diff --git a/.github/actions/cue/action.yml b/.github/actions/cue/action.yml index 82d8d51..857261a 100644 --- a/.github/actions/cue/action.yml +++ b/.github/actions/cue/action.yml @@ -1,3 +1,5 @@ +name: cue +description: check format and validate inputs: data-file: required: true @@ -9,29 +11,24 @@ inputs: runs: using: "composite" steps: - - id: go-env - run: | - echo "GOCACHE=`go env GOCACHE`" >> $GITHUB_OUTPUT - echo "GOMODCACHE=`go env GOMODCACHE`" >> $GITHUB_OUTPUT - shell: bash - - uses: actions/cache@v5 id: cache with: - path: | - ${{ steps.go-env.outputs.GOCACHE }} - ${{ steps.go-env.outputs.GOMODCACHE }} + path: ~/bin/cue key: cue-${{ inputs.cue-version }} - - run: echo "GOBIN=`go env GOPATH`/bin" >> $GITHUB_ENV - shell: bash - - run: echo "PATH=$GOBIN:$PATH" >> $GITHUB_ENV + - if: steps.cache.outputs.cache-hit != 'true' + run: | + mkdir -p ~/bin + curl -L -o cue.tar.gz https://github.com/cue-lang/cue/releases/download/v${{ inputs.cue-version }}/cue_v${{ inputs.cue-version }}_linux_amd64.tar.gz + tar zxf cue.tar.gz + cp cue ~/bin/cue shell: bash - - run: go install cuelang.org/go/cmd/cue@v${{ inputs.cue-version }} + + - run: echo "PATH=~/bin:$PATH" >> $GITHUB_ENV shell: bash - - name: cue fmt - run: cue fmt --check ${{ inputs.schema-file }} + - run: cue fmt --check ${{ inputs.schema-file }} shell: bash - run: cue vet --concrete ${{ inputs.schema-file }} ${{ inputs.data-file }} diff --git a/.github/workflows/check-versions.yml b/.github/workflows/check-versions.yml index c555c0a..c5a7693 100644 --- a/.github/workflows/check-versions.yml +++ b/.github/workflows/check-versions.yml @@ -44,7 +44,7 @@ jobs: - name: conftest uses: ninotosh/check-github-repo-latest-version@v1 with: - release: open-policy-agent/conftest@v0.66 + release: open-policy-agent/conftest@v0.67 github_token: ${{ secrets.GITHUB_TOKEN }} - name: setup-terraform diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index a63c534..06850c1 100644 
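Review bot: The new download step in `.github/actions/cue/action.yml` unpacks and installs `cue.tar.gz` without checking its integrity. The binary is then saved by `actions/cache` under `cue-${{ inputs.cue-version }}`, so a single tampered or truncated download would be reused by every later run that hits the cache. Verify a pinned digest between the `curl` and `tar` lines, e.g. `echo "<expected-sha256>  cue.tar.gz" | sha256sum -c -` (placeholder digest, to be taken from the checksums published with the release). The same unverified download is added in `.github/workflows/unit-tests.yml`, `docker/conftest.Dockerfile` and `docker/cue.Dockerfile`. Passing `inputs.cue-version` to the step through `env:` instead of expanding `${{ }}` inside the script would also keep the input out of the shell text.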
--- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -24,8 +24,7 @@ jobs: run: working-directory: terraform env: - CONFTEST_VERSION: 0.66.0 - CONFTEST_DOWNLOAD_DIR: ~/conftest + CONFTEST_VERSION: 0.67.0 steps: - uses: actions/checkout@v6 @@ -33,17 +32,17 @@ jobs: - uses: actions/cache@v5 id: cache with: - path: ${{ env.CONFTEST_DOWNLOAD_DIR }} + path: ~/bin/conftest key: conftest-${{ env.CONFTEST_VERSION }} - if: steps.cache.outputs.cache-hit != 'true' run: | - mkdir -p ${{ env.CONFTEST_DOWNLOAD_DIR }} - cd ${{ env.CONFTEST_DOWNLOAD_DIR }} + mkdir -p ~/bin curl -L -o conftest.tar.gz https://github.com/open-policy-agent/conftest/releases/download/v${{ env.CONFTEST_VERSION }}/conftest_${{ env.CONFTEST_VERSION }}_Linux_x86_64.tar.gz tar zxf conftest.tar.gz + cp conftest ~/bin/conftest - - run: echo "PATH=${{ env.CONFTEST_DOWNLOAD_DIR }}:$PATH" >> $GITHUB_ENV + - run: echo "PATH=~/bin:$PATH" >> $GITHUB_ENV - run: conftest fmt --check policy diff --git a/docker/conftest.Dockerfile b/docker/conftest.Dockerfile index 062bdcb..35ec74f 100644 --- a/docker/conftest.Dockerfile +++ b/docker/conftest.Dockerfile 
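Review bot: In `.github/workflows/unit-tests.yml` the line `echo "PATH=~/bin:$PATH" >> $GITHUB_ENV` stores a literal `~/bin`, because a tilde inside double quotes is not expanded. As far as I can tell, `conftest` is then found only because bash expands a leading tilde in PATH entries during command lookup, which other programs that spawn it will not do. The supported way to extend the path is `- run: echo "$HOME/bin" >> "$GITHUB_PATH"`, and the same applies to the identical step added in `.github/actions/cue/action.yml`. Separately, the download step no longer changes directory, so `tar zxf conftest.tar.gz` appears to unpack the whole archive into the job's `terraform` working directory. Assuming the binary sits at the archive root, as the `cp conftest` line implies, `tar zxf conftest.tar.gz -C ~/bin conftest` would extract only the binary and make the `cp` unnecessary.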
@@ -2,18 +2,20 @@ ARG IMAGE=ubuntu:24.04 FROM ${IMAGE} AS conftest ARG CONFTEST_VERSION=0.49.0 + RUN apt update && \ apt install -y --no-install-recommends curl ca-certificates -RUN curl -L -o conftest.tar.gz \ - https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz && \ +RUN ARCH="$(uname -m | sed 's/aarch64/arm64/')" && \ + curl -L -o conftest.tar.gz \ + https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_${ARCH}.tar.gz && \ tar zxf conftest.tar.gz && \ cp conftest /usr/local/bin && \ conftest --version FROM ${IMAGE} COPY --from=conftest /usr/local/bin/conftest /usr/local/bin + RUN apt update && \ apt install -y --no-install-recommends bash-completion && \ echo 'source /usr/share/bash-completion/bash_completion' >> /etc/bash.bashrc && \ conftest completion bash > /usr/share/bash-completion/completions/conftest -ENTRYPOINT [ "conftest" ] diff --git a/docker/cue.Dockerfile b/docker/cue.Dockerfile index d423f42..37e977b 100644 --- a/docker/cue.Dockerfile +++ b/docker/cue.Dockerfile 
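Review bot: The context line `ARG CONFTEST_VERSION=0.49.0` in `docker/conftest.Dockerfile` is left unchanged while this commit moves CI to 0.67.0. An image built without `--build-arg` therefore runs a much older conftest than the workflow, and policy results may differ between the two. If the default is meant to track CI, change it to `ARG CONFTEST_VERSION=0.67.0`; if callers always pass the version, a comment saying so would help. The hunk also drops `ENTRYPOINT [ "conftest" ]` without a replacement, so the container now starts the base image's default command; a short comment stating the intended invocation would document that change.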
@@ -1,9 +1,21 @@ -FROM golang:1.25-bookworm +ARG IMAGE=ubuntu:24.04 + +FROM ${IMAGE} AS cue ARG CUE_VERSION=0.16.0 +RUN apt update && \ + apt install -y --no-install-recommends curl ca-certificates +RUN ARCH="$(uname -m | sed 's/aarch64/arm64/; s/x86_64/amd64/')" && \ + curl -L -o cue.tar.gz \ + https://github.com/cue-lang/cue/releases/download/v${CUE_VERSION}/cue_v${CUE_VERSION}_linux_${ARCH}.tar.gz && \ + tar zxf cue.tar.gz && \ + cp cue /usr/local/bin && \ + cue version + +FROM ${IMAGE} +COPY --from=cue /usr/local/bin/cue /usr/local/bin + RUN apt update && \ apt install -y --no-install-recommends bash-completion && \ - echo 'source /usr/share/bash-completion/bash_completion' >> /etc/bash.bashrc -RUN go install cuelang.org/go/cmd/cue@v${CUE_VERSION} && \ - cue completion bash > /etc/bash_completion.d/cue -ENTRYPOINT cue + echo 'source /usr/share/bash-completion/bash_completion' >> /etc/bash.bashrc && \ + cue completion bash > /usr/share/bash-completion/completions/cue
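Review bot: The `ARCH` mapping `sed 's/aarch64/arm64/; s/x86_64/amd64/'` in `docker/cue.Dockerfile` passes any other `uname -m` value through unchanged. `curl -L` without `--fail` then writes the server's error body to `cue.tar.gz`, so the build stops at `tar` with a misleading message. Use `curl -fsSL -o cue.tar.gz \` so an unavailable asset fails at the download; the `curl -L` in `docker/conftest.Dockerfile` has the same gap. A one-line comment above the `RUN`, noting that the substitution translates kernel machine names to the release asset names, would explain why the two Dockerfiles use different expressions.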