diff --git a/.github/workflows/check-code.yml b/.github/workflows/check-code.yml index 6370fd9..cf1e144 100644 --- a/.github/workflows/check-code.yml +++ b/.github/workflows/check-code.yml @@ -12,6 +12,10 @@ jobs: name: Check Code runs-on: ubuntu-latest steps: + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v4 + - name: Run the Magic Nix Cache + uses: DeterminateSystems/magic-nix-cache-action@v2 - uses: actions/checkout@v3 - name: Run check code - run: make check-code + run: nix develop -c make check-code diff --git a/.github/workflows/vendor/rust-check-code.yml b/.github/workflows/vendor/rust-check-code.yml index 6370fd9..cf1e144 100644 --- a/.github/workflows/vendor/rust-check-code.yml +++ b/.github/workflows/vendor/rust-check-code.yml @@ -12,6 +12,10 @@ jobs: name: Check Code runs-on: ubuntu-latest steps: + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v4 + - name: Run the Magic Nix Cache + uses: DeterminateSystems/magic-nix-cache-action@v2 - uses: actions/checkout@v3 - name: Run check code - run: make check-code + run: nix develop -c make check-code diff --git a/ci/vendir.lock.yml b/ci/vendir.lock.yml index 978e5cd..4439877 100644 --- a/ci/vendir.lock.yml +++ b/ci/vendir.lock.yml @@ -2,14 +2,14 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - git: - commitTitle: 'chore: add webhook config' - sha: 9d0f008e41df2f5d5e0461171c02fc0c4aee1d6f + commitTitle: 'chore: rm bundled-deps' + sha: 7cb2d7f641f5658e5abc01fb17047966f51d9ddb path: . path: ../.github/workflows/vendor - contents: - git: - commitTitle: 'chore: add webhook config' - sha: 9d0f008e41df2f5d5e0461171c02fc0c4aee1d6f + commitTitle: 'chore: rm bundled-deps' + sha: 7cb2d7f641f5658e5abc01fb17047966f51d9ddb path: . - path: ./vendor + path: vendor kind: LockConfig diff --git a/ci/vendir.yml b/ci/vendir.yml index 4d72a7e..e99966d 100644 --- a/ci/vendir.yml +++ b/ci/vendir.yml 
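Review bot: The two added steps reference third-party actions by mutable tag (`DeterminateSystems/nix-installer-action@v4` and `DeterminateSystems/magic-nix-cache-action@v2`), so whatever those tags point to at run time executes in this job. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<FULL_COMMIT_SHA>  # v4`, keeps a retagged release from changing what runs. The same applies to the identical hunk in `.github/workflows/vendor/rust-check-code.yml`. `actions/checkout@v3` in the context lines is tag-pinned as well, though this change does not touch it.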
@@ -8,7 +8,7 @@ directories: - path: . # Copy this folder out to .. git: url: https://github.com/GaloyMoney/concourse-shared.git - ref: 9d0f008e41df2f5d5e0461171c02fc0c4aee1d6f + ref: 7cb2d7f641f5658e5abc01fb17047966f51d9ddb includePaths: - shared/actions/* excludePaths: @@ -21,7 +21,7 @@ directories: - path: . git: url: https://github.com/GaloyMoney/concourse-shared.git - ref: 9d0f008e41df2f5d5e0461171c02fc0c4aee1d6f + ref: 7cb2d7f641f5658e5abc01fb17047966f51d9ddb includePaths: - shared/ci/**/* excludePaths: diff --git a/ci/vendor/pipeline-fragments.lib.yml b/ci/vendor/pipeline-fragments.lib.yml index d343b32..a960311 100644 --- a/ci/vendor/pipeline-fragments.lib.yml +++ b/ci/vendor/pipeline-fragments.lib.yml @@ -4,6 +4,10 @@ #@ return "us.gcr.io/galoy-org" #@ end +#@ def private_docker_registry(): +#@ return "gcr.io/galoy-org" +#@ end + #@ def nodejs_concourse_image(): #@ return public_docker_registry() + "/nodejs-concourse" #@ end @@ -40,6 +44,12 @@ source: repository: #@ release_concourse_image() #@ end +#@ def nix_task_image_config(): +type: registry-image +source: + repository: nixpkgs/nix-flakes +#@ end + #@ def slack_failure_notification(): #@ fail_url = "<$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME| :face_with_symbols_on_mouth: $BUILD_JOB_NAME> failed!" put: slack @@ -50,6 +60,26 @@ params: text: #@ fail_url #@ end +#@ def check_code(): +name: check-code +serial: true +plan: +- in_parallel: + - { get: repo, trigger: true } + - { get: pipeline-tasks } +- task: check-code + config: + platform: linux + image_resource: #@ nix_task_image_config() + inputs: + - name: bundled-deps + - name: pipeline-tasks + - name: repo + run: + path: pipeline-tasks/ci/vendor/tasks/check-code.sh +on_failure: #@ slack_failure_notification() +#@ end + #@ def nodejs_check_code(): name: check-code serial: true 
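Review bot: `nix_task_image_config()` sets `repository: nixpkgs/nix-flakes` with no tag or digest, so the new check-code task runs whatever image that repository currently serves under its default tag. The build-task hunk later in this file has the same issue with `repository: gcr.io/kaniko-project/executor` and `tag: debug`, which is a moving tag. Consider an explicit release tag for both, or a digest pin on the image resource (`version: {digest: <IMAGE_DIGEST>}`), so an upstream image change cannot silently alter what CI executes. This file is synced through vendir, so the change presumably belongs in concourse-shared.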
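Review bot: The new `check_code()` task lists `- name: bundled-deps` under `inputs`, but the plan's `in_parallel` step only fetches `repo` and `pipeline-tasks`. Unless something outside this hunk supplies that artifact, Concourse would be expected to reject the task for a missing input. The vendored commit title in `vendir.lock.yml` ('chore: rm bundled-deps') suggests the dependency was meant to go away. Dropping the `- name: bundled-deps` line, or marking that input `optional: true`, would match the plan as written. The hunk ends inside the following `nodejs_check_code()` definition, which is not fully visible here.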
@@ -134,6 +164,7 @@ plan: - { get: repo, trigger: true } - { get: pipeline-tasks } - task: #@ container + attempts: 2 timeout: 12m tags: ["galoy-staging"] config: @@ -260,21 +291,27 @@ plan: run: path: pipeline-tasks/ci/vendor/tasks/docker-prep-docker-build-env.sh - task: build - privileged: true config: platform: linux image_resource: type: registry-image source: - repository: vito/oci-build-task + repository: gcr.io/kaniko-project/executor + tag: debug inputs: - name: repo outputs: - name: image - params: - CONTEXT: repo run: - path: build + path: /kaniko/executor + args: + - --dockerfile=Dockerfile + - --context=repo + - --use-new-run + - --single-snapshot + - --cache=false + - --no-push + - --tar-path=image/image.tar - put: edge-image params: image: image/image.tar @@ -365,6 +402,7 @@ plan: platform: linux image_resource: #@ nodejs_task_image_config() inputs: + - name: repo - name: pipeline-tasks - name: edge-image - name: charts-repo @@ -401,14 +439,14 @@ source: private_key: #@ data.values.github_private_key #@ end -#@ def edge_image_resource(): +#@ def edge_image_resource(publicRepo = True): name: edge-image type: registry-image source: tag: edge username: #@ data.values.docker_registry_user password: #@ data.values.docker_registry_password - repository: #@ public_docker_registry() + "/" + data.values.gh_repository + repository: #@ public_docker_registry() + "/" + data.values.gh_repository if publicRepo else private_docker_registry() + "/" + data.values.gh_repository #@ end #@ def nodejs_deps_resource(webhook = False): 
@@ -472,13 +510,13 @@ source: private_key: #@ data.values.github_private_key #@ end -#@ def versioned_image_resource(): +#@ def versioned_image_resource(publicRepo = True): name: versioned-image type: registry-image source: username: #@ data.values.docker_registry_user password: #@ data.values.docker_registry_password - repository: #@ public_docker_registry() + "/" + data.values.gh_repository + repository: #@ public_docker_registry() + "/" + data.values.gh_repository if publicRepo else private_docker_registry() + "/" + data.values.gh_repository #@ end #@ def gh_release_resource(): diff --git a/ci/vendor/tasks/check-code.sh b/ci/vendor/tasks/check-code.sh new file mode 100644 index 0000000..2dcd194 --- /dev/null +++ b/ci/vendor/tasks/check-code.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +#! Auto synced from Shared CI Resources repository +#! Don't change this file, instead change it in github.com/GaloyMoney/concourse-shared + +set -eu + +pushd repo + +nix develop -c make check-code diff --git a/ci/vendor/tasks/docker-bump-image-digest.sh b/ci/vendor/tasks/docker-bump-image-digest.sh index f47ad52..2616b7b 100755 --- a/ci/vendor/tasks/docker-bump-image-digest.sh +++ b/ci/vendor/tasks/docker-bump-image-digest.sh @@ -12,7 +12,9 @@ export app_version=$(cat version/version) pushd charts-repo yq -i e '.image.digest = strenv(digest)' ./charts/${CHARTS_SUBDIR}/values.yaml -yq -i e '.image.git_ref = strenv(ref)' ./charts/${CHARTS_SUBDIR}/values.yaml + +sed -i "s|\(digest: \"${digest}\"\).*$|\1 # METADATA:: repository=https://github.com/GaloyMoney/${CHARTS_SUBDIR};commit_ref=${ref};app=${CHARTS_SUBDIR};|g" "./charts/${CHARTS_SUBDIR}/values.yaml" + yq -i e '.appVersion = strenv(app_version)' ./charts/${CHARTS_SUBDIR}/Chart.yaml if [[ -z $(git config --global user.email) ]]; then diff --git a/ci/vendor/tasks/test-on-docker-host.sh b/ci/vendor/tasks/test-on-docker-host.sh index a18691c..31f127c 100755 --- a/ci/vendor/tasks/test-on-docker-host.sh 
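Review bot: The added `sed` line in `docker-bump-image-digest.sh` interpolates `${digest}`, `${ref}` and `${CHARTS_SUBDIR}` straight into the pattern and the replacement, and it matches only when `values.yaml` holds the digest exactly as a double-quoted `digest: "..."` value. If yq writes the scalar unquoted, or a value contains `|`, `&` or a backslash, the substitution silently does nothing or writes a different comment. The chart bump would then proceed without the `commit_ref` provenance that the removed `.image.git_ref` field used to record. A check after the edit, e.g. `grep -q "commit_ref=${ref};" "./charts/${CHARTS_SUBDIR}/values.yaml" || exit 1`, would make that failure visible. The repository URL is also built from `${CHARTS_SUBDIR}`, which assumes the chart directory and the GitHub repository share a name.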
+++ b/ci/vendor/tasks/test-on-docker-host.sh @@ -30,7 +30,7 @@ ${SSH_PUB_KEY} EOF gcloud auth activate-service-account --key-file ${CI_ROOT}/gcloud-creds.json 2> /dev/null -gcloud_ssh "docker ps -qa | xargs docker rm -fv || true; sudo rm -rf ${REPO_PATH}" +gcloud_ssh "docker ps -qa | xargs docker rm -fv || true; sudo rm -rf ${REPO_PATH} || true; mkdir -p ${REPO_PATH} && cd ${REPO_PATH}/../ && rmdir $(basename ${REPO_PATH})" pushd ${REPO_PATH} @@ -42,11 +42,11 @@ gcloud compute scp --ssh-key-file=${CI_ROOT}/login.ssh \ --zone=${host_zone} \ --project=${gcp_project} > /dev/null -gcloud_ssh "cd ${REPO_PATH}; export TMP_ENV_CI=tmp.env.ci; export COMPOSE_PROJECT_NAME=${REPO_PATH}; docker compose pull; docker compose -f docker-compose.yml up ${TEST_CONTAINER}" +gcloud_ssh "cd ${REPO_PATH}; export TMP_ENV_CI=tmp.env.ci; export COMPOSE_PROJECT_NAME=$(basename ${REPO_PATH}); source .envrc || true; docker compose pull; docker compose -f docker-compose.yml up ${TEST_CONTAINER} --attach ${TEST_CONTAINER} 2>&1" container_id=$(gcloud_ssh "docker ps -q -f status=exited -f name=${PWD##*/}-${TEST_CONTAINER}-") test_status=$(gcloud_ssh "docker inspect $container_id --format='{{.State.ExitCode}}'") -gcloud_ssh "cd ${REPO_PATH}; docker compose down --remove-orphans --timeout 1" +gcloud_ssh "cd ${REPO_PATH}; export COMPOSE_PROJECT_NAME=$(basename ${REPO_PATH}); docker compose down --remove-orphans --timeout 1" exit $test_status
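Review bot: `${REPO_PATH}` is expanded by the local shell, unquoted, into the remote command that runs `sudo rm -rf ${REPO_PATH}`. A value containing spaces or shell metacharacters therefore changes what is removed as root on the docker host, and an unset value is not caught here. Failing fast and quoting on the remote side would bound this, e.g. `sudo rm -rf '${REPO_PATH:?}' || true`. The `$(basename ${REPO_PATH})` at the end of the line is likewise evaluated locally before the string is sent. A short comment that the `mkdir -p ... && rmdir ...` sequence appears only to ensure the parent directory exists would help the next reader.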
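Review bot: `source .envrc || true` runs the repository's `.envrc` directly in the SSH session on the docker host, outside any container, and then ignores the result. If this pipeline ever builds branches from untrusted contributors, that file is host-level code execution, and in any case a broken `.envrc` lets the tests proceed with a partial environment. Tolerating only the missing-file case, `[ ! -f .envrc ] || source .envrc || exit 1`, keeps the convenience without hiding errors. Separately, the project name is now `$(basename ${REPO_PATH})` while the `container_id` lookup in the context lines still filters on `${PWD##*/}`. The two agree only while the working directory is `${REPO_PATH}`, so using one expression for both would be safer.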