diff --git a/docker/Dockerfile.postgres b/docker/Dockerfile.postgres
index 520c586369..c71f98cecb 100644
--- a/docker/Dockerfile.postgres
+++ b/docker/Dockerfile.postgres
@@ -1,5 +1,5 @@
 FROM postgres:14
 
 RUN apt-get update \
-    && apt-get install -y postgresql-14-partman \
+    && apt-get install -y --no-install-recommends postgresql-14-partman \
     && rm -rf /var/lib/apt/lists/*
diff --git a/internal-packages/clickhouse/Dockerfile b/internal-packages/clickhouse/Dockerfile
index ceb5092021..c4182042cf 100644
--- a/internal-packages/clickhouse/Dockerfile
+++ b/internal-packages/clickhouse/Dockerfile
@@ -1,7 +1,7 @@
-FROM golang
+FROM golang:1.26@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479
 
 
-RUN go install github.com/pressly/goose/v3/cmd/goose@latest
+RUN go install github.com/pressly/goose/v3/cmd/goose@v3.27.1
 
 
 COPY ./schema ./schema
@@ -9,4 +9,7 @@ COPY ./schema ./schema
 ENV GOOSE_DRIVER=clickhouse
 ENV GOOSE_DBSTRING="tcp://default:password@clickhouse:9000"
 ENV GOOSE_MIGRATION_DIR=./schema
+
+# Run migrations as non-root (dev-only migration helper; goose needs no root).
+USER nobody
 CMD ["goose", "up"]