diff --git a/.github/actions/build-custom-melange-package/action.yml b/.github/actions/build-custom-melange-package/action.yml
index adacedd588..ea2408d879 100644
--- a/.github/actions/build-custom-melange-package/action.yml
+++ b/.github/actions/build-custom-melange-package/action.yml
@@ -46,32 +46,52 @@ runs:
 # build the melange package
- - name: template melange config
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.23'
+
+ - name: install melange
 shell: bash
 run: |
- export GIT_TAG=${{ inputs.git-tag }}
- envsubst '${GIT_TAG}' < ${{ inputs.context }}/melange.yaml.tmpl > ${{ inputs.context }}/melange.yaml
+ sudo apt install -y make
+ make melange
- - uses: chainguard-dev/actions/melange-build@main
- with:
- config: ${{ inputs.context }}/melange.yaml
- archs: ${{ inputs.arch }}
- git-commit: ${{ github.sha }}
- git-repo-url: ${{ github.server_url }}/${{ github.repository }}
- sign-with-temporary-key: true
+ # TODO: the bubblewrap package available from "apt install"
+ # is outdated and missing newer features such as --clearenv flag,
+ # so instead we download the wolfi .apk and use the binary in there
+ - name: 'Install dependencies (bubblewrap)'
+ shell: bash
+ run: |
+ sudo apt install -y libcap-dev meson ninja-build
+ git clone https://github.com/containers/bubblewrap
+ pushd bubblewrap
+ meson --prefix=/usr -Drequire_userns=true . output
+ cd output
+ ninja
+ sudo ninja install
+ popd
+ rm -rf bubblewrap
+
+ - name: build melange package
+ shell: bash
+ run: |
+ make melange-build \
+ MELANGE_CONFIG=${{ inputs.context }}/melange.yaml.tmpl \
+ ARCHS=${{ inputs.arch }} \
+ GIT_TAG=${{ inputs.git-tag }}
 # upload artifacts generated by the melange build so they can later be used by apko
 - name: rename melange.rsa.pub
 shell: bash
- run: mv melange.rsa.pub melange-${{ inputs.arch }}.rsa.pub
+ run: mv build/melange.rsa.pub build/melange-${{ inputs.arch }}.rsa.pub
 - uses: actions/upload-artifact@v4
 with:
 name: ${{ inputs.component }}-melange-packages-${{ inputs.arch }}
- path: ./packages
+ path: ./build/packages
 - uses: actions/upload-artifact@v4
 with:
 name: ${{ inputs.component }}-melange-rsa-pub-${{ inputs.arch }}
- path: ./melange-${{ inputs.arch }}.rsa.pub
+ path: ./build/melange-${{ inputs.arch }}.rsa.pub
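Review bot: The bubblewrap step runs `git clone https://github.com/containers/bubblewrap` with no tag or commit and then `sudo ninja install`, so whatever sits at the head of the default branch when the job runs becomes a root-installed binary on the runner that goes on to build and sign the packages. Pin the checkout to a reviewed revision, for example `git clone --depth 1 --branch <RELEASE_TAG> https://github.com/containers/bubblewrap` (placeholder tag) or a `git checkout <COMMIT_SHA>` right after the clone. The TODO above the step says the wolfi .apk is downloaded, while the step builds from source; the comment should describe what the step actually does. Separately, the `make melange-build` step pastes `${{ inputs.context }}`, `${{ inputs.arch }}` and `${{ inputs.git-tag }}` directly into the bash script text; passing them through the step's `env:` and referencing them quoted (`GIT_TAG="$GIT_TAG"`) keeps a crafted tag or path from being parsed as shell.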
diff --git a/Makefile b/Makefile
index 744437e79f..d173a861dd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,5 @@
 include Makefile.build.mk
+include common.mk
 CURRENT_USER := $(shell id -u -n)
 MINIO_TAG ?= 0.20241107.005220-r0
 RQLITE_TAG ?= 8.34.0-r0
diff --git a/common.mk b/common.mk
new file mode 100644
index 0000000000..29dbe864a5
--- /dev/null
+++ b/common.mk
@@ -0,0 +1,128 @@
+SHELL := /bin/bash
+
+ARCH ?= $(shell go env GOARCH)
+CURRENT_USER := $(if $(GITHUB_USER),$(GITHUB_USER),$(shell id -u -n))
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+ mkdir -p $(LOCALBIN)
+
+## Tool Binaries
+MELANGE ?= $(LOCALBIN)/melange
+APKO ?= $(LOCALBIN)/apko
+
+## Version to use for building
+VERSION ?= $(shell git describe --tags --match='[0-9]*.[0-9]*.[0-9]*')
+
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+image-tag = $(shell echo "$1" | sed 's/+/-/')
+
+.PHONY: print-%
+print-%:
+ @echo -n $($*)
+
+.PHONY: check-env-%
+check-env-%:
+ @ if [ "${${*}}" = "" ]; then \
+ echo "Environment variable $* not set"; \
+ exit 1; \
+ fi
+
+melange: $(MELANGE)
+$(MELANGE): $(LOCALBIN)
+ go install chainguard.dev/melange@latest && \
+ test -s $(GOBIN)/melange && \
+ ln -sf $(GOBIN)/melange $(LOCALBIN)/melange
+
+apko: $(APKO)
+$(APKO): $(LOCALBIN)
+ go install chainguard.dev/apko@latest && \
+ test -s $(GOBIN)/apko && \
+ ln -sf $(GOBIN)/apko $(LOCALBIN)/apko
+
+CHAINGUARD_TOOLS_USE_DOCKER = 0
+ifeq ($(CHAINGUARD_TOOLS_USE_DOCKER),"1")
+MELANGE_CACHE_DIR ?= /go/pkg/mod
+APKO_CMD = docker run -v $(shell pwd):/work -w /work -v $(shell pwd)/build/.docker:/root/.docker cgr.dev/chainguard/apko
+MELANGE_CMD = docker run --privileged --rm -v $(shell pwd):/work -w /work -v "$(shell go env GOMODCACHE)":${MELANGE_CACHE_DIR} cgr.dev/chainguard/melange
+else
+MELANGE_CACHE_DIR ?= cache/.melange-cache
+APKO_CMD = apko
+MELANGE_CMD = melange
+endif
+
+$(MELANGE_CACHE_DIR):
+ mkdir -p $(MELANGE_CACHE_DIR)
+
+.PHONY: apko-build
+apko-build: ARCHS ?= $(ARCH)
+apko-build: check-env-IMAGE apko-template
+ cd build && ${APKO_CMD} \
+ build apko.yaml ${IMAGE} apko.tar \
+ --arch ${ARCHS}
+
+.PHONY: apko-build-and-publish
+apko-build-and-publish: ARCHS ?= $(ARCH)
+apko-build-and-publish: check-env-IMAGE apko-template
+ @bash -c 'set -o pipefail && cd build && ${APKO_CMD} publish apko.yaml ${IMAGE} --arch ${ARCHS} | tee digest'
+ $(MAKE) apko-output-image
+
+.PHONY: apko-login
+apko-login:
+ rm -f build/.docker/config.json
+ @ { [ "${PASSWORD}" = "" ] || [ "${USERNAME}" = "" ] ; } || \
+ ${APKO_CMD} \
+ login -u "${USERNAME}" \
+ --password "${PASSWORD}" "${REGISTRY}"
+
+.PHONY: apko-print-pkg-version
+apko-print-pkg-version: ARCHS ?= $(ARCH)
+apko-print-pkg-version: apko-template check-env-PACKAGE_NAME
+ cd build && \
+ ${APKO_CMD} show-packages apko.yaml --arch=${ARCHS} | \
+ grep ${PACKAGE_NAME} | \
+ cut -s -d" " -f2 | \
+ head -n1
+
+.PHONY: apko-output-image
+apko-output-image: check-env-IMAGE
+ @digest=$$(cut -s -d'@' -f2 build/digest); \
+ if [ -z "$$digest" ]; then \
+ echo "error: no image digest found" >&2; \
+ exit 1; \
+ fi ; \
+ echo "$(IMAGE)@$$digest" > build/image
+
+.PHONY: melange-build
+melange-build: ARCHS ?= $(ARCH)
+melange-build: MELANGE_SOURCE_DIR ?= .
+melange-build: $(MELANGE_CACHE_DIR) melange-template
+ mkdir -p build
+ ${MELANGE_CMD} \
+ keygen build/melange.rsa
+ ${MELANGE_CMD} \
+ build build/melange.yaml \
+ --arch ${ARCHS} \
+ --signing-key build/melange.rsa \
+ --cache-dir=$(MELANGE_CACHE_DIR) \
+ --source-dir $(MELANGE_SOURCE_DIR) \
+ --out-dir build/packages \
+ --git-repo-url github.com/replicatedhq/kots
+
+
+.PHONY: melange-template
+melange-template: check-env-MELANGE_CONFIG check-env-GIT_TAG
+ mkdir -p build
+ envsubst '$${GIT_TAG}' < ${MELANGE_CONFIG} > build/melange.yaml
+
+.PHONY: apko-template
+apko-template: check-env-APKO_CONFIG check-env-GIT_TAG
+ mkdir -p build
+ envsubst '$${GIT_TAG}' < ${APKO_CONFIG} > build/apko.yaml
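Review bot: The `$(MELANGE)` and `$(APKO)` rules install with `go install chainguard.dev/melange@latest` and `go install chainguard.dev/apko@latest`, so the tools that generate the signing key and assemble the packages and image are whatever version is newest when the job runs; a variable such as `MELANGE_VERSION ?= <PINNED_VERSION>` (placeholder) used as `go install chainguard.dev/melange@$(MELANGE_VERSION)`, and the same for apko, would make the toolchain reviewable and repeatable. The Docker branch has the same exposure through the untagged `cgr.dev/chainguard/apko` and `cgr.dev/chainguard/melange` images, the latter started with `--privileged`; pinning them by digest fits there. That branch also looks unreachable as written, because make does not strip quotes inside `ifeq (...)`, so `ifeq ($(CHAINGUARD_TOOLS_USE_DOCKER),"1")` matches only a value that literally contains the quote characters; `ifeq ($(CHAINGUARD_TOOLS_USE_DOCKER),1)` with a `?=` default is probably what was intended. In `apko-login`, `--password "${PASSWORD}"` places the secret on the command line, where other processes on the host can read it; if the installed apko accepts `--password-stdin`, piping the value in avoids that.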