diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
new file mode 100644
index 0000000..8efdaff
--- /dev/null
+++ b/.github/workflows/lint-test.yml
@@ -0,0 +1,17 @@
+name: lint
+on:
+ push:
+jobs:
+ run:
+ permissions:
+ contents: read
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.5.7
+
+ - name: lint
+ run: terraform fmt **/*.tf
diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
new file mode 100644
index 0000000..4958b15
--- /dev/null
+++ b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,21 @@
+name: validate renovate.json
+
+on:
+ pull_request:
+
+env:
+ LOG_LEVEL: debug
+
+jobs:
+ renovate-config-validator:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+ with:
+ node-version: 20
+
+ - run: npx -p renovate renovate-config-validator renovate.json
diff --git a/Dockerfile b/Dockerfile
index eb5bc55..026a38c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,7 @@
-FROM debian:buster as builder
+FROM debian:bookworm as builder
 ARG DEBIAN_FRONTEND=noninteractive
-ARG VAULT_VERSION=1.12.3
+# renovate: datasource=github-releases depName=hashicorp-vault-cli packageName=hashicorp/vault
+ARG VAULT_VERSION=1.18.3
 RUN apt-get update && apt-get install -y wget unzip
 RUN wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
 RUN unzip vault_${VAULT_VERSION}_linux_amd64.zip
diff --git a/example/README.md b/example/README.md
deleted file mode 100644
index ab87c3a..0000000
--- a/example/README.md
+++ /dev/null
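Review bot: The lint step `run: terraform fmt **/*.tf` can never fail the workflow, because `terraform fmt` without `-check` rewrites files in place and exits 0, so unformatted code on a push is silently "fixed" inside the runner and then discarded. The `**` glob is also likely to miss files: the default bash shell used by `run:` does not enable globstar, so `**/*.tf` behaves like `*/*.tf` and would skip the root-level `main.tf` and `variables.tf` touched in this commit. Replace the command with `run: terraform fmt -check -recursive` (add `-diff` if the log should show what is wrong). Separately, `hashicorp/setup-terraform@v3` is pinned only by a mutable tag while `actions/checkout` on the line above is pinned by commit SHA; pin it by SHA too so the `github-actions` renovate manager enabled in this commit tracks both the same way.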
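Review bot: The `renovate-config-validator` job declares no `permissions:` block, unlike the `run` job in `lint-test.yml` added by the same commit, so it executes with whatever default token scope the repository grants even though it only needs to read `renovate.json`; add `permissions:` with `contents: read` under the job. The validator itself is fetched at run time with `npx -p renovate`, i.e. whatever version npm currently publishes, which makes the check non-reproducible and executes an unpinned package on every pull request; pin it as `npx -p renovate@<version> renovate-config-validator renovate.json` and let renovate keep that version current.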
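Review bot: The renovate marker added above `ARG VAULT_VERSION=1.18.3` means this version will now be bumped automatically, but the `RUN wget -q https://releases.hashicorp.com/vault/...` and `RUN unzip ...` context lines that follow still install the archive without any integrity check, so an automated bump ships whatever the download endpoint returns on that day. HashiCorp publishes a `vault_${VAULT_VERSION}_SHA256SUMS` file alongside each archive; fetch it in the same step and run `sha256sum -c --ignore-missing vault_${VAULT_VERSION}_SHA256SUMS` before `unzip`, so a mismatched archive fails the build rather than ending up in the image. Note that with `-q` a failed `wget` also prints nothing, so the step's exit status is the only signal; the checksum step gives a second one.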
@@ -1,25 +0,0 @@
-# Full example
-
-This example
-
-- Creates a Vault server in a GCP project, deployed using Cloud Run
-- Creates a GCS bucket with a GSA in the same GCP project that can CRUD objects on the bucket
-- Configures the [GCP secret engine](https://developer.hashicorp.com/vault/docs/secrets/gcp) on the Vault server
-- Configures Vault so it can create service account keys for the GSA. The GSA keys have a [default ttl of 5m, and max ttl of 30d](https://github.com/joecorall/serverless-vault-with-cloud-run/blob/23e0bb6a0d378eb1612cdf8452137ce75f5fb6e6/example/main.tf#L93-L94). After their TTL they will be deleted from Google by Vault
-
-In order to both create the vault server and then apply policies to it, we need to run the terraform in two stages:
-
-1. Create Vault server
-2. Apply policies on the Vault server
-
-In between those two stages we need to define an environment variable `VAULT_TOKEN` so terraform can authenticate to our new Vault server in order to be able to create the policies.
-
-This can be accomplished by running [tf.sh](./tf.sh)
-
-```
-git clone https://github.com/joecorall/serverless-vault-with-cloud-run.git
-cd serverless-vault-with-cloud-run/example
-export TF_VAR_project=YOUR-GCP-PROJECT-ID
-export TF_VAR_region=us-east5
-./tf.sh ${TF_VAR_project}
-```
diff --git a/example/github.tf b/example/github.tf
deleted file mode 100644
index 92cdb19..0000000
--- a/example/github.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-# Allow GitHub actions to get a GSA key from Vault
-
-locals {
- github_org = "joecorall"
- github_vault_project = "serverless-vault-with-cloud-run"
-}
-
-resource "vault_policy" "bucket-writer" {
- name = "bucket-writer"
-
- policy = < /dev/null 2>&1
-base64 -d root-token.enc > root-token.dc
-gcloud kms decrypt --key=vault --keyring=vault-server --location=global \
- --project=${TF_VAR_project} \
- --ciphertext-file=root-token.dc \
- --plaintext-file=root-token
-export VAULT_TOKEN=$(cat root-token)
-rm root-token root-token.enc root-token.dc
-
-# Now we can apply all of the terraform with a valid Vault token
-terraform apply
diff --git a/main.tf b/main.tf
index 0f2b65a..e3f5f41 100644
--- a/main.tf
+++ b/main.tf
@@ -6,14 +6,14 @@ terraform {
 }
 google = {
 source = "hashicorp/google"
- version = ">= 4.54.0"
+ version = "= 6.15.0"
 }
 }
 }
 locals {
 image_name = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)
- kms_key = "vault"
+ kms_key = "vault"
 }
 ## Create the GSA the Vault CloudRun deployment will run as
@@ -51,7 +51,7 @@ resource "google_artifact_registry_repository" "private" {
 data "google_artifact_registry_repository" "my-repo" {
 location = var.country
- repository_id = var.create_repository ? google_artifact_registry_repository.private[0].id : var.repository
+ repository_id = var.repository
 }
 # docker build vault server image
@@ -76,8 +76,8 @@ resource "docker_registry_image" "vault" {
 ## Create KMS keys
 resource "google_kms_key_ring" "vault-server" {
- name = "vault-server"
- location = "global"
+ name = "vault-server"
+ location = "global"
 }
 resource "google_kms_crypto_key" "key" {
@@ -161,7 +161,7 @@ resource "google_cloud_run_v2_job" "vault-init" {
 service_account = google_service_account.gsa.email
 containers {
 name = "vault-init"
- image = "jcorall/vault-init:0.3.0"
+ image = var.init_image
 env {
 name = "GOOGLE_PROJECT"
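Review bot: The exact constraint `version = "= 6.15.0"` in `required_providers` of `main.tf` will make any root configuration that consumes this module alongside another google provider version fail provider resolution; the deleted `example/` directory suggests the file is used as a module rather than only as a root. A pessimistic constraint such as `version = "~> 6.15"` keeps the renovate `terraform` manager able to bump it while leaving callers room. If this file is meant to be applied only as a root module, a one-line comment above the pin saying so would stop the next reader from loosening it. The `terraform {}` block starts above this hunk, outside the visible lines.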
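Review bot: Replacing the conditional with `repository_id = var.repository` removes the only reference from `data "google_artifact_registry_repository" "my-repo"` to `google_artifact_registry_repository.private`, so when `var.create_repository` is true (the variable still exists, see the context in the `variables.tf` hunk) Terraform can read the data source before the repository has been created and fail with a not-found error on a fresh apply. Keep the ordering explicit with `depends_on = [google_artifact_registry_repository.private]` inside the data block, or restore the conditional. The `google_artifact_registry_repository.private` resource itself is above this hunk, outside the visible lines, so the interplay with its `count` should be checked there.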
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..328332e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,34 @@
+{
+ "extends": [
+ "config:best-practices",
+ ":rebaseStalePrs",
+ "customManagers:dockerfileVersions"
+ ],
+ "enabledManagers": [
+ "custom.regex",
+ "dockerfile",
+ "github-actions",
+ "terraform"
+ ],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "description": "Update _VERSION variables in Dockerfiles",
+ "fileMatch": [
+ "(^|/|\\.)Dockerfile$",
+ "(^|/)Dockerfile\\.[^/]*$"
+ ],
+ "matchStrings": [
+ "# renovate: datasource=(?[a-z-]+?) depName=(?.+?) packageName=(?.+?)(?: versioning=(?[a-z-]+?))?\\s(?:ENV|ARG) .+?_VERSION=(?.+?)(\\s|$)"
+ ]
+ }
+ ],
+ "labels": [
+ "dependencies"
+ ],
+ "osvVulnerabilityAlerts": true,
+ "dependencyDashboardOSVVulnerabilitySummary": "unresolved",
+ "vulnerabilityAlerts": {
+ "enabled": true
+ }
+}
diff --git a/variables.tf b/variables.tf
index 2e110ff..319eb59 100644
--- a/variables.tf
+++ b/variables.tf
@@ -15,6 +15,10 @@ variable "repository" {
 default = "private"
 }
+variable "init_image" {
+ type = string
+}
+
 variable "create_repository" {
 type = bool
 description = "Whether or not the AR repo needs to be created by this terraform"
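Review bot: The `matchStrings` regex in the custom manager has its capture groups written as `(?[a-z-]+?)` and `(?.+?)` with no group names, which is not valid regex syntax and would make the manager match nothing; if the committed file really lacks the `datasource`, `depName`, `packageName`, `versioning` and `currentValue` group names (rather than this page having stripped the angle brackets), they need to be restored, and the `validate renovate.json` workflow in this commit should be confirmed to reject the malformed form. Independently, this custom manager appears to duplicate the `customManagers:dockerfileVersions` preset already listed in `extends`, which targets the same `# renovate: datasource=... ARG ..._VERSION=` comment convention used in the Dockerfile hunk, so one of the two can likely be dropped to avoid double matches.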
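Review bot: `variable "init_image"` has no `description` and no `default`, so every existing caller of this module now fails planning with a missing-required-variable error, even though the only value it replaces is the literal `jcorall/vault-init:0.3.0` removed in the `main.tf` hunk. Make the change backward compatible with `default = "jcorall/vault-init:0.3.0"` and add a `description` stating that this is the container image run by the `vault-init` Cloud Run job; since the value reaches `image =` directly, a `validation` block rejecting an empty string is also reasonable. Whether renovate's `terraform` manager will track a default on a plain string variable is not something I can tell from here, so the tag may need a manual bump or a custom manager entry.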