diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 35017ed1..85613eda 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -8,4 +8,4 @@ on: jobs: validate: name: Validate - uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b214c499..26f22c8a 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -12,6 +12,7 @@ jobs: name: Lint permissions: contents: read # Allows reading the repo contents + id-token: write steps: - name: Checkout @@ -20,11 +21,12 @@ jobs: fetch-depth: 0 - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/setup@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 with: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: Install lint deps run: | diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index 4a3282b0..42f485a5 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml 
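Review bot: `id-token: write` is added to the Lint job without the kind of explanatory comment the neighbouring `contents: read` line carries. The same bare grant appears in the tag-and-release.yaml job that also holds `packages: write`, and in the top-level permissions of test.yaml. The permission lets the job request a GitHub OIDC token, presumably so the setup action can assume the identity passed as `chainguardIdentity` in the next hunk, but nothing visible here states that link. I would write `id-token: write # Allows requesting an OIDC token for the Chainguard identity used by the setup action`. It is also worth confirming that linting really pulls from the Chainguard registry; if it does not, the grant and the secret can be left out of this job.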
@@ -25,10 +25,10 @@ jobs: publish-package: needs: tag-new-version if: ${{ needs.tag-new-version.outputs.release_created == 'true' }} - runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || matrix.flavor == 'registry1' && 'uds-swf-ubuntu-big-boy-4-core' || 'ubuntu-latest' }} + runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'uds-swf-ubuntu-big-boy-4-core' }} strategy: matrix: - flavor: [upstream, registry1] + flavor: [upstream, unicorn, registry1] architecture: [amd64, arm64] exclude: - flavor: registry1 @@ -38,16 +38,18 @@ jobs: permissions: contents: read packages: write + id-token: write steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/setup@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 with: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 @@ -63,10 +65,10 @@ jobs: - name: Debug Output if: ${{ always() }} - uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/debug-output@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 - name: Save logs if: always() - uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/save-logs@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 with: suffix: ${{ matrix.flavor }}-${{ matrix.architecture }}-${{ github.run_id }}-${{ github.run_attempt }} 
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 580ef12c..becabd11 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -30,43 +30,50 @@ concurrency: permissions: contents: read + id-token: write jobs: run-test: name: ${{ matrix.type }} ${{ matrix.flavor }} - runs-on: ${{ matrix.flavor == 'registry1' && matrix.type == 'upgrade' && 'uds-swf-ubuntu-big-boy-4-core' || 'ubuntu-latest' }} + runs-on: 'uds-swf-ubuntu-big-boy-4-core' timeout-minutes: 20 strategy: matrix: - flavor: [upstream, registry1] + flavor: [upstream, unicorn, registry1] type: [install, upgrade] + # do not run upgrade tests for unicorn + # TODO @WSTARR: remove after first unicorn release + exclude: + - flavor: unicorn + type: upgrade steps: - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/setup@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 with: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 - name: Test - uses: defenseunicorns/uds-common/.github/actions/test@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/test@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 with: flavor: ${{ matrix.flavor }} type: ${{ matrix.type }} - name: Debug Output if: ${{ always() }} - uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: defenseunicorns/uds-common/.github/actions/debug-output@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 - name: Save logs if: always() - uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0 + uses: 
defenseunicorns/uds-common/.github/actions/save-logs@2536a06363d50a160421105b2df86aacf69388c1 # v0.11.1 with: suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }} diff --git a/common/zarf.yaml b/common/zarf.yaml index 81e52b95..277a748e 100644 --- a/common/zarf.yaml +++ b/common/zarf.yaml @@ -32,3 +32,10 @@ components: name: mattermost namespace: mattermost condition: "'{.status.phase}'=Ready" + - description: Mattermost to be Healthy + wait: + cluster: + kind: Deployment + name: mattermost-enterprise-edition + namespace: mattermost + condition: Available diff --git a/plugins/Dockerfile b/plugins/Dockerfile index 23ddd489..0de2de3f 100644 --- a/plugins/Dockerfile +++ b/plugins/Dockerfile @@ -7,7 +7,9 @@ ENV MATTERMOST_GITLAB_PLUGIN_VERSION=1.9.1 USER root +# We build this as a multi-arch image so that it can be used more easily across architectures (i.e. under faux86 paradigms like Rosetta) ADD https://github.com/mattermost/mattermost-plugin-ai/releases/download/v$MATTERMOST_AI_PLUGIN_VERSION/mattermost-plugin-ai-v$MATTERMOST_AI_PLUGIN_VERSION-linux-amd64.tar.gz /extra-plugins/ +ADD https://github.com/mattermost/mattermost-plugin-ai/releases/download/v$MATTERMOST_AI_PLUGIN_VERSION/mattermost-plugin-ai-v$MATTERMOST_AI_PLUGIN_VERSION-linux-arm64.tar.gz /extra-plugins/ ADD https://github.com/mattermost/mattermost-plugin-gitlab/releases/download/v$MATTERMOST_GITLAB_PLUGIN_VERSION/com.github.manland.mattermost-plugin-gitlab-$MATTERMOST_GITLAB_PLUGIN_VERSION.tar.gz /extra-plugins/ COPY ./entrypoint.sh /bin/entrypoint.sh diff --git a/plugins/zarf.yaml b/plugins/zarf.yaml index e006b818..b08a7420 100644 --- a/plugins/zarf.yaml +++ b/plugins/zarf.yaml 
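Review bot: In test.yaml the `id-token: write` grant sits in the workflow-level `permissions:` block above `jobs:`, so every job in the file inherits the ability to request an OIDC token. lint.yaml and tag-and-release.yaml in this same commit scope it to the single job that calls the setup action. Only `run-test` is visible in this hunk, so any other job defined outside it would gain the permission without needing it. Moving the block under `run-test:` (a job-level `permissions:` with `contents: read` and `id-token: write`) keeps the grant next to the step that passes `chainguardIdentity`.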
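Review bot: The added `ADD` for the arm64 plugin tarball fetches a release asset over HTTPS with no integrity check, as do the existing amd64 and GitLab plugin lines, so a replaced or tampered asset would be baked into the image unnoticed. The image is built with `docker buildx` (see plugins/zarf.yaml), so on a recent Dockerfile frontend the download can be pinned with `ADD --checksum=sha256:<sha256-of-arm64-tarball> https://…-linux-arm64.tar.gz /extra-plugins/`, where the placeholder stands for the digest of the published asset. The new comment describes a multi-arch image, yet both tarballs are added to every platform's build. Whether entrypoint.sh (not shown) selects the one matching the running architecture is worth confirming.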
@@ -15,7 +15,5 @@ components: actions: onCreate: before: - # we always build on amd64 because that is the target architecture for the plugin binaries - # but we still need fake arm64 images because @zachariahmiller said so - cmd: | - docker buildx build --load . -t uds-package-mattermost/mattermost-extra-plugins:latest --platform linux/amd64 + docker buildx build --load . -t uds-package-mattermost/mattermost-extra-plugins:latest --platform linux/###ZARF_PKG_ARCH### diff --git a/tasks.yaml b/tasks.yaml index 4192e2b2..61c7605b 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -2,11 +2,11 @@ includes: - cleanup: ./tasks/cleanup.yaml - dependencies: ./tasks/dependencies.yaml - test: ./tasks/test.yaml - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/create.yaml - - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/lint.yaml - - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/pull.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/deploy.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/setup.yaml + - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/create.yaml + - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/lint.yaml + - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/pull.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/deploy.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/setup.yaml tasks: - name: default diff --git a/tasks/cleanup.yaml b/tasks/cleanup.yaml deleted file mode 100644 index 6407fe2e..00000000 --- a/tasks/cleanup.yaml +++ /dev/null @@ -1,5 +0,0 @@ -tasks: - - name: destroy - actions: - - description: Destroy k3d cluster - cmd: k3d cluster delete uds 
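Review bot: The context line `- cleanup: ./tasks/cleanup.yaml` stays in the `includes:` list of tasks.yaml while this same commit deletes tasks/cleanup.yaml, so the include appears to point at a file that no longer exists and may stop the task file from loading. Unless the file is recreated elsewhere, that entry should be dropped in this hunk. Separately, the remote includes here and in tasks/publish.yaml are bumped to the tag `v0.11.1`, which upstream can move, whereas the workflows in this commit pin uds-common to commit `2536a06363d50a160421105b2df86aacf69388c1`. Using that commit in the raw URL, e.g. `https://raw.githubusercontent.com/defenseunicorns/uds-common/2536a06363d50a160421105b2df86aacf69388c1/tasks/create.yaml`, would make the fetched task definitions immutable.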
diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 51f0a7da..3798d82b 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,11 +1,11 @@ includes: - dependencies: ./dependencies.yaml - test: ./test.yaml - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/create.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/deploy.yaml + - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/create.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/deploy.yaml # TODO: @marshall007 - upstream logic into uds-common, tracking: https://github.com/defenseunicorns/uds-common/issues/178 - # - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/publish.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/setup.yaml + # - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/publish.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.11.1/tasks/setup.yaml tasks: # Slightly modified version of uds-common `publish:package`: diff --git a/tasks/test.yaml b/tasks/test.yaml index b2eb49f6..44186d50 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,20 +1,9 @@ tasks: - name: all actions: - - task: health-check - task: ingress - task: ui - - name: health-check - actions: - - description: Mattermost Health Check - wait: - cluster: - kind: Deployment - name: mattermost-enterprise-edition - namespace: mattermost - condition: Available - - name: ingress actions: - description: Mattermost UI Health Check 
@@ -27,9 +16,10 @@ tasks: - name: ui description: Mattermost UI Checks actions: - - cmd: npm ci - dir: tests - - cmd: npx playwright install --with-deps - dir: tests - - cmd: npx playwright test + - cmd: | + docker run --rm --ipc=host --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.43.1-jammy sh -c " \ + cd app && \ + npm ci && \ + npx playwright test \ + " dir: tests diff --git a/values/unicorn-values.yaml b/values/unicorn-values.yaml new file mode 100644 index 00000000..f67a765b --- /dev/null +++ b/values/unicorn-values.yaml @@ -0,0 +1,7 @@ +mattermostApp: + image: + repository: cgr.dev/du-uds-defenseunicorns/mattermost + tag: 9.10.1 +initContainerImage: + repository: cgr.dev/du-uds-defenseunicorns/curl-fips + tag: 8.9.1 diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml index 41e1720d..a4cfe151 100644 --- a/values/upstream-values.yaml +++ b/values/upstream-values.yaml @@ -2,3 +2,6 @@ mattermostApp: image: repository: mattermost/mattermost-enterprise-edition tag: 9.10.1 +initContainerImage: + repository: curlimages/curl + tag: 8.9.1 diff --git a/zarf.yaml b/zarf.yaml index 1a6438a6..0efbfe97 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -36,7 +36,7 @@ components: valuesFiles: - values/upstream-values.yaml images: - - appropriate/curl:latest + - curlimages/curl:8.9.1 - mattermost/mattermost-enterprise-edition:9.10.1 - name: mattermost @@ -55,3 +55,18 @@ components: images: - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - registry1.dso.mil/ironbank/opensource/mattermost/mattermost:9.10.1 + + - name: mattermost + required: true + description: "Deploy Mattermost" + import: + path: common + only: + flavor: unicorn + charts: + - name: mattermost-enterprise-edition + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/curl-fips:8.9.1 + - cgr.dev/du-uds-defenseunicorns/mattermost:9.10.1
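Review bot: The new `docker run` step in the `ui` task pulls `mcr.microsoft.com/playwright:v1.43.1-jammy` by mutable tag and runs it with `--net=host`, `--ipc=host` and a writable bind mount of the tests directory. Whatever that tag resolves to therefore executes with host networking and can modify the checkout. Pinning by digest, `mcr.microsoft.com/playwright:v1.43.1-jammy@sha256:<digest-of-v1.43.1-jammy>` (placeholder for the real digest), would match the commit-SHA pinning used for actions elsewhere in this commit. The script also does a relative `cd app`, which reaches the `/app` mount only if the image's working directory is `/`. `cd /app`, or `-w /app` on the `docker run`, removes that dependency.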