diff --git a/.github/workflows/factory.yaml b/.github/workflows/factory.yaml
index c04e8f187..c30f0706a 100644
--- a/.github/workflows/factory.yaml
+++ b/.github/workflows/factory.yaml
@@ -43,7 +43,7 @@ jobs:
 run: make ci
 - name: Read some Secrets
- uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
+ uses: rancher-eio/read-vault-secrets@d266f55186f80a893839f6e15662e67388e443e6 # v3
 if: ${{ inputs.push == true }}
 with:
 secrets: |
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index a9f6c985d..711d2569c 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -20,7 +20,7 @@ jobs:
 # The FOSSA token is shared between all repos in Harvester's GH org. It can
 # be used directly and there is no need to request specific access to EIO.
 - name: Read FOSSA token
- uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
+ uses: rancher-eio/read-vault-secrets@d266f55186f80a893839f6e15662e67388e443e6 # v3
 with:
 secrets: |
 secret/data/github/org/harvester/fossa/credentials token | FOSSA_API_KEY_PUSH_ONLY
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
index 98a2dd8f0..479db67fc 100644
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@@ -4,15 +4,10 @@ ARG DAPPER_HOST_ARCH
 ENV HOST_ARCH=${DAPPER_HOST_ARCH} ARCH=${DAPPER_HOST_ARCH}
 RUN zypper -n rm container-suseconnect && \
- zypper -n install git curl docker gzip tar wget awk
+ zypper -n install git curl docker gzip tar wget awk docker-buildx
 ## install golangci
-RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s latest
-
-# The docker version in dapper is too old to have buildx. Install it manually.
-RUN curl -sSfL https://github.com/docker/buildx/releases/download/v0.13.1/buildx-v0.13.1.linux-${ARCH} -o buildx-v0.13.1.linux-${ARCH} && \
- chmod +x buildx-v0.13.1.linux-${ARCH} && \
- mv buildx-v0.13.1.linux-${ARCH} /usr/local/bin/buildx
+COPY --from=golangci/golangci-lint:v2.11.4-alpine@sha256:72bcd68512b4e27540dd3a778a1b7afd45759d8145cfb3c089f1d7af53e718e9 /usr/bin/golangci-lint /usr/local/bin/golangci-lint
 ## install controller-gen
 RUN go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.18.0
diff --git a/Makefile b/Makefile
index 5d7b47efd..109983ebc 100644
--- a/Makefile
+++ b/Makefile
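Review bot: The `COPY --from=golangci/golangci-lint:v2.11.4-alpine@sha256:...` line in Dockerfile.dapper pins by digest, but nothing in the hunk records whether that digest is the multi-arch image index or a single-platform manifest. This image is built per `${ARCH}` (set from `DAPPER_HOST_ARCH`), so a platform-specific digest would copy a binary of the wrong architecture on arm64 hosts; confirm it and say so in a comment above the line, for example `# digest is the multi-arch index for v2.11.4-alpine; bump tag and digest together`. The binary is also taken from an Alpine-based image into a zypper-based one, so it presumably has to be statically linked; running `golangci-lint --version` in a following `RUN` would catch both problems at build time. The hunk's context is truncated, so the base image is not visible here.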
@@ -1,8 +1,19 @@
 TARGETS := $(shell ls scripts)
+SHA512SUM_Linux_aarch64 := 781951b31e5ff018a04e755c6da7163b31a81edda61f1bed4def8d0e24229865c58a3d26aa0cc4184058d91ebcae300ead2cad16d3c46ccb1098419e3e41a016
+SHA512SUM_Linux_x86_64 := d2ec27ecf9362e2fafd27d76d85a5c5b92b53aefe07cffa76bf9887db6bee07b1023cca8fc32a2c9bdd2ecfadaee71397066b41bd37c9ebbbbce09913f0884d4
+SHA512SUM_Darwin_arm64 := 8a356c89ad32af1698ae8615a6e303773a8ac58b114368454d59965ec2aa8282e780d1e228d37c301ce6f87596f68bfe7f204eb5f4c019c386a58dd94153ddcf
+SHA512SUM_Darwin_x86_64 := dbab05de04dda26793f4ae7875d0fba96ee54b0228e192fd40c0b2116ed345b5444047fc2e0c90cb481f28cbe0e0452bcecb268c8d074cd8615eb2f5463c30b6
+SHA512SUM_Windows_x86_64 := 807aee2f68b6da35cb0885558f5cbc9a6c8747a56c7a200f0e1fcac9e2fd0da570cbb39e48b3192bd1a71805f2ab38fd19d77faebba97a89e5d9a8b430ee429e
+
 .dapper:
 @echo Downloading dapper
- @curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
+ @curl -sL https://releases.rancher.com/dapper/v0.6.0/dapper-`uname -s`-`uname -m` > .dapper.tmp
+ @CHECKSUM=$$(shasum -a 512 .dapper.tmp | awk '{print $$1}'); \
+ if [ "$$CHECKSUM" != "$(SHA512SUM_$(shell uname -s)_$(shell uname -m))" ]; then \
+ echo "Checksum verification failed!"; \
+ exit 1; \
+ fi
 @@chmod +x .dapper.tmp
 @./.dapper.tmp -v
 @mv .dapper.tmp .dapper
diff --git a/ci/scripts/helpers.sh b/ci/scripts/helpers.sh
index b934b920d..cfda372df 100755
--- a/ci/scripts/helpers.sh
+++ b/ci/scripts/helpers.sh
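Review bot: The checksum comparison in the Makefile's `.dapper` recipe can pass with both sides empty. If `shasum` is not installed, `CHECKSUM` is the empty string, and on a platform with no matching `SHA512SUM_<os>_<arch>` variable the expected value expands to nothing as well, so the `!=` test is false and the recipe goes on to `chmod +x` and run the download. Reject an empty digest explicitly: `if [ -z "$$CHECKSUM" ] || [ "$$CHECKSUM" != "$(SHA512SUM_$(shell uname -s)_$(shell uname -m))" ]; then \`. Using `curl -sfL` would also keep an HTTP error page from being saved as `.dapper.tmp`, and an `rm -f .dapper.tmp;` before `exit 1` avoids leaving the unverified file on disk.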
@@ -2,11 +2,17 @@ TOP_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/" &> /dev/null && pwd )"
+HELM_VERSION=v3.20.0
+HELM_SUM_amd64=dbb4c8fc8e19d159d1a63dda8db655f9ffa4aac1b9a6b188b34a40957119b286
+HELM_SUM_arm64=bfb14953295d5324d47ab55f3dfba6da28d46c848978c8fbf412d4271bdc29f1
+HELM_SUM="HELM_SUM_${ARCH}"
+
 # ensure helm command
 if [[ $(ensure_command helm) -eq 1 ]]; then
 echo "no helm, try to curl..."
- curl -O https://get.helm.sh/helm-v3.9.4-linux-amd64.tar.gz
- tar -zxvf helm-v3.9.4-linux-amd64.tar.gz
+ curl -O https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz
+ echo "${!HELM_SUM}" helm-${HELM_VERSION}-linux-${ARCH}.tar.gz | sha256sum -c -
+ tar xvzf helm-${HELM_VERSION}-linux-${ARCH}.tar.gz
 HELM=$TOP_DIR/linux-amd64/helm
 $HELM version
 else
diff --git a/scripts/package_controller b/scripts/package_controller
index b45d182f7..65e24262e 100755
--- a/scripts/package_controller
+++ b/scripts/package_controller
@@ -14,7 +14,7 @@ if [ -e ${DOCKERFILE}.${ARCH} ]; then
 DOCKERFILE=${DOCKERFILE}.${ARCH}
 fi
-buildx build --load -f ${DOCKERFILE} -t ${IMAGE} .
+docker buildx build --load -f ${DOCKERFILE} -t ${IMAGE} .
 echo Built ${IMAGE}
 if [[ -n ${BUILD_FOR_CI} ]]; then
 docker push ${IMAGE}
diff --git a/scripts/package_webhook b/scripts/package_webhook
index 3ec4665cc..282680157 100755
--- a/scripts/package_webhook
+++ b/scripts/package_webhook
@@ -14,7 +14,7 @@ if [ -e ${DOCKERFILE}.${ARCH} ]; then
 DOCKERFILE=${DOCKERFILE}.${ARCH}
 fi
-buildx build --load -f ${DOCKERFILE} -t ${IMAGE} .
+docker buildx build --load -f ${DOCKERFILE} -t ${IMAGE} .
 echo Built ${IMAGE}
 if [[ -n ${BUILD_FOR_CI} ]]; then
 docker push ${IMAGE}
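Review bot: The exit status of `sha256sum -c -` in ci/scripts/helpers.sh is never checked. Unless the script runs under `set -e` (not visible in this hunk), a digest mismatch only prints a failure, and `tar xvzf` still unpacks the archive and `$HELM version` executes it. Make the failure explicit with `... | sha256sum -c - || exit 1` (or `return 1` if the file is only ever sourced). The context line `HELM=$TOP_DIR/linux-amd64/helm` also stays hard-coded while the tarball is now `linux-${ARCH}`, so on arm64 that path will not exist; `HELM=$TOP_DIR/linux-${ARCH}/helm` matches the download. `ARCH` is not assigned in the visible lines, and the `if` block continues past the end of the hunk.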