diff --git a/.dockerignore b/.dockerignore
index 2de01c2c..5f44c094 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,38 @@
-# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
+# Version control
+.git
+.gitignore
+
+# Documentation
+*.md
+docs/
+
+# Tests
+*_test.go
+internal/testhelpers
+internal/tests
+
+# Development
+.env
+.env.*
+*.log
+skaffold.yaml
+skaffold.example.env
+
+# Build artifacts
 bin/
 helm/
 internal/demo
+
+# IDE
+.vscode
+.idea
+*.swp
+
+# CI/CD
+.github
+.goreleaser.yml
+.goreleaser.main.yml
+
+# Go
+go.work
+go.work.sum
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f3d67661..3cc8d1b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -35,7 +35,7 @@ jobs:
           check-latest: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
         uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
@@ -51,6 +51,7 @@ jobs:
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILDKIT_INLINE_CACHE: 1
 
   helm:
     needs: release
diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
index 411e6d8c..1ca48f4c 100644
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@@ -34,16 +34,25 @@ jobs:
     - name: Build worker-controller image
       run: |
         skaffold build --profile worker-controller --push=false
+      env:
+        DOCKER_BUILDKIT: 1
+        BUILDKIT_PROGRESS: plain
 
     - name: Build helloworld worker image
       run: |
         skaffold build --profile helloworld-worker --push=false
+      env:
+        DOCKER_BUILDKIT: 1
+        BUILDKIT_PROGRESS: plain
 
     # Verify that the demo worker patch applies successfully and builds.
     - name: Build helloworld worker image patch
       run: |
         git apply internal/demo/helloworld/changes/no-version-gate.patch
         skaffold build --profile helloworld-worker --push=false
+      env:
+        DOCKER_BUILDKIT: 1
+        BUILDKIT_PROGRESS: plain
 
   test-integration:
     name: Run Integration Tests
diff --git a/.goreleaser.main.yml b/.goreleaser.main.yml
index 471ca149..6e5b4260 100644
--- a/.goreleaser.main.yml
+++ b/.goreleaser.main.yml
@@ -42,6 +42,8 @@ dockers:
     use: buildx
     build_flag_templates:
       - --platform=linux/amd64
+      - --cache-from=type=gha,scope=amd64
+      - --cache-to=type=gha,mode=max,scope=amd64
       - --label=org.opencontainers.image.title={{ .ProjectName }}
       - --label=org.opencontainers.image.description=Temporal Worker Controller for Kubernetes
       - --label=org.opencontainers.image.url=https://github.com/temporalio/temporal-worker-controller
@@ -63,6 +65,8 @@ dockers:
     use: buildx
     build_flag_templates:
       - --platform=linux/arm64
+      - --cache-from=type=gha,scope=arm64
+      - --cache-to=type=gha,mode=max,scope=arm64
       - --label=org.opencontainers.image.title={{ .ProjectName }}
       - --label=org.opencontainers.image.description=Temporal Worker Controller for Kubernetes
       - --label=org.opencontainers.image.url=https://github.com/temporalio/temporal-worker-controller
diff --git a/Dockerfile b/Dockerfile
index 0bbe3f77..5a637340 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,12 @@
-# Build the manager binary
 FROM golang:1.25 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
 WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
+
+COPY go.mod go.sum ./
 RUN go mod download
 
-# Copy the go source
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/k8s internal/k8s
@@ -20,7 +15,6 @@ COPY internal/controller internal/controller
 COPY internal/planner internal/planner
 COPY internal/defaults internal/defaults
 
-# Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser
index 9ebdfc6f..6942aa86 100644
--- a/Dockerfile.goreleaser
+++ b/Dockerfile.goreleaser
@@ -1,5 +1,9 @@
 FROM gcr.io/distroless/static-debian12:nonroot
 
-COPY temporal-worker-controller /usr/local/bin/temporal-worker-controller
+WORKDIR /app
+
+COPY --chown=nonroot:nonroot temporal-worker-controller /usr/local/bin/temporal-worker-controller
+
+USER nonroot
 
 ENTRYPOINT ["temporal-worker-controller"]
\ No newline at end of file