diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml
index 25e717ba38..6fce4a437d 100644
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@@ -16,19 +16,19 @@ jobs:
 uses: actions/checkout@v3
 - name: Build images
 run: make images scratch-images
- - name: Log in to GCR
- uses: docker/login-action@v2
- with:
- registry: gcr.io
- username: _json_key
- password: ${{ secrets.GCR_JSON_KEY }}
- - name: Push images
- run: ./.github/workflows/scripts/push-images.sh nightly
- - name: Log in to GHCR
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Push images
- run: ./.github/workflows/scripts/push-scratch-images.sh nightly
+# - name: Log in to GCR
+# uses: docker/login-action@v2
+# with:
+# registry: gcr.io
+# username: _json_key
+# password: ${{ secrets.GCR_JSON_KEY }}
+# - name: Push images
+# run: ./.github/workflows/scripts/push-images.sh nightly
+# - name: Log in to GHCR
+# uses: docker/login-action@v2
+# with:
+# registry: ghcr.io
+# username: ${{ github.actor }}
+# password: ${{ secrets.GITHUB_TOKEN }}
+# - name: Push images
+# run: ./.github/workflows/scripts/push-scratch-images.sh nightly
diff --git a/Dockerfile b/Dockerfile
index ba6564eaf7..50f8f2f834 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,10 +13,16 @@ FROM alpine AS spire-base
 RUN apk --no-cache add dumb-init
 RUN apk --no-cache add ca-certificates
 RUN mkdir -p /opt/spire/bin
+ARG user=spire
+ARG id=2001
+RUN apk add libcap shadow
+RUN groupadd -g ${id} ${user}
+RUN useradd -g ${id} -l -M -u ${id} ${user}
 
 # SPIRE Server
 FROM spire-base AS spire-server
 COPY --from=builder /spire/bin/spire-server /opt/spire/bin/spire-server
+RUN /usr/sbin/setcap cap_dac_override=eip /opt/spire/bin/spire-server
 WORKDIR /opt/spire
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-server", "run"]
 CMD []
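Review bot: The sixteen `+#` lines disable both registry logins and both push steps without saying why nightly publishing is off or what brings it back, so the job now builds images and silently discards them; add a line above the block such as `# Nightly push disabled — see <tracking-issue placeholder>; images are still built to catch build breaks`. Commenting the steps out at column 0 also removes them from YAML validation, so any drift in the `docker/login-action` inputs would only surface when they are restored; `if: ${{ false }}` on each of the four steps keeps them parsed while inert. If the job's `permissions:` block (outside this hunk) grants `packages: write` for the GHCR push, it can be narrowed to what the build step needs while nothing is pushed.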
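Review bot: `setcap cap_dac_override=eip` on spire-server (and likewise in the spire-agent, k8s-workload-registrar and oidc-discovery-provider hunks) lets the process bypass every file read/write/execute permission check, which is close to root over the filesystem, yet no `USER` instruction appears in any of the four stages shown in this diff, so unless the runtime sets the user the binaries still run as root and the file capability adds nothing; add `USER spire` before `WORKDIR` in each stage (the `ARG` values are scoped to the spire-base stage, so `${user}` expands empty in the later stages unless redeclared there), and put a comment on the first setcap line naming the file access that requires it. As I read capabilities(7), a file capability with the effective bit set makes exec fail with EPERM when CAP_DAC_OVERRIDE is absent from the container's bounding set (for example under `--cap-drop ALL`), so that deployment constraint belongs in the same comment. `RUN apk add libcap shadow` also drops the `--no-cache` used on the two lines above it, leaving the package index in the layer, and `shadow` is only needed for the two account commands; busybox's `addgroup -g ${id} ${user}` and `adduser -u ${id} -G ${user} -D -H ${user}` after `RUN apk --no-cache add libcap` avoid both the cache and the extra package in every final image.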
@@ -24,6 +30,7 @@ CMD []
 # SPIRE Agent
 FROM spire-base AS spire-agent
 COPY --from=builder /spire/bin/spire-agent /opt/spire/bin/spire-agent
+RUN /usr/sbin/setcap cap_dac_override=eip /opt/spire/bin/spire-agent
 WORKDIR /opt/spire
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "run"]
 CMD []
@@ -31,6 +38,7 @@ CMD []
 # K8S Workload Registrar
 FROM spire-base AS k8s-workload-registrar
 COPY --from=builder /spire/bin/k8s-workload-registrar /opt/spire/bin/k8s-workload-registrar
+RUN /usr/sbin/setcap cap_dac_override=eip /opt/spire/bin/k8s-workload-registrar
 WORKDIR /opt/spire
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/k8s-workload-registrar"]
 CMD []
@@ -38,6 +46,7 @@ CMD []
 # OIDC Discovery Provider
 FROM spire-base AS oidc-discovery-provider
 COPY --from=builder /spire/bin/oidc-discovery-provider /opt/spire/bin/oidc-discovery-provider
+RUN /usr/sbin/setcap cap_dac_override=eip /opt/spire/bin/oidc-discovery-provider
 WORKDIR /opt/spire
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/oidc-discovery-provider"]
 CMD []
diff --git a/go.mod b/go.mod
index bc0e2969fb..ec8f1e712a 100644
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,7 @@ require (
 github.com/googleapis/gax-go/v2 v2.4.0
 github.com/gorilla/handlers v1.5.1
 github.com/hashicorp/go-hclog v1.2.2
- github.com/hashicorp/go-plugin v1.4.4
+ github.com/hashicorp/go-plugin v1.4.5
 github.com/hashicorp/golang-lru v0.5.4
 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94
 github.com/hashicorp/vault/api v1.7.2
diff --git a/go.sum b/go.sum
index 88ff857770..983467da44 100644
--- a/go.sum
+++ b/go.sum
@@ -792,8 +792,8 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ=
-github.com/hashicorp/go-plugin v1.4.4 h1:NVdrSdFRt3SkZtNckJ6tog7gbpRrcbOjQi/rgF7JYWQ=
-github.com/hashicorp/go-plugin v1.4.4/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
+github.com/hashicorp/go-plugin v1.4.5 h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo=
+github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM=
 github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=