diff --git a/.github/bin/update-lima-dep.sh b/.github/bin/update-lima-dep.sh
deleted file mode 100755
index 48ce1a93f..000000000
--- a/.github/bin/update-lima-dep.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-DEPENDENCY_CLOUDFRONT_URL="https://deps.runfinch.com/"
-AARCH64_FILENAME_PATTERN="aarch64/lima-and-qemu.macos-aarch64.[0-9].*\.gz$"
-AMD64_FILENAME_PATTERN="x86-64/lima-and-qemu.macos-x86_64.[0-9].*\.gz$"
-AARCH64="aarch64"
-X86_64="x86-64"
-
-FINCH_CORE_FILENAME_PATTERN="finch-core-.*\.gz$"
-ARTIFACT_CLOUDFRONT_URL="https://artifact.runfinch.com/"
-
-set -x
-
-while getopts d:a: flag
-do
-        case "${flag}" in
-            d) dependency_bucket=${OPTARG};;
-            a) artifact_bucket=${OPTARG};;
-         esac
-done
-[[ -z "$dependency_bucket" ]] && { echo "Error: Dependency bucket not set"; exit 1; }
-
-[[ -z "$artifact_bucket" ]] && { echo "Error: Artifact bucket not set"; exit 1; }
-
-
-aarch64Deps=$(aws s3 ls s3://${dependency_bucket}/${AARCH64}/ --recursive | grep "$AARCH64_FILENAME_PATTERN" | sort | tail -n 1 | awk '{print $4}')
-
-[[ -z "$aarch64Deps" ]] && { echo "Error: aarch64 dependency not found"; exit 1; }
-
-
-amd64Deps=$(aws s3 ls s3://${dependency_bucket}/${X86_64}/ --recursive | grep "$AMD64_FILENAME_PATTERN" | sort | tail -n 1 | awk '{print $4}')
-
-[[ -z "$amd64Deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
-
-sed -E  -i.bak  's|^([[:blank:]]*LIMA_URL[[:blank:]]*\?=[[:blank:]]*'${DEPENDENCY_CLOUDFRONT_URL}')('${AARCH64_FILENAME_PATTERN}')|\1'$aarch64Deps'|' Makefile
-sed -E  -i.bak  's|^([[:blank:]]*LIMA_URL[[:blank:]]*\?=[[:blank:]]*'${DEPENDENCY_CLOUDFRONT_URL}')('${AMD64_FILENAME_PATTERN}')|\1'$amd64Deps'|'  Makefile
-
-finch_core_artifact=$(aws s3 ls s3://${artifact_bucket} --recursive | grep "$FINCH_CORE_FILENAME_PATTERN" | sort | tail -n 1 | awk '{print $4}')
-
-[[ -z "$finch_core_artifact" ]] && { echo "Error: finch core release not found"; exit 1; }
-
-sed -E  -i.bak  's|^([[:blank:]]*CORE_URL[[:blank:]]*\?=[[:blank:]]*'${ARTIFACT_CLOUDFRONT_URL}')('${FINCH_CORE_FILENAME_PATTERN}')|\1'$finch_core_artifact'|'  Makefile
diff --git a/.github/workflows/sync-submodules.yaml b/.github/workflows/sync-submodules-and-deps.yaml
similarity index 56%
rename from .github/workflows/sync-submodules.yaml
rename to .github/workflows/sync-submodules-and-deps.yaml
index 10a3bfe2f..cc7385c5e 100644
--- a/.github/workflows/sync-submodules.yaml
+++ b/.github/workflows/sync-submodules-and-deps.yaml
@@ -1,4 +1,4 @@
-name: Sync Submodules
+name: Sync Submodules and Dependencies
 
 # Pulls changes from the main branch of submodules daily at 9:00 UTC and opens a PR.
 on:
@@ -15,14 +15,26 @@ jobs:
         with:
           submodules: recursive
           token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Update sub modules
+
+      - name: Update submodules
         run: |
           git submodule update --remote
+
+      - name: Update OS image
+        run: |
           ./.github/bin/update-os-image.sh
 
+      - name: Update lima dependencies url
+        run: |
+          ./deps/finch-core/bin/update-deps.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
+
+      - name: Update rootfs
+        run: |
+          ./deps/finch-core/bin/update-rootfs.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
+
       - name: Create PR
         uses: peter-evans/create-pull-request@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           signoff: true
-          title: 'build(deps): Bump submodules'
+          title: 'build(deps): Bump submodules and dependencies'
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
deleted file mode 100644
index c93dd115d..000000000
--- a/.github/workflows/update-deps.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: Update dependencies
-on:
-  schedule:
-    - cron: '0 11 * * 2'
-  workflow_dispatch:
-
-permissions:
-  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
-  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
-  id-token: write
-  contents: write
-  pull-requests: write
-
-jobs:
-  update-deps:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v2
-        with:
-          role-to-assume: ${{ secrets.ROLE }}
-          role-session-name: dependency-upload-session
-          aws-region: ${{ secrets.REGION }}
-
-      # This step fetches the latest set of released dependencies from s3 and updates the Makefile to use the same.
-      - name: update dependencies url
-        run: |
-          ./.github/bin/update-lima-dep.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} -a {{ secrets.ARTIFACT_BUCKET_NAME }}
-
-      - name: create PR
-        uses: peter-evans/create-pull-request@v5
-        with:
-          # A Personal Access Token instead of the default `GITHUB_TOKEN` is required
-          # to trigger the checks (e.g., e2e tests) on the created pull request.
-          # More info: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs
-          # TODO: Use FINCH_BOT_TOKEN instead of GITHUB_TOKEN.
-          token: ${{ secrets.GITHUB_TOKEN }}
-          signoff: true
-          # TODO: Add updated lima version in the title.
-          title: 'build(deps): Bump lima version'