diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 3300c80..e9eab90 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -31,6 +31,13 @@ jobs:
 exit 0
 fi
 shell: bash
+ - name: Check for makefile change with blank spaces/tabs
+ shell: bash
+ run: |
+ if git diff --quiet HEAD -- testfiles/Makefile; then
+ echo "testfiles/Makefile has not changed."
+ exit 1
+ fi

 test-working-dir:
 runs-on: ubuntu-latest
diff --git a/action.yml b/action.yml
index ca89b78..35c9543 100644
--- a/action.yml
+++ b/action.yml
@@ -72,14 +72,14 @@ runs:
 echo "Skipping testdata ${file}"
 continue
 fi
-
+
 # Extract all image references and their digests
 mapfile -t image_lines < <(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" || true)
-
+
 for line in "${image_lines[@]}"; do
- image=$(echo "$line" | cut -d @ -f1 | rev | cut -d = -f1 | cut -d ' ' -f1 | cut -d '"' -f1 | rev | sed -e "s/^docker:\/\///")
- digest=$(echo "$line" | cut -d @ -f2 | cut -d ' ' -f1 | cut -d '"' -f1)
-
+ image=$(echo "$line" | cut -d @ -f1 | rev | cut -d = -f1 | cut -d ' ' -f1 | cut -d '"' -f1 | rev | sed -e "s/^docker:\/\///" | tr -d '' | tr -d '\t')
+ digest=$(echo "$line"| cut -d @ -f2 | cut -d ' ' -f1 | cut -d '"' -f1 | tr -d '' | tr -d '\t')
+
 if [[ "$image" != *":"* ]]; then
 echo "Image $image in file $file does not have a tag, ignoring..."
 continue
@@ -88,9 +88,9 @@ runs:
 echo "Skipping local registry image $image"
 continue
 fi
-
+
 echo "Processing $image in file $file"
-
+
 updated_digest=
 crane digest "$image" > digest.log 2> logerror.txt
 if [ $? -eq 0 ]; then
@@ -103,7 +103,7 @@ runs:
 fi
 rm -f logerror.txt
 rm -f digest.log
-
+
 if [ "$updated_digest" != "$digest" ] && [ -n "$updated_digest" ]; then
 echo "Digest $digest for image $image is different, new digest is $updated_digest, updating..."
 sed -i -e "s|$image@$digest|$image@$updated_digest|g" "$file"
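Review bot: The new step "Check for makefile change with blank spaces/tabs" in .github/workflows/test.yaml passes on any modification of testfiles/Makefile, because `git diff --quiet HEAD -- testfiles/Makefile` only proves the file differs from HEAD, not that the pinned digest was rewritten correctly. A regression that mangles the indented line or updates only one of the two pinned references would still go green. Consider also asserting on content after the existing `fi`, for example `if grep -q 'sha256:16e05ea526a250ddb3e24167ecc6494b29961d0e5fc02b716b9eea31e82439f8' testfiles/Makefile; then echo "stale digest still present"; exit 1; fi`, which assumes the fixture digest is expected to be out of date. The steps that run the action before this check are outside the hunk.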
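Review bot: In the first action.yml hunk the added `tr -d '\t'` runs after `cut -d ' ' -f1`, so a tab is deleted rather than treated as a separator; where a tab sits between another token and the image reference, or directly after the digest, the two pieces are joined into one bogus value instead of being split. As rendered here the other new stage is `tr -d ''`, which deletes nothing; if `tr -d ' '` was intended, the spacing may have been lost on this page. Normalising tabs before the cuts covers both cases: start each pipeline with `echo "$line" | tr '\t' ' ' | cut -d @` and drop the trailing `tr -d` stages. Both values later reach the `sed -i -e "s|$image@$digest|` substitution in the last hunk unescaped, so it is worth rejecting any `$digest` that does not match `^sha256:[a-f0-9]{64}$` before use. The enclosing `for` loop starts and ends outside this hunk.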
diff --git a/testfiles/Makefile b/testfiles/Makefile
new file mode 100644
index 0000000..0ed671b
--- /dev/null
+++ b/testfiles/Makefile
@@ -0,0 +1,48 @@
+dev-container:
+ docker run --privileged --rm -it \
+ -v "${PWD}:${PWD}" \
+ -v "${HOME}/.cache/wolfictl/dev-container-enterprise/root:/root" \
+ -v "${HOME}/.config/chainctl:/root/.config/chainctl" \
+ -w "${PWD}" \
+ ghcr.io/wolfi-dev/sdk:latest@sha256:16e05ea526a250ddb3e24167ecc6494b29961d0e5fc02b716b9eea31e82439f8
+
+# The next two targets are mostly copies from the local-wolfi and
+# dev-container-wolfi targets from wolfi-dev/os:
+# https://github.com/wolfi-dev/os/blob/main/Makefile
+
+PACKAGES_CONTAINER_FOLDER ?= /work/packages
+TMP_REPOSITORIES_DIR := $(shell mktemp -d)
+TMP_REPOSITORIES_FILE := $(TMP_REPOSITORIES_DIR)/repositories
+# This target spins up a docker container that is helpful for testing local
+# changes to the packages. It mounts the local packages folder as a read-only,
+# and sets up the necessary keys for you to run `apk add` commands, and then
+# test the packages however you see fit.
+local-wolfi: ${KEY}
+ @echo "https://packages.wolfi.dev/os" > $(TMP_REPOSITORIES_FILE)
+ @echo "https://apk.cgr.dev/chainguard-private" >> $(TMP_REPOSITORIES_FILE)
+ @echo "https://packages.cgr.dev/extras" >> $(TMP_REPOSITORIES_FILE)
+ @echo "$(PACKAGES_CONTAINER_FOLDER)" >> $(TMP_REPOSITORIES_FILE)
+ @mkdir -p ${PWD}/packages
+ docker run --rm -it \
+ -e HTTP_AUTH="basic:apk.cgr.dev:user:$(shell chainctl auth token --audience apk.cgr.dev)" \
+ --mount type=bind,source="${PWD}/packages",destination="$(PACKAGES_CONTAINER_FOLDER)",readonly \
+ --mount type=bind,source="${PWD}/local-melange-enterprise.rsa.pub",destination="/etc/apk/keys/local-melange-enterprise.rsa.pub",readonly \
+ --mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
+ -w "$(PACKAGES_CONTAINER_FOLDER)" \
+ cgr.dev/chainguard-private/chainguard-base:latest
+ @rm "$(TMP_REPOSITORIES_FILE)"
+ @rmdir "$(TMP_REPOSITORIES_DIR)"
+
+dev-container-wolfi:
+ @echo "https://packages.wolfi.dev/os" > $(TMP_REPOSITORIES_FILE)
+ @echo "$(PACKAGES_CONTAINER_FOLDER)" >> $(TMP_REPOSITORIES_FILE)
+ docker run --rm -it \
+ --mount type=bind,source="${OUT_DIR}",destination="$(OUT_LOCAL_DIR)" \
+ --mount type=bind,source="${OS_DIR}",destination="$(OS_LOCAL_DIR)",readonly \
+ --mount type=bind,source="${PWD}/packages",destination="$(PACKAGES_CONTAINER_FOLDER)",readonly \
+ --mount type=bind,source="${PWD}/local-melange-enterprise.rsa.pub",destination="/etc/apk/keys/local-melange-enterprise.rsa.pub",readonly \
+ --mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
+ -w "$(PACKAGES_CONTAINER_FOLDER)" \
+ ghcr.io/wolfi-dev/sdk:latest@sha256:16e05ea526a250ddb3e24167ecc6494b29961d0e5fc02b716b9eea31e82439f8
+ @rm "$(TMP_REPOSITORIES_FILE)"
+ @rmdir "$(TMP_REPOSITORIES_DIR)"
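Review bot: The `local-wolfi` recipe in testfiles/Makefile expands `$(shell chainctl auth token --audience apk.cgr.dev)` into the `docker run` line, and that line has no `@` prefix, so make echoes the token to the terminal or CI log and it also ends up in the docker client's process arguments. If this fixture is meant to stay usable as a real Makefile, pass the value through the environment instead: `HTTP_AUTH="basic:apk.cgr.dev:user:$$(chainctl auth token --audience apk.cgr.dev)" docker run --rm -it \` followed by `-e HTTP_AUTH \`. Separately, `TMP_REPOSITORIES_DIR := $(shell mktemp -d)` runs on every parse, so `make dev-container` also leaves an empty temp directory behind. The header comment says these targets are copied from wolfi-dev/os, so the same change may be worth raising there.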