diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 84c87d6..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: "docker"
- directory: "/"
- schedule:
- interval: "weekly"
diff --git a/.github/workflows/update-ubuntu-sha.yaml b/.github/workflows/update-ubuntu-sha.yaml
new file mode 100644
index 0000000..0f41a2b
--- /dev/null
+++ b/.github/workflows/update-ubuntu-sha.yaml
@@ -0,0 +1,32 @@
+name: Update SHA of latest ubuntu images
+# This is to workaround the 3mo timeout for GHA scheduled actions on repos with
+# no new commits, by automatically creating new commits.
+on:
+ schedule:
+ # check for a new ubuntu image every week at 04:17am on mondays
+ - cron: "17 04 * * 1"
+ # let us manually trigger a build
+ workflow_dispatch:
+env:
+ BASE_IMAGE_NAME: base-docker
+ ACTION_IMAGE_NAME: base-action
+jobs:
+ update:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@master
+ - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
+ - name: update SHAs
+ run: just update-docker-shas
+ - name: Commit file
+ run: |
+ git status
+ git add "*.sha"
+ if git diff-index --quiet HEAD; then
+ exit
+ fi
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+ git commit -m "Update base image SHA files"
+ git push origin
diff --git a/Dockerfile b/Dockerfile
index 1822776..91ec2a1 100644
--- a/Dockerfile
+++ b/Dockerfile
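Review bot: `uses: actions/checkout@master` in the new workflow tracks a mutable branch in a job that later runs `git push origin`, so whatever lands on that branch executes with this workflow's token. Pin it to a full commit SHA the same way `extractions/setup-just` is pinned on the following step, e.g. `uses: actions/checkout@<full-commit-sha>  # <release-tag>`. The workflow also has no `permissions:` block, so the token scope falls back to the repository default; the only write the job needs is the push, and a job-level `permissions:` with `contents: write` would state that explicitly.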
@@ -1,16 +1,10 @@ # syntax=docker/dockerfile:1.10 # enable docker linting # check=error=true - -# this must come before FROM lines -ARG UBUNTU_VERSION=ubuntu-20.04 - -# Include each version with sha so that dependabot can update them -FROM ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214 AS ubuntu-20.04 -FROM ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1 AS ubuntu-22.04 -FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS ubuntu-24.04 - -FROM $UBUNTU_VERSION AS base-docker +ARG UBUNTU_VERSION=ubuntu:20.04 +# we are parameterizing the base image, so we can't be explicit like DL3006 wants us to be +# hadolint ignore=DL3006 +FROM $UBUNTU_VERSION as base-docker # default env vars ENV container=docker DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 LC_ALL=C.UTF-8 diff --git a/Justfile b/Justfile index 72c3043..72d4325 100644 --- a/Justfile +++ b/Justfile @@ -52,7 +52,17 @@ test: build docker compose run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests "$ACTION_IMAGE_NAME-24.04" ./tests.sh ./check.sh -# publish the images to ghcr.io +# Update the files tracking the SHAs of ubuntu docker image +update-docker-shas: + @just _update-sha "ubuntu:20.04" + @just _update-sha "ubuntu:22.04" + +_update-sha os: + echo {{ os }} + docker image pull {{ os }} + docker inspect --format='{{{{index .RepoDigests 0}}' {{ os }} > {{ os }}.sha + + publish-images: #!/bin/bash set -euo pipefail diff --git a/docker-compose.yaml b/docker-compose.yaml index 8be35a0..ca67651 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
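Review bot: `FROM $UBUNTU_VERSION` now resolves a mutable tag (`ubuntu:20.04` by default, and the `ubuntu:NN.04` build args set in the docker-compose.yaml hunks of this commit), where the removed lines pinned each base image by `@sha256:` digest. The new `ubuntu:*.sha` files record a digest, but nothing visible in this diff feeds them into the build, so the image actually built can differ from the digest committed. Consider passing the file contents as the build arg, e.g. `UBUNTU_VERSION="$(cat ubuntu:20.04.sha)"`; whether the build is wired that way elsewhere is not visible here. Separately, the lowercase `as` next to uppercase `FROM` likely trips the `FromAsCasing` build check, which `# check=error=true` at the top of the file turns into a build failure; `FROM $UBUNTU_VERSION AS base-docker` avoids it.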
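Review bot: `update-docker-shas` refreshes only `ubuntu:20.04` and `ubuntu:22.04`, while docker-compose.yaml in this same commit still builds the 24.04 images, so no digest is ever recorded for that base; add `@just _update-sha "ubuntu:24.04"`. The hunk also drops the `# publish the images to ghcr.io` comment above `publish-images` and gives `_update-sha` none; restoring the former and adding something like `# Pull the given image and write its first RepoDigest to <image>.sha` would keep both recipes documented. The generated file names contain a colon (`ubuntu:20.04.sha`), which cannot be checked out on Windows filesystems; a name such as `ubuntu-20.04.sha` would be safer. The body of `publish-images` continues outside the hunk.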
@@ -23,28 +23,28 @@ services: image: "base-docker:20.04" build: args: - - UBUNTU_VERSION=ubuntu-20.04 + - UBUNTU_VERSION=ubuntu:20.04 base-docker-22.04: extends: base-docker image: "base-docker:22.04" build: args: - - UBUNTU_VERSION=ubuntu-22.04 + - UBUNTU_VERSION=ubuntu:22.04 base-docker-24.04: extends: base-docker image: "base-docker:24.04" build: args: - - UBUNTU_VERSION=ubuntu-24.04 + - UBUNTU_VERSION=ubuntu:24.04 base-action-20.04: extends: base-docker image: "base-action:20.04" build: args: - - UBUNTU_VERSION=ubuntu-20.04 + - UBUNTU_VERSION=ubuntu:20.04 target: base-action base-action-22.04: @@ -52,7 +52,7 @@ services: image: "base-action:22.04" build: args: - - UBUNTU_VERSION=ubuntu-22.04 + - UBUNTU_VERSION=ubuntu:22.04 target: base-action base-action-24.04: @@ -60,7 +60,7 @@ services: image: "base-action:24.04" build: args: - - UBUNTU_VERSION=ubuntu-24.04 + - UBUNTU_VERSION=ubuntu:24.04 target: base-action secrets: diff --git a/ubuntu:20.04.sha b/ubuntu:20.04.sha new file mode 100644 index 0000000..7563a52 --- /dev/null +++ b/ubuntu:20.04.sha @@ -0,0 +1 @@ +ubuntu@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba diff --git a/ubuntu:22.04.sha b/ubuntu:22.04.sha new file mode 100644 index 0000000..e052622 --- /dev/null +++ b/ubuntu:22.04.sha @@ -0,0 +1 @@ +ubuntu@sha256:aabed3296a3d45cede1dc866a24476c4d7e093aa806263c27ddaadbdce3c1054