diff --git a/.github/workflows/bin.yml b/.github.old/workflows/bin.yml
similarity index 100%
rename from .github/workflows/bin.yml
rename to .github.old/workflows/bin.yml
diff --git a/.github/workflows/ci.yml b/.github.old/workflows/ci.yml
similarity index 100%
rename from .github/workflows/ci.yml
rename to .github.old/workflows/ci.yml
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
new file mode 100644
index 0000000..aa7e593
--- /dev/null
+++ b/.github/workflows/bootstrap.yml
@@ -0,0 +1,37 @@
+name: bootstrap
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'hadolint/**'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'hadolint/**'
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: hadolint
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install QEMU static binaries
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+          password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/bake-action@v4
+        with:
+          push: true
diff --git a/hadolint/Containerfile b/hadolint/Containerfile
new file mode 100644
index 0000000..72a8778
--- /dev/null
+++ b/hadolint/Containerfile
@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1
+ARG CONTAINER_REGISTRY=docker.io
+FROM $CONTAINER_REGISTRY/ubuntu:jammy-20231004 as base
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN <<EOF
+  apt-get update
+  apt-get install --no-install-recommends -y \
+    ca-certificates \
+    curl \
+    xz-utils
+  rm -rf /var/lib/apt/lists/*
+  dpkgArch="$(dpkg --print-architecture)"
+  case "${dpkgArch##*-}" in \
+    amd64) \
+      HADOLINT_URL=https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
+      HADOLINT_SHA256='56de6d5e5ec427e17b74fa48d51271c7fc0d61244bf5c90e828aab8362d55010' \
+      ;; \
+    arm64) \
+      HADOLINT_URL=https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-arm64 \
+      HADOLINT_SHA256='5798551bf19f33951881f15eb238f90aef023f11e7ec7e9f4c37961cb87c5df6' \
+      ;; \
+    *) echo "unsupported architecture"; exit 1 ;; \
+  esac
+  curl -fsSL -o /usr/local/bin/hadolint -L ${HADOLINT_URL}
+  chmod +x /usr/local/bin/hadolint
+  echo "${HADOLINT_SHA256} /usr/local/bin/hadolint" | sha256sum -c -
+EOF
+
+FROM base as lint
+COPY --from=base --chmod=777 /usr/local/bin/hadolint /usr/local/bin/hadolint
+COPY Containerfile /
+
+RUN /usr/local/bin/hadolint --ignore DL3008 --ignore DL3033 --ignore DL3059 Containerfile
+
+FROM base as release
+COPY --from=base --chmod=777 /usr/local/bin/hadolint /bin/hadolint
+CMD ["/bin/hadolint", "-"]
diff --git a/hadolint/README.md b/hadolint/README.md
new file mode 100644
index 0000000..87873ec
--- /dev/null
+++ b/hadolint/README.md
@@ -0,0 +1,76 @@
+# hadolint
+
+Hadolint is a linter for Containerfiles/Dockerfiles. It helps you build [best practice](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) container images. 
+
+We use this during the `lint` phase of our CI pipelines for container images.
+
+This image packages releases from https://github.com/hadolint/hadolint
+
+Image source: https://github.com/boxcutter/oci/tree/main/bootstrap/hadolint
+
+# Using hadolint
+
+To lint a `Containerfile` just pipe it to `docker run`:
+
+```bash
+docker container run --rm -i docker.io/boxcutter/hadolint < Containerfile
+```
+
+# CLI
+
+```bash
+docker container run --rm -i docker.io/boxcutter/hadolint hadolint --help
+hadolint - Dockerfile Linter written in Haskell
+
+Usage: hadolint [-v|--version] [-c|--config FILENAME] [DOCKERFILE...]
+                [--file-path-in-report FILEPATHINREPORT] [--no-fail]
+                [--no-color] [-V|--verbose] [-f|--format ARG] [--error RULECODE]
+                [--warning RULECODE] [--info RULECODE] [--style RULECODE]
+                [--ignore RULECODE]
+                [--trusted-registry REGISTRY (e.g. docker.io)]
+                [--require-label LABELSCHEMA (e.g. maintainer:text)]
+                [--strict-labels] [--disable-ignore-pragma]
+                [-t|--failure-threshold THRESHOLD]
+
+  Lint Dockerfile for errors and best practices
+
+Available options:
+  -h,--help                Show this help text
+  -v,--version             Show version
+  -c,--config FILENAME     Path to the configuration file
+  --file-path-in-report FILEPATHINREPORT
+                           The file path referenced in the generated report.
+                           This only applies for the 'checkstyle' format and is
+                           useful when running Hadolint with Docker to set the
+                           correct file path.
+  --no-fail                Don't exit with a failure status code when any rule
+                           is violated
+  --no-color               Don't colorize output
+  -V,--verbose             Enables verbose logging of hadolint's output to
+                           stderr
+  -f,--format ARG          The output format for the results [tty | json |
+                           checkstyle | codeclimate | gitlab_codeclimate | gnu |
+                           codacy | sonarqube | sarif] (default: tty)
+  --error RULECODE         Make the rule `RULECODE` have the level `error`
+  --warning RULECODE       Make the rule `RULECODE` have the level `warning`
+  --info RULECODE          Make the rule `RULECODE` have the level `info`
+  --style RULECODE         Make the rule `RULECODE` have the level `style`
+  --ignore RULECODE        A rule to ignore. If present, the ignore list in the
+                           config file is ignored
+  --trusted-registry REGISTRY (e.g. docker.io)
+                           A docker registry to allow to appear in FROM
+                           instructions
+  --require-label LABELSCHEMA (e.g. maintainer:text)
+  The option --require-label=label:format makes
+  Hadolint check that the label `label` conforms to
+  format requirement `format`
+  --strict-labels          Do not permit labels other than specified in
+  `label-schema`
+  --disable-ignore-pragma  Disable inline ignore pragmas `# hadolint
+  ignore=DLxxxx`
+  -t,--failure-threshold THRESHOLD
+  Exit with failure code only when rules with a
+  severity equal to or above THRESHOLD are violated.
+  Accepted values: [error | warning | info | style |
+  ignore | none] (default: info)
+```
\ No newline at end of file
diff --git a/hadolint/docker-bake.hcl b/hadolint/docker-bake.hcl
new file mode 100644
index 0000000..a9b2517
--- /dev/null
+++ b/hadolint/docker-bake.hcl
@@ -0,0 +1,45 @@
+variable "IMAGE_NAME" {
+  default = "hadolint"
+}
+
+variable "VERSION" {
+  default = "2.12.0"
+}
+
+variable "CONTAINER_REGISTRY" {
+  default = "docker.io/boxcutter"
+}
+
+# There's no darwin-based Docker, so if we're running on macOS, change the platform to linux
+variable "LOCAL_PLATFORM" {
+  default = regex_replace("${BAKE_LOCAL_PLATFORM}", "^(darwin)", "linux")
+}
+
+target "_common" {
+  dockerfile = "Containerfile"
+  tags = [
+    # docker.io/boxcuter/hadolint:x.x.x
+    "${CONTAINER_REGISTRY}/${IMAGE_NAME}:${VERSION}",
+    "${CONTAINER_REGISTRY}/${IMAGE_NAME}:latest"
+  ]
+}
+
+target "lint" {
+  dockerfile = "Containerfile"
+  target = "lint"
+  output = ["type=cacheonly"]
+}
+
+target "local" {
+  inherits = ["_common"]
+  platforms = ["${LOCAL_PLATFORM}"]
+}
+
+group "default" {
+  targets = ["lint", "release"]
+}
+
+target "release" {
+  inherits = ["_common"]
+  platforms = ["linux/amd64", "linux/arm64/v8"]
+}