diff --git a/.github/workflows/rootfs.yaml b/.github/workflows/rootfs.yaml
index 36316453..7cab7b47 100644
--- a/.github/workflows/rootfs.yaml
+++ b/.github/workflows/rootfs.yaml
@@ -5,66 +5,121 @@ on: branches: - main paths: - - 'Dockerfile' + - 'rootfs/Dockerfile' + pull_request: + branches: + - main + paths: + - 'rootfs/Dockerfile' workflow_dispatch: permissions: - # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. - # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings - id-token: write - contents: write - pull-requests: write + contents: read jobs: build-rootfs-image: runs-on: ubuntu-latest + strategy: matrix: # finch only supports amd64 for windows arch: ['amd64'] - platform: ['common'] + + outputs: + timestamp: ${{ steps.vars.outputs.timestamp }} + steps: - - name: Generate Timestamp - id: timestamp - run: echo "value=$(date +%s)" >> $GITHUB_OUTPUT - - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-region: ${{ secrets.REGION }} - role-to-assume: ${{ secrets.ROLE }} - role-session-name: rootfs-ecr-image-upload-session - - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v2 - - name: checkout repo + - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + sparse-checkout: | + rootfs/ fetch-depth: 0 persist-credentials: false + + - name: Set build variables + id: vars + run: | + echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT + - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 + - name: Build Image uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: + context: rootfs/ + file: rootfs/Dockerfile platforms: linux/${{ matrix.arch }} push: false - load: true # load the image into Docker so we can create a container 
from it tags: finch-rootfs-image-production:intermediate - - name: Tag and Push Container Image + outputs: type=docker,dest=finch-rootfs-${{ matrix.arch }}-${{ steps.vars.outputs.timestamp }}.tar + + - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: finch-rootfs-${{ matrix.arch }}-image + path: finch-rootfs-${{ matrix.arch }}-${{ steps.vars.outputs.timestamp }}.tar + if-no-files-found: error + + push-rootfs-image: + if: github.repository == 'runfinch/finch-core' && github.event_name != 'pull_request' + runs-on: ubuntu-latest + needs: build-rootfs-image + + permissions: + # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. + # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings + id-token: write + contents: write + pull-requests: write + + strategy: + matrix: + # finch only supports amd64 for windows + arch: ['amd64'] + + env: + TIMESTAMP: ${{ needs.build-rootfs-image.outputs.timestamp }} + + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + aws-region: ${{ secrets.REGION }} + role-to-assume: ${{ secrets.ROLE }} + role-session-name: rootfs-ecr-image-upload-session + + - name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 + + - name: Download container image + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: finch-rootfs-${{ matrix.arch }}-image + + - name: Load container image + run: docker load -i finch-rootfs-${{ matrix.arch }}-${{ env.TIMESTAMP }}.tar + + - name: Tag and push container image to Amazon ECR run: | - TIMESTAMP=${{ steps.timestamp.outputs.value }} + docker tag finch-rootfs-image-production:intermediate ${{ 
secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-${{ env.TIMESTAMP }} + docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-${{ env.TIMESTAMP }} + + - name: Checkout repo + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - docker tag finch-rootfs-image-production:intermediate ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP" - docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP" - name: Create, Compress, and Upload Rootfs run: | - TIMESTAMP=${{ steps.timestamp.outputs.value }} - docker container create --platform linux/${{ matrix.arch }} --name ${{ matrix.arch }}-rootfs finch-rootfs-image-production:intermediate docker container export -o finch-rootfs-production-${{ matrix.arch }}.tar ${{ matrix.arch }}-rootfs - compressed_archive=finch-rootfs-production-${{ matrix.arch }}-"$TIMESTAMP".tar.gz + compressed_archive=finch-rootfs-production-${{ matrix.arch }}-${{ env.TIMESTAMP }}.tar.gz gzip -9 -c finch-rootfs-production-${{ matrix.arch }}.tar > $compressed_archive sha512_digest=$(sha512sum $compressed_archive | cut -d " " -f 1) echo $sha512_digest > $compressed_archive.sha512sum @@ -77,7 +132,7 @@ jobs: fi # Upload tarball and shasum to S3 - aws s3 cp . s3://${{ secrets.DEPENDENCY_BUCKET_NAME }}/${{ matrix.platform }}/$ARCHPATH/ --recursive --exclude "*" --include "finch-rootfs-production-${{ matrix.arch }}-"$TIMESTAMP".tar.gz*" + aws s3 cp . s3://${{ secrets.DEPENDENCY_BUCKET_NAME }}/common/$ARCHPATH/ --recursive --exclude "*" --include "finch-rootfs-production-${{ matrix.arch }}-${{ env.TIMESTAMP }}.tar.gz*" cat < deps/rootfs.conf ARTIFACT_BASE_URL=https://deps.runfinch.com 
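Review bot: The `if:` guard on the new `push-rootfs-image` job excludes `pull_request` and foreign repositories but not the ref, so a `workflow_dispatch` run started from any branch still assumes the OIDC role, pushes that branch's rootfs to the production ECR repository and S3 bucket, and opens the bump PR with `contents: write`/`pull-requests: write`; if dispatching from feature branches is not intended, tighten it to `if: github.repository == 'runfinch/finch-core' && github.event_name != 'pull_request' && github.ref == 'refs/heads/main'`, and if it is intended, say so in a comment above the job. Separately, the `docker load`, `docker tag` and `docker push` lines now expand `${{ env.TIMESTAMP }}` and `${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}` straight into the script text, where the removed lines used the shell variable `"$TIMESTAMP"`; since `TIMESTAMP` is already a job-level `env:` entry, `docker push "$ECR_REPOSITORY:${{ matrix.arch }}-$TIMESTAMP"` with `ECR_REPOSITORY: ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}` added under the job's `env:` keeps workflow values out of the command string. Today the timestamp comes from `date +%s` in the build job, so this is a hardening of the pattern rather than an exploitable injection as written. The hunk starts inside the `on:` block and ends inside the `Create, Compress, and Upload Rootfs` run script, both of which continue outside it.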
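Review bot: The rewritten `aws s3 cp` line interpolates `${{ env.TIMESTAMP }}` into the `--include` glob inside the script, while the line it replaces read the value from the shell variable `"$TIMESTAMP"`; because `TIMESTAMP` is exported at job level, `--include "finch-rootfs-production-${{ matrix.arch }}-${TIMESTAMP}.tar.gz*"` works unchanged and avoids splicing workflow expressions into the command text. The value is produced by `date +%s` in the build job, so this is consistency with the removed form and with the surrounding `$compressed_archive` usage rather than a live injection. The run script this line belongs to starts and ends outside the hunk.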
@@ -87,12 +142,12 @@ jobs: ${ARTIFACT_KEY}_512_DIGEST=$sha512_digest EOL - - name: create pr + - name: Create PR uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: token: ${{ secrets.GITHUB_TOKEN }} signoff: true - branch: create-rootfs-${{ matrix.arch }}-${{ steps.timestamp.outputs.value }} + branch: create-rootfs-${{ matrix.arch }}-${{ needs.build-rootfs-image.outputs.timestamp }} delete-branch: true title: 'build(deps): Update windows rootfs' add-paths: deps/rootfs.conf diff --git a/Dockerfile b/rootfs/Dockerfile similarity index 100% rename from Dockerfile rename to rootfs/Dockerfile