diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
index 7539c1f..e99d770 100755
--- a/.clusterfuzzlite/build.sh
+++ b/.clusterfuzzlite/build.sh
@@ -7,6 +7,11 @@ apt-get install -y --no-install-recommends \
 cd "$SRC/kingfisher"
+# OSS-Fuzz's clang/libc++ toolchain builds vendored Vectorscan against Ubuntu
+# 20.04's Boost headers. Re-enable the removed unary_function/binary_function
+# compatibility shims so Boost 1.71 still compiles in C++17 mode.
+export CXXFLAGS="${CXXFLAGS:-} -D_LIBCPP_ENABLE_CXX17_REMOVED_UNARY_BINARY_FUNCTION"
+
 # Build all fuzz targets in release mode with debug assertions
 cargo fuzz build -O --debug-assertions
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index d736380..8995f6b 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -34,7 +34,7 @@ jobs:
 elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
 TAG="${INPUT_TAG}"
 else
- TAG=$(gh release view --json tagName --jq .tagName)
+ TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
 fi
 if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
 echo "Invalid tag format: ${TAG}" >&2
@@ -87,7 +87,7 @@ jobs:
 done
 - name: Install build tooling
- run: python -m pip install --upgrade --require-hashes -r .github/requirements/pypi-build.txt
+ run: python -m pip install --upgrade --only-binary :all: --require-hashes -r .github/requirements/pypi-build.txt
 - name: Build wheels
 shell: bash
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 3b84799..bad32f7 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -38,7 +38,6 @@ jobs:
 # populated only for workflow_dispatch
 MANUAL_TAG: ${{ github.event.inputs.tag }}
 RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 set -euo pipefail
 if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
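Review bot: The exported CXXFLAGS define applies to every C/C++ compilation that `cargo fuzz build` triggers, not only the vendored Vectorscan the comment names, so the comment should say that and note the blast radius is nil elsewhere (it is a libc++ configuration macro, ignored by other standard libraries). Suggest appending `# Applies to everything cargo compiles here; a no-op for non-libc++ toolchains. Drop once the base image's Boost no longer uses unary_function.` Newer libc++ releases have been retiring these opt-in macros, so if the OSS-Fuzz toolchain moves the shim may silently stop applying; a pointer in the comment to the compile error it fixes makes the next failure recognisable. `${CXXFLAGS:-}` is the correct form under `set -u`.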
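Review bot: The new `--repo` argument interpolates `${{ github.repository }}` into the `run:` script, while the rest of this step reads its inputs through environment variables (`${GITHUB_EVENT_NAME}`, `${INPUT_TAG}`); the runner already exports the same value as `GITHUB_REPOSITORY`, so `--repo "${GITHUB_REPOSITORY}"` keeps the script free of expression interpolation. This particular value is repository-controlled rather than user-controlled, so the risk is low, but not mixing `${{ }}` into shell text is the habit worth keeping consistent. The same applies to the `RAW_TAG=` line in release-docker.yml's `@@ -47` hunk. The enclosing step starts outside the hunk.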
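Review bot: `--only-binary :all:` changes the install's failure mode and deserves a comment: any pinned entry that is only available as an sdist now fails the step instead of being built from source, which is the intent (no setup.py runs at install time) but will surprise whoever next updates the pins. Suggest `# --only-binary :all: + --require-hashes: install only pinned wheels, never build an sdist` above the `run:` line. Whether pypi-build.txt currently carries sdist hashes for any entry cannot be told from the hunk; if it does, those entries need wheel hashes for every platform the job runs on.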
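Review bot: This hunk removes `GH_TOKEN` from the step's env while the `@@ -47` hunk of the same step replaces curl with `gh release view`, and the gh CLI refuses to run inside Actions unless `GH_TOKEN` or `GITHUB_TOKEN` is set. Unless the token is now supplied at the job or workflow level outside this diff, the workflow_dispatch-without-tag path will fail at the `gh` call rather than at the tag check. If it is provided higher up, a one-line comment here such as `# GH_TOKEN for gh is set in the job-level env` would save the next reader the same search. The step's `env:` block begins outside the hunk.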
@@ -47,9 +46,12 @@ jobs:
 RAW_TAG="${MANUAL_TAG}"
 else
 # manual w/o tag → ask GitHub API for latest release tag
- RAW_TAG=$(curl -sSL -H "Authorization: Bearer ${GH_TOKEN}" \
- "https://api.github.com/repos/${{ github.repository }}/releases/latest" \
- | jq -r .tag_name)
+ RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+ fi
+
+ if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
+ echo "Invalid tag format: ${RAW_TAG}" >&2
+ exit 1
 fi
 # Strip a leading "v" so v1.2.3 → 1.2.3
diff --git a/docker/Dockerfile b/docker/Dockerfile
index ee70fbc..d5fc02d 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -32,6 +32,10 @@ RUN set -eux; \
 # optional cleanup to keep the image small
 rm -rf /app/*
+RUN addgroup -S app && adduser -S -G app -h /app app && chown -R app:app /app
+
+USER app
+
 # quick smoke-test so the build fails early if something’s wrong
 RUN kingfisher --version
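Review bot: `USER app` switches to the account by name, which works for the image itself but leaves Kubernetes' `runAsNonRoot` check unable to verify the user without reading `/etc/passwd` from the image, so it rejects the pod with a non-numeric-user error. Giving the account a fixed UID and switching by number, `adduser -S -G app -h /app -u 10001 app` (10001 is a constructed example; any fixed UID works) and `USER 10001`, avoids that and keeps the UID stable across rebuilds. `chown -R app:app /app` also makes the home directory writable by the runtime user; that is fine if the binary lives elsewhere, but anything later placed under /app would be modifiable at run time — where kingfisher is installed cannot be told from the hunk. The smoke test `RUN kingfisher --version` now runs as the unprivileged user, which is a useful check that the binary is executable by it.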