diff --git a/.forgejo/workflows/release-image.yml b/.forgejo/workflows/release-image.yml
index 7b29b7ca..834b5602 100644
--- a/.forgejo/workflows/release-image.yml
+++ b/.forgejo/workflows/release-image.yml
@@ -11,7 +11,6 @@ on:
       - ".gitignore"
       - "renovate.json"
       - "pkg/**"
-      - "docker/**"
       - "docs/**"
   push:
     branches:
@@ -23,7 +22,6 @@ on:
       - ".gitignore"
       - "renovate.json"
       - "pkg/**"
-      - "docker/**"
       - "docs/**"
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -199,7 +197,7 @@ jobs:
           context: .
           file: "docker/Dockerfile"
           build-args: |
-            GIT_COMMIT_HASH=${{ github.sha }})
+            GIT_COMMIT_HASH=${{ github.sha }}
             GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
             GIT_REMOTE_URL=${{github.event.repository.html_url }}
             GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 55150902..3e1b832b 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -199,14 +199,23 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
 EOF
 
 # Extract dynamically linked dependencies
-RUN <<EOF
+RUN <<'DEPS_EOF'
     set -o xtrace
-    mkdir /out/libs
-    mkdir /out/libs-root
+    mkdir /out/libs /out/libs-root
+
+    # Process each binary
     for BINARY in /out/sbin/*; do
-        lddtree "$BINARY" | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | awk '{print "install", "-D", $1, (($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2)}' | xargs -I {} sh -c {}
+        if lddtree_output=$(lddtree "$BINARY" 2>/dev/null) && [ -n "$lddtree_output" ]; then
+            echo "$lddtree_output" | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | \
+                awk '{dest = ($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2; print "install -D " $1 " " dest}' | \
+                while read cmd; do eval "$cmd"; done
+        fi
     done
-EOF
+
+    # Show what will be copied to runtime
+    echo "=== Libraries being copied to runtime image:"
+    find /out/libs* -type f 2>/dev/null | sort || echo "No libraries found"
+DEPS_EOF
 
 FROM scratch
 
@@ -215,16 +224,16 @@ WORKDIR /
 # Copy root certs for tls into image
 # You can also mount the certs from the host
 # --volume /etc/ssl/certs:/etc/ssl/certs:ro
-COPY --from=base /etc/ssl/certs /etc/ssl/certs
-
-# Copy our build
-COPY --from=builder /out/sbin/ /sbin/
-# Copy SBOM
-COPY --from=builder /out/sbom/ /sbom/
+COPY --chmod=755 --from=base /etc/ssl/certs /etc/ssl/certs
 
 # Copy dynamic libraries to root
-COPY --from=builder /out/libs-root/ /
-COPY --from=builder /out/libs/ /usr/lib/
+COPY --chmod=755 --from=builder /out/libs-root/ /
+COPY --chmod=755 --from=builder /out/libs/ /usr/lib/
+
+# Copy our build
+COPY --chmod=755 --from=builder /out/sbin/ /sbin/
+# Copy SBOM
+COPY --chmod=755 --from=builder /out/sbom/ /sbom/
 
 # Inform linker where to find libraries
 ENV LD_LIBRARY_PATH=/usr/lib