diff --git a/.github/workflows/on_merge.yaml b/.github/workflows/on_merge.yaml
new file mode 100644
index 00000000..333f905b
--- /dev/null
+++ b/.github/workflows/on_merge.yaml
@@ -0,0 +1,85 @@
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release-docker:
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      matrix:
+        platform:
+          - { earthly: linux/arm64, suffix: linux-arm64 }
+          - { earthly: linux/amd64, suffix: linux-amd64 }
+
+    steps:
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v1
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+        if: matrix.platform == 'linux/arm64'
+
+      - uses: actions/checkout@v3
+
+      - uses: wistia/parse-tool-versions@v1.0
+
+      - uses: earthly/actions-setup@v1
+        with: { version: "v${{ env.EARTHLY_TOOL_VERSION }}" }
+
+      - name: extract sha
+        run: |
+          echo "GIT_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+      - name: login to registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push the Docker image
+        run: |
+          earthly \
+            --platform ${{ matrix.platform.earthly }} \
+            --push \
+            +docker-dev \
+              --HELM_VERSION=${{ env.HELM_TOOL_VERSION }} \
+              --KUSTOMIZE_VERSION=${{ env.KUSTOMIZE_TOOL_VERSION }} \
+              --GIT_TAG=main-${{ matrix.platform.suffix }} \
+              --GIT_COMMIT=${{ env.GIT_COMMIT }} \
+              --CI_REGISTRY_IMAGE=ghcr.io/${{ github.repository_owner }}/kubechecks
+
+  release-multiarch:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - release-docker
+
+    permissions:
+      packages: write
+
+    steps:
+      - name: extract sha
+        run: |
+          echo "GIT_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+      - name: login to registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: int128/docker-manifest-create-action@v1
+        with:
+          tags: ghcr.io/${{ github.repository_owner }}/kubechecks:${{ env.GIT_RELEASE_TAG }}
+          suffixes: |
+            -linux-amd64
+            -linux-arm64
diff --git a/.github/workflows/on_pull-request_helm.yaml b/.github/workflows/on_pull-request_helm.yaml
index f3efe2b2..4823e185 100644
--- a/.github/workflows/on_pull-request_helm.yaml
+++ b/.github/workflows/on_pull-request_helm.yaml
@@ -6,10 +6,6 @@ on:
       - 'Earthfile'
       - 'charts/**'
 
-env:
-  EARTHLY_TOOL_VERSION: 0.7
-  GOLANG_TOOL_VERSION: 1.19.3
-  
 jobs:
   ci-helm:
     runs-on: ubuntu-22.04
@@ -21,4 +17,9 @@ jobs:
       - uses: earthly/actions-setup@v1
         with: { version: "v${{ env.EARTHLY_TOOL_VERSION }}" }
 
-      - run: earthly +ci-helm
\ No newline at end of file
+      - run: |
+          earthly \
+            +ci-helm \
+            --HELM_VERSION=${{ env.HELM_TOOL_VERSION }} \
+            --CHART_TESTING_VERSION=${{ env.HELM-CT_TOOL_VERSION }} \
+            --KUBECONFORM_VERSION=${{ env.KUBECONFORM_TOOL_VERSION }}
diff --git a/.github/workflows/on_tag.yaml b/.github/workflows/on_tag.yaml
index 2e0834f8..8a2775e5 100644
--- a/.github/workflows/on_tag.yaml
+++ b/.github/workflows/on_tag.yaml
@@ -49,9 +49,9 @@ jobs:
         with:
           image: tonistiigi/binfmt:latest
           platforms: all
+        if: matrix.platform == 'linux/arm64'
 
-      - name: checkout the source code
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v3
 
       - uses: wistia/parse-tool-versions@v1.0
 
@@ -60,7 +60,7 @@ jobs:
 
       - name: extract tag and sha
         run: |
-          echo "GIT_SHA_SHORT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+          echo "GIT_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
           echo "GIT_RELEASE_TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
       - name: login to registry
@@ -75,9 +75,11 @@ jobs:
           earthly \
             --platform ${{ matrix.platform.earthly }} \
             --push \
-            +docker \
+            +docker-tag \
+              --HELM_VERSION=${{ env.HELM_TOOL_VERSION }} \
+              --KUSTOMIZE_VERSION=${{ env.KUSTOMIZE_TOOL_VERSION }} \
               --GIT_TAG=${{ env.GIT_RELEASE_TAG }}-${{ matrix.platform.suffix }} \
-              --GIT_COMMIT=${{ env.GIT_SHA_SHORT }} \
+              --GIT_COMMIT=${{ env.GIT_COMMIT }} \
               --CI_REGISTRY_IMAGE=ghcr.io/${{ github.repository_owner }}/kubechecks
 
   release-multiarch:
diff --git a/.tool-versions b/.tool-versions
index dbb00c57..8f571f07 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,4 +1,7 @@
-tilt 0.33.1
+earthly 0.7.12
 golang 1.19.11
-kustomize 4.5.7
-earthly 0.7.4
+helm 3.12.2
+helm-ct 3.8.0
+kubeconform 0.6.3
+kustomize 5.1.0
+tilt 0.33.2
diff --git a/Earthfile b/Earthfile
index 6e2bbacd..574cd8d9 100644
--- a/Earthfile
+++ b/Earthfile
@@ -70,6 +70,7 @@ docker:
     RUN apt update && apt install -y ca-certificates curl git
 
     WORKDIR /tmp
+    ARG KUSTOMIZE_VERSION=4.5.7
     RUN \
         curl \
             --fail \
@@ -79,7 +80,9 @@ docker:
             "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" \
             --output install_kustomize.sh && \
         chmod 700 install_kustomize.sh && \
-        ./install_kustomize.sh 4.5.7 /usr/local/bin
+        ./install_kustomize.sh ${KUSTOMIZE_VERSION} /usr/local/bin
+
+    ARG HELM_VERSION=3.10.0
     RUN \
         curl \
             --fail \
@@ -89,7 +92,7 @@ docker:
             "https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3" \
             --output get-helm-3.sh && \
         chmod 700 get-helm-3.sh && \
-        ./get-helm-3.sh -v v3.10.0
+        ./get-helm-3.sh -v v${HELM_VERSION}
 
     RUN mkdir /app
 
@@ -102,12 +105,19 @@ docker:
 
     CMD ["./kubechecks", "controller"]
 
+docker-dev:
+    FROM +docker
+
+    ARG CI_REGISTRY_IMAGE="ghcr.io/zapier/kubechecks"
+    SAVE IMAGE --push $CI_REGISTRY_IMAGE:dev
+
+docker-tag:
+    FROM +docker
+
     ARG CI_REGISTRY_IMAGE="ghcr.io/zapier/kubechecks"
     ARG --required GIT_TAG
-    ARG --required GIT_COMMIT
 
     SAVE IMAGE --push $CI_REGISTRY_IMAGE:latest
-    SAVE IMAGE --push $CI_REGISTRY_IMAGE:$GIT_COMMIT
     SAVE IMAGE --push $CI_REGISTRY_IMAGE:$GIT_TAG
 
 dlv:
@@ -120,7 +130,7 @@ dlv:
 
 docker-debug:
     ARG CI_REGISTRY_IMAGE="kubechecks"
-    FROM +docker --GIT_TAG=debug --GIT_COMMIT=abcdef --CI_REGISTRY_IMAGE=$CI_REGISTRY_IMAGE
+    FROM +docker --GIT_TAG=debug --GIT_COMMIT=abcdef
 
     COPY (+dlv/dlv --GOARCH=$GOARCH --VARIANT=$TARGETVARIANT) /usr/local/bin/dlv
 
@@ -152,12 +162,10 @@ lint-golang:
 
 test-helm:
     ARG CHART_TESTING_VERSION="3.7.1"
-    ARG HELM_VERSION="3.8.1"
-    ARG HELM_UNITTEST_VERSION="0.3.3"
-    ARG KUBECONFORM_VERSION="0.5.0"
     FROM quay.io/helmpack/chart-testing:v${CHART_TESTING_VERSION}
 
     # install kubeconform
+    ARG KUBECONFORM_VERSION="0.5.0"
     RUN FILE=kubeconform.tgz \
         && URL=https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz \
         && wget ${URL} \
@@ -169,9 +177,11 @@ test-helm:
             --file ${FILE} \
         && kubeconform -v
 
+    ARG HELM_UNITTEST_VERSION="0.3.3"
     RUN apk add --no-cache bash git \
         && helm plugin install --version "${HELM_UNITTEST_VERSION}" https://github.com/helm-unittest/helm-unittest \
         && helm unittest --help
+
     # actually lint the chart
     WORKDIR /src
     COPY . /src
@@ -180,10 +190,9 @@ test-helm:
 
 release-helm:
     ARG CHART_RELEASER_VERSION="1.6.0"
-    ARG HELM_VERSION="3.8.1"
-    ARG token=""
     FROM quay.io/helmpack/chart-releaser:v${CHART_RELEASER_VERSION}
 
+    ARG HELM_VERSION="3.8.1"
     RUN FILE=helm.tgz \
         && URL=https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz \
         && wget ${URL} \
diff --git a/pkg/affected_apps/best_effort_test.go b/pkg/affected_apps/best_effort_test.go
index 2fd24661..0fb3ce82 100644
--- a/pkg/affected_apps/best_effort_test.go
+++ b/pkg/affected_apps/best_effort_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/zapier/kubechecks/pkg/app_directory"
 )
 
@@ -158,13 +159,40 @@ func TestBestEffortMatcher(t *testing.T) {
 
 			matcher := NewBestEffortMatcher(tt.args.repoName, testRepoFiles)
 			got, err = matcher.AffectedApps(context.TODO(), tt.args.fileList)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
-			assert.Equal(t, tt.want, got, "GenerateListOfAffectedApps not equal")
+			assert.Equal(t, len(tt.want.Applications), len(got.Applications))
+			assert.Equal(t, len(tt.want.ApplicationSets), len(got.ApplicationSets))
+
+			// ordering doesn't matter, we just want to make sure the items all exist
+			wantAppsMap := listToMap(tt.want.Applications, appStubKey)
+			gotAppsMap := listToMap(got.Applications, appStubKey)
+			assert.Equal(t, wantAppsMap, gotAppsMap, "Applications not equal")
+
+			wantAppSetsMap := listToMap(tt.want.ApplicationSets, appSetKey)
+			gotAppSetsMap := listToMap(got.ApplicationSets, appSetKey)
+			assert.Equal(t, wantAppSetsMap, gotAppSetsMap, "ApplicationSets not equal")
 		})
 	}
 }
 
+func appSetKey(item ApplicationSet) string {
+	return item.Name
+}
+
+func appStubKey(stub app_directory.ApplicationStub) string {
+	return stub.Name
+}
+
+func listToMap[T any](items []T, makeKey func(T) string) map[string]T {
+	result := make(map[string]T)
+	for _, item := range items {
+		key := makeKey(item)
+		result[key] = item
+	}
+	return result
+}
+
 var testRepoFiles = []string{
 	"apps/echo-server/foo-eks-01/Chart.yaml",
 	"apps/echo-server/foo-eks-01/values.yaml",