diff --git a/.golangci.yaml b/.golangci.yaml index 1f1a377..4cced3d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -31,8 +31,6 @@ linters: - gocritic - gofmt - goheader - - gomoddirectives - - gomodguard - goprintffuncname - gosec - gosimple diff --git a/klone.yaml b/klone.yaml index 46658da..2ffa679 100644 --- a/klone.yaml +++ b/klone.yaml 
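Review bot: Removing `gomoddirectives` and `gomodguard` from the enabled linters in `.golangci.yaml` (and again in `make/_shared/go/.golangci.override.yaml`) drops the lint-time checks on go.mod `replace`/`exclude`/`retract` directives and on module allow/block lists, and nothing in the diff records why. If the removal is deliberate, a comment in the linters list would preserve the reason, for example `# gomoddirectives, gomodguard: disabled, see <issue link>`. If these linters were configured elsewhere in the file, that configuration is now dead and should be removed with them. The linters list continues outside the hunk.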
@@ -10,45 +10,45 @@ targets: - folder_name: boilerplate repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/boilerplate - folder_name: cert-manager repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/cert-manager - folder_name: executable repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/executable - folder_name: generate-verify repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/generate-verify - folder_name: go repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/go - folder_name: help repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/help - folder_name: klone repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/klone - folder_name: repository-base repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/repository-base - folder_name: tools repo_url: 
https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 9b0502fdd5860b18fd6a9ddf86f148604a214fe4 + repo_hash: a3d5edd389774182bc0eb7eff32c9c9acf0254f4 repo_path: modules/tools diff --git a/make/_shared/go/.golangci.override.yaml b/make/_shared/go/.golangci.override.yaml index e569eff..86c2337 100644 --- a/make/_shared/go/.golangci.override.yaml +++ b/make/_shared/go/.golangci.override.yaml @@ -25,8 +25,6 @@ linters: - gocritic - gofmt - goheader - - gomoddirectives - - gomodguard - goprintffuncname - gosec - gosimple diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk index 70f576b..0e4d418 100644 --- a/make/_shared/go/01_mod.mk +++ b/make/_shared/go/01_mod.mk @@ -46,10 +46,11 @@ shared_generate_targets += generate-govulncheck # not want new vulnerabilities in existing code to block the merging of PRs. # Instead `make verify-govulnecheck` is intended to be run periodically by a CI job. verify-govulncheck: | $(NEEDS_GOVULNCHECK) - @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \ + @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \ | while read d; do \ - echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${d}'"; \ - pushd "$${d}" >/dev/null; \ + target=$$(dirname $${d}); \ + echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${target}'"; \ + pushd "$${target}" >/dev/null; \ GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \ popd >/dev/null; \ echo ""; \ 
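Review bot: In the `verify-govulncheck` hunk the new line `target=$$(dirname $${d})` expands `$${d}` unquoted, so a go.mod path containing whitespace or glob characters is word-split before `dirname` sees it. `pushd` may then fail or enter another directory, and the check would run against the wrong module without an obvious error. Quoting the expansion, `target=$$(dirname "$${d}")`, and reading with `while IFS= read -r d` keeps the path intact. The same line is added in the `verify-golangci-lint` and `fix-golangci-lint` hunks, and the loop body closes outside each hunk.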
@@ -73,10 +74,11 @@ shared_generate_targets += generate-golangci-lint-config ## Verify all Go modules using golangci-lint ## @category [shared] Generate/ Verify verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch - @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \ + @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \ | while read d; do \ - echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${d}'"; \ - pushd "$${d}" >/dev/null; \ + target=$$(dirname $${d}); \ + echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \ + pushd "$${target}" >/dev/null; \ $(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout 4m || exit; \ popd >/dev/null; \ echo ""; \ 
@@ -87,18 +89,19 @@ shared_verify_targets_dirty += verify-golangci-lint .PHONY: fix-golangci-lint ## Fix all Go modules using golangci-lint ## @category [shared] Generate/ Verify -fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch - gci write \ +fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/scratch + $(GCI) write \ -s "standard" \ -s "default" \ -s "prefix($(repo_name))" \ -s "blank" \ -s "dot" . - @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \ + @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \ | while read d; do \ - echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${d}'"; \ - pushd "$${d}" >/dev/null; \ + target=$$(dirname $${d}); \ + echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${target}'"; \ + pushd "$${target}" >/dev/null; \ $(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \ popd >/dev/null; \ echo ""; \ diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk index 7a7ed44..550ff5e 100644 --- a/make/_shared/tools/00_mod.mk +++ b/make/_shared/tools/00_mod.mk @@ -114,7 +114,7 @@ TOOLS += helm-tool=v0.4.2 # https://github.com/cert-manager/cmctl TOOLS += cmctl=2f75014a7c360c319f8c7c8afe8e9ce33fe26dca # https://pkg.go.dev/github.com/cert-manager/release/cmd/cmrel?tab=versions -TOOLS += cmrel=fa10147dadc8c36718b7b08aed6d8c6418eb2 +TOOLS += cmrel=84daedb44d61d25582e22eca48352012e899d1b2 # https://github.com/golangci/golangci-lint/releases TOOLS += golangci-lint=v1.57.1 # https://pkg.go.dev/golang.org/x/vuln?tab=versions 
@@ -124,7 +124,9 @@ TOOLS += operator-sdk=v1.34.1 # https://pkg.go.dev/github.com/cli/cli/v2?tab=versions TOOLS += gh=v2.47.0 # https:///github.com/redhat-openshift-ecosystem/openshift-preflight/releases -TOOLS += preflight=1.9.1 +TOOLS += preflight=1.9.2 +# https://github.com/daixiang0/gci/releases/ +TOOLS += gci=v0.13.4 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions K8S_CODEGEN_VERSION=v0.29.1 @@ -167,22 +169,11 @@ $(bin_dir)/scratch/%_VERSION: FORCE | $(bin_dir)/scratch # --retry-connrefused = retry even if the initial connection was refused CURL = curl --silent --show-error --fail --location --retry 10 --retry-connrefused -# In Prow, the pod has the folder "$(bin_dir)/downloaded" mounted into the -# container. For some reason, even though the permissions are correct, -# binaries that are mounted with hostPath can't be executed. When in CI, we -# copy the binaries to work around that. Using $(LN) is only required when -# dealing with binaries. Other files and folders can be symlinked. -# -# Details on how "$(bin_dir)/downloaded" gets cached are available in the -# description of the PR https://github.com/jetstack/testing/pull/651. -# -# We use "printenv CI" instead of just "ifeq ($(CI),)" because otherwise we -# would get "warning: undefined variable 'CI'". -ifeq ($(shell printenv CI),) -LN := ln -f -s -else -LN := cp -f -r -endif +# LN is expected to be an atomic action, meaning that two Make processes +# can run the "link $(DOWNLOAD_DIR)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH) +# to $(bin_dir)/tools/xxx" operation simulatiously without issues (both +# will perform the action and the second time the link will be overwritten). +LN := ln -fs UC = $(shell echo '$1' | tr a-z A-Z) LC = $(shell echo '$1' | tr A-Z a-z) 
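Review bot: The new comment above `LN := ln -fs` says the link step is atomic, but that holds only where `ln -f` replaces the destination by rename. Where it unlinks first there is a window in which `$(bin_dir)/tools/xxx` does not exist, and a second concurrent `ln` can fail. Since this file also targets `HOST_OS=darwin`, I would state it as a requirement rather than a property, e.g. `# NOTE: some ln implementations unlink before linking; concurrent runs may briefly see no link`. The comment also has a typo (`simulatiously`). The removed block explained why CI copied binaries instead of symlinking them, and the diff does not say what replaces that workaround.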
@@ -204,8 +195,8 @@ TOOL_NAMES := # in targets or in scripts, because it is agnostic to the # working directory # - an unversioned target $(bin_dir)/tools/xxx is generated that -# creates a copy/ link to the corresponding versioned target: -# $(bin_dir)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH) +# creates a link to the corresponding versioned target: +# $(DOWNLOAD_DIR)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH) define tool_defs TOOL_NAMES += $1 @@ -275,7 +266,6 @@ $(bin_dir)/tools/go: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/tools/g # The "_" in "_bin" prevents "go mod tidy" from trying to tidy the vendored goroot. $(bin_dir)/tools/goroot: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(GOVENDOR_DIR)/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot $(bin_dir)/tools - @rm -rf $(bin_dir)/tools/goroot @cd $(dir $@) && $(LN) $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@) @touch $@ # making sure the target of the symlink is newer than *_VERSION @@ -324,7 +314,7 @@ GO_DEPENDENCIES += golangci-lint=github.com/golangci/golangci-lint/cmd/golangci- GO_DEPENDENCIES += govulncheck=golang.org/x/vuln/cmd/govulncheck GO_DEPENDENCIES += operator-sdk=github.com/operator-framework/operator-sdk/cmd/operator-sdk GO_DEPENDENCIES += gh=github.com/cli/cli/v2/cmd/gh -GO_DEPENDENCIES += preflight=github.com/redhat-openshift-ecosystem/openshift-preflight/cmd/preflight +GO_DEPENDENCIES += gci=github.com/daixiang0/gci ################# # go build tags # 
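Review bot: In the `$(bin_dir)/tools/goroot` hunk, dropping `@rm -rf $(bin_dir)/tools/goroot` leaves `$(LN)` to replace an existing symlink that points at a directory. `ln -fs` without `-n` follows that symlink and creates the new link inside the old goroot instead of replacing it. After a `VENDORED_GO_VERSION` change the `goroot` link would, as far as the visible lines show, still point at the previous toolchain while `@touch $@` marks the target up to date. Either keep the `rm -rf` line or do not dereference the destination in this rule: `@cd $(dir $@) && ln -fsn $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@)`.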
@@ -560,6 +550,29 @@ $(DOWNLOAD_DIR)/tools/rclone@$(RCLONE_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWN chmod +x $(outfile); \ rm -f $(outfile).zip +PREFLIGHT_linux_amd64_SHA256SUM=20f31e4af2004e8e3407844afea4e973975069169d69794e0633f0cb91d45afd +PREFLIGHT_linux_arm64_SHA256SUM=c42cf4132027d937da88da07760e8fd9b1a8836f9c7795a1b60513d99c6939fe + +# Currently there are no offical releases for darwin, you cannot submit results +# on non-official binaries, but we can still run tests. +# +# Once https://github.com/redhat-openshift-ecosystem/openshift-preflight/pull/942 is merged +# we can remove this darwin specific hack +.PRECIOUS: $(DOWNLOAD_DIR)/tools/preflight@$(PREFLIGHT_VERSION)_darwin_$(HOST_ARCH) +$(DOWNLOAD_DIR)/tools/preflight@$(PREFLIGHT_VERSION)_darwin_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools + @source $(lock_script) $@; \ + mkdir -p $(outfile).dir; \ + GOWORK=off GOBIN=$(outfile).dir $(GO) install github.com/redhat-openshift-ecosystem/openshift-preflight/cmd/preflight@$(PREFLIGHT_VERSION); \ + mv $(outfile).dir/preflight $(outfile); \ + rm -rf $(outfile).dir + +.PRECIOUS: $(DOWNLOAD_DIR)/tools/preflight@$(PREFLIGHT_VERSION)_linux_$(HOST_ARCH) +$(DOWNLOAD_DIR)/tools/preflight@$(PREFLIGHT_VERSION)_linux_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools + @source $(lock_script) $@; \ + $(CURL) https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/$(PREFLIGHT_VERSION)/preflight-linux-$(HOST_ARCH) -o $(outfile); \ + $(checkhash_script) $(outfile) $(PREFLIGHT_linux_$(HOST_ARCH)_SHA256SUM); \ + chmod +x $(outfile) + ################# # Other Targets # ################# @@ -604,7 +617,7 @@ tools-learn-sha: | $(bin_dir) HOST_OS=linux HOST_ARCH=arm64 $(MAKE) tools HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) tools HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) tools - + HOST_OS=linux HOST_ARCH=amd64 $(MAKE) vendor-go HOST_OS=linux HOST_ARCH=arm64 $(MAKE) vendor-go HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) vendor-go 
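Review bot: In the new linux preflight rule the steps are joined with `;`, so a failed `$(checkhash_script)` stops the recipe before `chmod +x $(outfile)` only if the sourced `$(lock_script)` enables errexit, which this hunk does not show. Chaining the two explicitly, `$(checkhash_script) $(outfile) $(PREFLIGHT_linux_$(HOST_ARCH)_SHA256SUM) && chmod +x $(outfile)`, makes the verification gate visible in the rule itself. This matters more because the target is `.PRECIOUS`, so make will not delete it if the recipe is interrupted. The darwin rule builds with `go install ...@$(PREFLIGHT_VERSION)` and has no pinned checksum in this file, which deserves a one-line comment next to the two `SHA256SUM` variables so the difference in assurance is not missed.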
diff --git a/make/_shared/tools/util/lock.sh b/make/_shared/tools/util/lock.sh index d3c437e..22564f7 100755 --- a/make/_shared/tools/util/lock.sh +++ b/make/_shared/tools/util/lock.sh @@ -28,8 +28,6 @@ set -o pipefail finalfile="$1" lockfile="$finalfile.lock" -# Timeout in seconds. -timeout=60 # On OSX, flock is not installed, we just skip locking in that case, # this means that running verify in parallel without downloading all @@ -42,8 +40,8 @@ if [[ "$flock_installed" == "yes" ]]; then exec {FD}<>"$lockfile" # wait for the file to be unlocked - if ! flock -x -w $timeout $FD; then - echo "Failed to obtain a lock for $lockfile within $timeout seconds" + if ! flock -x $FD; then + echo "Failed to obtain a lock for $lockfile" exit 1 fi fi
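Review bot: With `-w $timeout` removed, `flock -x $FD` waits without limit, so a lock holder that hangs (for example a stalled download) blocks every other make process waiting on that tool until the outer job is killed. The `Failed to obtain a lock` branch is then reached only when flock itself errors. If 60 seconds was too short for large downloads, a longer, overridable limit keeps the failure visible: `if ! flock -x -w "${LOCK_TIMEOUT:-600}" "$FD"; then`. `LOCK_TIMEOUT` is a constructed name for illustration. The `if` sits inside the `flock_installed` check, which begins outside the hunk.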