diff --git a/custom-domain/dstack-ingress/Dockerfile b/custom-domain/dstack-ingress/Dockerfile
index ac31456..9e11a34 100644
--- a/custom-domain/dstack-ingress/Dockerfile
+++ b/custom-domain/dstack-ingress/Dockerfile
@@ -1,8 +1,7 @@
 FROM nginx@sha256:b6653fca400812e81569f9be762ae315db685bc30b12ddcdc8616c63a227d3ca
 
-COPY pinned-packages.txt /tmp/
-
-RUN set -e; \
+RUN --mount=type=bind,source=pinned-packages.txt,target=/tmp/pinned-packages.txt,ro \
+    set -e; \
     # Create a sources.list file pointing to a specific snapshot
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250411T024939Z bookworm main' > /etc/apt/sources.list && \
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250411T024939Z bookworm-security main' >> /etc/apt/sources.list && \
@@ -28,7 +27,7 @@ RUN set -e; \
         curl \
         jq \
         coreutils && \
-        rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache /tmp/pinned-packages.txt
+        rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
 
 RUN mkdir -p \
     /etc/letsencrypt \
@@ -37,11 +36,29 @@ RUN mkdir -p \
     /etc/nginx/conf.d \
     /var/log/nginx
 
-COPY ./scripts /scripts/
-RUN chmod +x /scripts/*.sh /scripts/*.py
+# Install scripts with deterministic permissions via bind mount
+RUN --mount=type=bind,source=scripts,target=/tmp/scripts,ro \
+    /bin/bash -o pipefail -c 'set -euo pipefail; \
+        rm -rf /scripts && mkdir -p /scripts && chmod 755 /scripts && \
+        cd /tmp/scripts && \
+        find . -type d -print0 | while IFS= read -r -d "" dir; do \
+            rel="${dir#./}"; \
+            [[ -z "$rel" ]] && continue; \
+            install -d -m 755 "/scripts/$rel"; \
+        done && \
+        find . -type f -print0 | while IFS= read -r -d "" file; do \
+            rel="${file#./}"; \
+            perm=644; \
+            case "$rel" in \
+                *.sh) perm=755 ;; \
+                *.py) case "$rel" in */*) perm=644 ;; *) perm=755 ;; esac ;; \
+            esac; \
+            install -m "$perm" "$file" "/scripts/$rel"; \
+        done'
+
 ENV PATH="/scripts:$PATH"
 ENV PYTHONPATH="/scripts"
-COPY .GIT_REV /etc/
+COPY --chmod=666 .GIT_REV /etc/
 
 ENTRYPOINT ["/scripts/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/custom-domain/dstack-ingress/build-image.sh b/custom-domain/dstack-ingress/build-image.sh
index 36bcd0f..7ccad4d 100755
--- a/custom-domain/dstack-ingress/build-image.sh
+++ b/custom-domain/dstack-ingress/build-image.sh
@@ -22,6 +22,19 @@ while [[ $# -gt 0 ]]; do
             ;;
     esac
 done
+
+require_command() {
+    local cmd="$1"
+    if ! command -v "$cmd" >/dev/null 2>&1; then
+        echo "Error: required command '$cmd' not found in PATH" >&2
+        exit 1
+    fi
+}
+
+for required in docker skopeo jq git; do
+    require_command "$required"
+done
+
 # Check if buildkit_20 already exists before creating it
 if ! docker buildx inspect buildkit_20 &>/dev/null; then
     docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20