From fc89e3773c62988f83af582de45f0d8882f25f82 Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Sat, 6 Jun 2026 20:06:45 +0100
Subject: [PATCH 1/3] chore(docker): add --no-install-recommends to dev postgres image
---
 docker/Dockerfile.postgres | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/Dockerfile.postgres b/docker/Dockerfile.postgres
index 520c586369d..c71f98cecb3 100644
--- a/docker/Dockerfile.postgres
+++ b/docker/Dockerfile.postgres
@@ -1,5 +1,5 @@
 FROM postgres:14
 RUN apt-get update \
- && apt-get install -y postgresql-14-partman \
+ && apt-get install -y --no-install-recommends postgresql-14-partman \
 && rm -rf /var/lib/apt/lists/*

From 0d5aa00ea685ae39d7fc0817be23dbe29d010a12 Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Sat, 6 Jun 2026 20:08:52 +0100
Subject: [PATCH 2/3] chore(docker): run dev clickhouse migrator as non-root
---
 internal-packages/clickhouse/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/internal-packages/clickhouse/Dockerfile b/internal-packages/clickhouse/Dockerfile
index ceb5092021b..73ac4a5ca0e 100644
--- a/internal-packages/clickhouse/Dockerfile
+++ b/internal-packages/clickhouse/Dockerfile
@@ -9,4 +9,7 @@ COPY ./schema ./schema
 ENV GOOSE_DRIVER=clickhouse
 ENV GOOSE_DBSTRING="tcp://default:password@clickhouse:9000"
 ENV GOOSE_MIGRATION_DIR=./schema
+
+# Run migrations as non-root (dev-only migration helper; goose needs no root).
+USER nobody
 CMD ["goose", "up"]

From e6f44f7022c4d7c3bea7f9255abd21d45c93e7d8 Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Sun, 7 Jun 2026 11:57:08 +0100
Subject: [PATCH 3/3] chore(docker): pin clickhouse migrator base image + goose version
---
 internal-packages/clickhouse/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
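Review bot: In docker/Dockerfile.postgres (patch 1/3) the changed `apt-get install` line still resolves `postgresql-14-partman` to whatever version the apt index serves at build time, and the `FROM postgres:14` context line is a floating tag, so two builds of this dev image can differ even though patch 3/3 pins the migrator image by digest. For parity, pin the base as `FROM postgres:14@sha256:DIGEST_PLACEHOLDER` and, if reproducibility matters here, the package as `postgresql-14-partman=VERSION_PLACEHOLDER`. With recommends turned off, it is also worth confirming that nothing the package only recommends is relied on by the dev setup.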
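Review bot: In internal-packages/clickhouse/Dockerfile (patch 2/3), `USER nobody` names the account instead of giving a numeric id, so a runtime cannot prove the process is non-root without reading the image's /etc/passwd; Kubernetes `runAsNonRoot`, for example, refuses to start an image whose user is non-numeric. Writing `USER 65534:65534` (the conventional uid/gid of nobody on Debian-based images; confirm against the base) keeps the same account and makes that check possible. Separately, the context line `ENV GOOSE_DBSTRING=...` stores a credential in the image config where `docker inspect` shows it, so a comment such as `# dev-only default credentials; never reuse outside local development` on that line would document the intent. The stage's FROM and install steps lie outside this hunk.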
diff --git a/internal-packages/clickhouse/Dockerfile b/internal-packages/clickhouse/Dockerfile
index 73ac4a5ca0e..c4182042cf9 100644
--- a/internal-packages/clickhouse/Dockerfile
+++ b/internal-packages/clickhouse/Dockerfile
@@ -1,7 +1,7 @@
-FROM golang
+FROM golang:1.26@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479
-RUN go install github.com/pressly/goose/v3/cmd/goose@latest
+RUN go install github.com/pressly/goose/v3/cmd/goose@v3.27.1
 COPY ./schema ./schema
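Review bot: The new `FROM golang:1.26@sha256:...` line gives no hint of how or when the digest is refreshed, and once a digest is present the `1.26` tag is only a label, so base-image security fixes stop arriving until someone edits this line. Add a comment above it, for example `# golang:1.26 pinned by digest; refresh via Renovate/Dependabot or docker buildx imagetools inspect golang:1.26`. Also confirm the digest is the multi-arch index and not a single-platform manifest, since otherwise a build on another CPU architecture would pull an image for the wrong platform. The final image still ships the whole Go toolchain just to run goose; a two-stage build that copies the goose binary into a slim runtime stage would reduce what the non-root process can reach, though the rest of the file is outside this hunk.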