diff --git a/.github/workflows/build-and-push-templates.yaml b/.github/workflows/build-and-push-templates.yaml
index 7e45a90b..20ed2805 100644
--- a/.github/workflows/build-and-push-templates.yaml
+++ b/.github/workflows/build-and-push-templates.yaml
@@ -30,7 +30,7 @@ env:
   PYTHON_VERSION: 3.13.7
   TASK_VERSION: 3.45.5
   TASK_X_REMOTE_TASKFILES: 1
-  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_VERSION: "v4.7.0"
 
 jobs:
   discover-templates:
diff --git a/.github/workflows/test-template-builds.yaml b/.github/workflows/test-template-builds.yaml
index 8e2c4c6c..e70c0453 100644
--- a/.github/workflows/test-template-builds.yaml
+++ b/.github/workflows/test-template-builds.yaml
@@ -24,7 +24,7 @@ concurrency:
 env:
   DEBIAN_FRONTEND: noninteractive
   PYTHON_VERSION: "3.13.7"
-  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_VERSION: "v4.7.0"
 
 jobs:
   detect-changes:
diff --git a/.github/workflows/validate-templates.yaml b/.github/workflows/validate-templates.yaml
index 2ab8dd2b..220d87a0 100644
--- a/.github/workflows/validate-templates.yaml
+++ b/.github/workflows/validate-templates.yaml
@@ -21,7 +21,7 @@ on:
   workflow_dispatch:
 
 env:
-  WARPGATE_VERSION: "v4.6.0"
+  WARPGATE_VERSION: "v4.7.0"
   PYTHON_VERSION: "3.13.7"
   TASK_VERSION: "3.45.5"
   TASK_X_REMOTE_TASKFILES: 1
diff --git a/warpgate-templates/templates/ares-golden-image/warpgate.yaml b/warpgate-templates/templates/ares-golden-image/warpgate.yaml
index 65b43f0f..d56af8af 100644
--- a/warpgate-templates/templates/ares-golden-image/warpgate.yaml
+++ b/warpgate-templates/templates/ares-golden-image/warpgate.yaml
@@ -33,13 +33,12 @@ base:
     most_recent: true
 
 sources:
+  # Use the in-repo ansible/ tree directly so builds match the working copy
+  # (no GITHUB_TOKEN, no branch ref drift). Path is relative to this template's
+  # directory; requires warpgate >= v4.7.0 (local source type).
   - name: ares
-    git:
-      repository: https://github.com/dreadnode/ares.git
-      ref: feat/more-attack-cov
-      depth: 1
-      auth:
-        token: ${GITHUB_TOKEN}
+    local:
+      path: ../../../ansible
 
 provisioners:
   # Install pipx and Ansible
@@ -52,7 +51,7 @@ provisioners:
       - pipx install --force ansible-core
       - pipx ensurepath
 
-  # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands).
+  # Copy ansible collection from the local source (the in-repo ansible/ tree).
   # The destination keeps the `nimbus_range` name because the ansible collection is published as
   # `dreadnode.nimbus_range`; subsequent steps install it under that namespace.
   - type: file
@@ -62,7 +61,7 @@ provisioners:
   - type: shell
     inline:
       - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range
-      - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/
+      - cp -r /tmp/nimbus_range/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/
       - rm -rf /tmp/nimbus_range
 
   # Install NVIDIA drivers for GPU-accelerated hashcat on g4dn (T4 GPU)