diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..94c3d6b6
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+.git
+.github
+
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f14309b2..a507aebc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -25,6 +25,7 @@ jobs:
         with:
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
       
       - id: determine_tag
         name: determine tag
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6dad4957..aac28330 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -32,6 +32,8 @@ jobs:
           --health-retries 5
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install poetry
         run: pipx install poetry
@@ -57,6 +59,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Build production image
         uses: docker/build-push-action@v6
@@ -70,6 +74,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install poetry
         run: pipx install poetry
@@ -96,6 +102,8 @@ jobs:
 
     - name: Checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Install poetry
       run: pipx install poetry