+++ b/.github/workflows/test-apt-faster.yaml
@@ -42,13 +42,19 @@ jobs:
set -o pipefail
sudo apt-get --quiet update 2>&1 | tee apt-get-update.log
- - name: "check apt install"
+ - name: "check apt-get install"
shell: bash
run: |
set -o pipefail
sudo apt-get --quiet --assume-yes install \
python3-venv qemu-system-x86 | tee apt-get-install.log
+ - name: "check apt install"
+ shell: bash
+ run: |
+ set -o pipefail
+ sudo apt install -y libcap-dev | tee apt-install.log
+
- name: "show configs"
shell: bash
run: |
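Review bot: The new `check apt install` step sends only stdout to apt-install.log, while the update step above captures both streams with `2>&1 | tee`; anything the wrapped `apt` writes to stderr (apt's own warning about non-interactive use, or the wrapper's `1>&2` diagnostics) will be missing from the log if a later step inspects it. If the log is meant to be checked like the other two, `sudo apt install -y libcap-dev 2>&1 | tee apt-install.log` keeps the three steps consistent. The existing `check apt-get install` step has the same gap; it is pre-existing but could be aligned in the same commit. Whether the later steps actually grep apt-install.log is not visible in this hunk.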
@@ -80,31 +86,42 @@ jobs:
stderr() { echo "$@" 1>&2; }
tfail() { echo "FAIL:" "$@"; fails=$((fails+1)); }
tpass() { echo "PASS:" "$@"; }
+
+ # shellcheck disable=SC2317
nomatch() {
for f in "$@"; do [ -e "$f" ] && return 1; done
return 0
}
+ # shellcheck disable=SC2317
+ file_or_stdin() {
+ [ "$1" = "-" ] && return 0
+ [ -f "$1" ] && [ -r "$1" ] && return 0
+ stderr "file '$1' - not a file or not readable"
+ return 1
+ }
+
+ # shellcheck disable=SC2317
grep_is() {
local str="$1" file="$2" exp="$3" out=""
- [ -f "$file" -a -r "$file" ] || [ "$file" = "-" ] ||
- { stderr "file '$file' - not a file or not readable"; return 1; }
+ file_or_stdin "$file" || return 1
out=$(grep -- "$str" "$file")
[ "$out" = "$exp" ] && return 0
stderr "grep '$str' '$file' expected '$exp' found '$out'"
return 1
}
+ # shellcheck disable=SC2317
grep_has() {
local str="$1" file="$2" exp="$3" out=""
- [ -f "$file" -a -r "$file" ] || [ "$file" = "-" ] ||
- { stderr "file '$file' - not a file or not readable"; return 1; }
+ file_or_stdin "$file" || return 1
out=$(grep -- "$str" "$file")
printf "%s\n" "$out" | grep -q -- "$exp" && return 0
stderr "grep '$str' '$file' did not contain '$exp'. contents: $out"
return 1
}
+ # shellcheck disable=SC2317
empty_file() {
local f="$1"
[ -f "$f" ] && [ ! -s "$f" ]
diff --git a/.github/workflows/test-argo-workflows.yaml b/.github/workflows/test-argo-workflows.yaml
index ad939d6b..42c7bbc4 100644
--- a/.github/workflows/test-argo-workflows.yaml
+++ b/.github/workflows/test-argo-workflows.yaml
@@ -27,7 +27,7 @@ jobs:
persist-credentials: false
- name: Install Kind
- uses: chainguard-dev/actions/setup-kind@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1
+ uses: chainguard-dev/actions/setup-kind@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2
- name: Install Argo Workflows
uses: ./setup-argo-workflows
diff --git a/.github/workflows/test-setup-kind.yaml b/.github/workflows/test-setup-kind.yaml
index ae7266ba..a5c5b4c7 100644
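Review bot: Each of the five `# shellcheck disable=SC2317` lines suppresses the "command appears unreachable" warning without recording why the helpers trigger it, so a later reader cannot tell whether the suppression is still needed; add one explanatory comment above the first directive, e.g. `# SC2317: shellcheck cannot see the call sites of these helpers (they run later in this script)`, with the actual reason confirmed rather than assumed. Because every helper carries the identical directive, a single directive placed before the first command of the script would replace the repetition, provided the script's head (outside this hunk) has room for it. The `file_or_stdin` extraction itself keeps the old semantics, including treating `-` as stdin, so the behavioural change is limited to the new helper.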
--- a/.github/workflows/test-setup-kind.yaml
+++ b/.github/workflows/test-setup-kind.yaml
@@ -98,6 +98,6 @@ jobs:
- name: Collect diagnostics
if: ${{ failure() }}
- uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1
+ uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2
with:
artifact-name: logs.${{ matrix.k8s-version }}
diff --git a/apt-faster/action.yaml b/apt-faster/action.yaml
index 7fb583f7..1618be6b 100644
--- a/apt-faster/action.yaml
+++ b/apt-faster/action.yaml
@@ -19,27 +19,27 @@ runs: run: | sudo tee /usr/bin/apt-get.aptfaster >/dev/null <<"EOF" #!/bin/sh - a=" $* " emd="eatmydata" - if ! command -v eatmydata >/dev/null 2>&1; then - emd="" - if [ "$(id -u)" = "0" ] && - [ "${a#* install }" != "$a" -o "${a#* upgrade }" != "$a" -o \ - "${a#* dist-upgrade }" != "$a" ]; then - # we are root, this is install, so install emd - echo "=== first installing eatmydata ===" 1>&2 - out=$(DEBIAN_FRONTEND=noninteractive "$0.distrib" install \ - --quiet --assume-yes eatmydata 2>&1) - ret=$? - if [ $ret -ne 0 ]; then - echo "FAILED: $out" 1>&2; - echo "failed to install libeatmydata." - exit $ret - fi - emd="eatmydata" + wrap="" + if ! command -v "$emd" >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then + a=" $* " + if [ "${a#* install }" != "$a" ] || + [ "${a#* upgrade }" != "$a" ] || + [ "${a#* dist-upgrade }" != "$a" ] || + [ "${a#* full-upgrade }" != "$a" ]; then + echo "=== first installing $emd ===" 1>&2 + out=$(DEBIAN_FRONTEND=noninteractive "$0.distrib" install \ + --quiet --assume-yes "$emd" 2>&1) + ret=$? + if [ $ret -ne 0 ]; then + printf "%s\n" \ + "FAILED: $out" "FATAL: failed to install $emd" 1>&2 + exit $ret + fi + wrap="$emd" fi - fi 1>&2 , + include + + profile local-bwrap /usr/bin/bwrap flags=(unconfined) { + userns, + # Site-specific additions and overrides. See local/README for details. + include if exists + } + EOF + + sudo systemctl reload apparmor + if ! bwrap --unshare-user --bind / / true ; then + echo "FATAL: failed to verify 'bwrap --unshare-user'" + which bwrap || : + ls /proc/self/ns || echo "no /proc/self/ns" + kver=$(uname -r) || echo "uname -r failed" + if config="/boot/config-$kver" && [ -f "$config" ]; then + grep CONFIG_USER_NS "$config" || echo "no CONFIG_USER_NS in $config" + fi + exit 1 + fi + echo "bubblewrap (bwrap) installed successfully." - name: 'Install melange' if: 
@@ -65,18 +84,24 @@ runs:
;;
latest-release)
# fetch the latest 20 releases, we need to filter by the ones that have assets.
- releases=$(curl -s -u "username:${{ github.token }}" https://api.github.com/repos/chainguard-dev/melange/releases?per_page=20)
+ tmpf=$(mktemp)
+ url="https://api.github.com/repos/chainguard-dev/melange/releases/latest"
+ curl --fail -s -u "username:${{ github.token }}" "$url" > "$tmpf" ||
+ { echo "error in github api call for latest melange release"; exit 1; }
+ tag=$(jq -r .tag_name < "$tmpf") ||
+ { echo "error parsing json from $url"; exit 1; }
- # search for the first release that has assets.
- tag=$(echo $releases | jq -r 'first(.[] | select(.assets | length > 0) | .tag_name)')
- if [[ -z ${tag} ]]; then
+ if [ -z "$tag" ]; then
# this should, ideally, never happen.
echo "No melange release with assets found"
exit 1
fi
+ rm -f "$tmpf"
+ echo "Found 'latest-release' for melange is '$tag'"
;;
*)
tag="${{ inputs.version }}"
+ ;;
esac
if [[ ! -z ${tag} ]]; then
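Review bot: The file created by `tmpf=$(mktemp)` is only removed on the success path; the `exit 1` branches after the curl call, after the jq call and inside the empty-tag check all leave it behind, so `trap 'rm -f "$tmpf"' EXIT` directly after the mktemp line (dropping the later `rm -f "$tmpf"`) covers every exit. A response with no `tag_name` field makes `jq -r .tag_name` print the literal string `null`, which passes the `[ -z "$tag" ]` guard; `tag=$(jq -r '.tag_name // empty' < "$tmpf")` keeps the guard effective, and `-sS` instead of `-s` lets curl's own error text reach the log on the failure path. The context comment `# fetch the latest 20 releases, we need to filter by the ones that have assets.` and the message `No melange release with assets found` now describe the removed code, since the new call hits `/releases/latest`, which GitHub documents as already excluding drafts and prereleases; `# fetch the newest non-draft, non-prerelease melange release` would match the new behaviour. The enclosing `case` statement starts before this hunk.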