diff --git a/Dockerfile b/Dockerfile
index 848d6f9..2242136 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,11 +34,14 @@ LABEL \
 #-----------------------------------------------------------------------------
 # Copy artefacts & make the wrapper executable
 #-----------------------------------------------------------------------------
-COPY build.sh /usr/local/bin/build.sh
+COPY --chmod=0755 build.sh /bin/build.sh
 COPY LICENSE /LICENSE
-RUN chmod +x /usr/local/bin/build.sh
+RUN chmod +x /bin/build.sh
+
+# Drop root privileges (UID 1000 exists in the base image)
+USER 1000
 #-----------------------------------------------------------------------------
 # Runtime entrypoint
 #-----------------------------------------------------------------------------
-ENTRYPOINT ["/usr/local/bin/build.sh"]
+ENTRYPOINT ["/bin/build.sh"]
diff --git a/build.sh b/build.sh
index aa80200..d6ffddb 100644
--- a/build.sh
+++ b/build.sh
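Review bot: `USER 1000` is set before an entrypoint whose script writes under /kaniko (`mkdir -p /kaniko/.docker` and the config.json heredoc in build.sh) and then execs /kaniko/executor, which as far as I know expects to run as root to snapshot the container filesystem; unless the base image makes /kaniko writable by UID 1000 and the executor is known to work unprivileged, the first authenticated build will fail at the mkdir or inside the executor. Please verify both a `--no-push` build and a push succeed under this UID before merging, and record the base image the comment relies on ("UID 1000 exists in the base image") next to the FROM line, which is outside this hunk. Separately, `RUN chmod +x /bin/build.sh` is redundant once `COPY --chmod=0755` sets the mode and only adds a layer; drop it, noting that `--chmod` requires the BuildKit builder, so the RUN line is not a fallback for classic builds because the COPY itself fails there.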
@@ -1,28 +1,17 @@
-#!/usr/bin/env bash
-set -euo pipefail
+#!/bin/sh
+# BusyBox/dash-friendly: no “pipefail”, no “[[ … ]]”, no “+=”
+
+set -eu # BusyBox ash does not support “pipefail”
 ###############################################################################
 # Mandatory variables – abort if not provided
 ###############################################################################
-if [[ -z "${KANIKO_CONTEXT:-}" ]]; then
- echo "Error: KANIKO_CONTEXT environment variable is required but not set." >&2
- exit 1
-fi
-
-if [[ -z "${GITHUB_REF_NAME:-}" ]]; then
- echo "Error: GITHUB_REF_NAME environment variable is required but not set." >&2
- exit 1
-fi
-
-if [[ -z "${GIT_USERNAME:-}" ]]; then
- echo "Error: GIT_USERNAME environment variable is required but not set." >&2
- exit 1
-fi
-
-if [[ -z "${GIT_PASSWORD:-}" ]]; then
- echo "Error: GIT_PASSWORD environment variable is required but not set." >&2
- exit 1
-fi
+for var in KANIKO_CONTEXT GITHUB_REF_NAME GIT_USERNAME GIT_PASSWORD; do
+ eval [ -z \"\${$var:-}\" ] && {
+ echo "Error: $var environment variable is required but not set." >&2
+ exit 1
+ }
+done
 ###############################################################################
 # Optional / defaulted variables
@@ -39,7 +28,7 @@ KANIKO_DOCKERFILE="${KANIKO_DOCKERFILE:-./Dockerfile}"
 # Handle registry authentication (only if credentials are present)
 ###############################################################################
 AUTH_ENABLED=false
-if [[ -n "${REGISTRY_USER}" && -n "${REGISTRY_PASS}" ]]; then
+if [ -n "${REGISTRY_USER}" ] && [ -n "${REGISTRY_PASS}" ]; then
 echo "Registry credentials supplied – configuring authentication for ${REGISTRY_HOST}"
 mkdir -p /kaniko/.docker
 cat > /kaniko/.docker/config.json <<EOF
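Review bot: The required-variable loop tests each name through `eval [ -z \"\${$var:-}\" ]`, which is correct for this fixed list of literal names but makes the quoting hard to audit, and any later change that takes a name from input would turn the test into code execution. An indirection that keeps the test itself plain reads better: `eval "value=\${$var:-}"` followed by `[ -n "$value" ] || { echo "Error: $var environment variable is required but not set." >&2; exit 1; }`. Printing only the variable name in the message, as the hunk does, is the right choice given GIT_PASSWORD is in the list.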
@@ -62,35 +51,29 @@ fi
 ###############################################################################
 DEST_FLAGS=""
-# Push is only possible if we have BOTH credentials and at least one destination
-if $AUTH_ENABLED && [[ -n "${KANIKO_DESTINATION// }" ]]; then
+if $AUTH_ENABLED && [ -n "${KANIKO_DESTINATION## }" ]; then
 echo "Building list of --destination flags"
- OLD_IFS="$IFS"; IFS=','
-
+ old_ifs="$IFS"; IFS=','
 for raw in $KANIKO_DESTINATION; do
- raw="$(echo "$raw" | xargs)" # trim whitespace
- expanded="$(eval echo "$raw")" # expand variables
- [[ -n "$expanded" ]] && DEST_FLAGS+=" --destination=${expanded}"
+ raw=$(echo "$raw" | xargs) # trim
+ expanded=$(eval echo "$raw") # env-var expansion if any
+ [ -n "$expanded" ] && DEST_FLAGS="$DEST_FLAGS --destination=$expanded"
 done
-
- IFS="$OLD_IFS"
+ IFS="$old_ifs"
 echo "Image(s) will be pushed to the registry."
 else
 DEST_FLAGS="--no-push"
- if ! $AUTH_ENABLED; then
- echo "Image(s) will NOT be pushed because registry credentials are missing."
- elif [[ -z "${KANIKO_DESTINATION// }" ]]; then
- echo "KANIKO_DESTINATION not provided – image(s) will be built with --no-push."
- fi
+ $AUTH_ENABLED || echo "Registry credentials are missing – image(s) will not be pushed."
+ [ -n "${KANIKO_DESTINATION## }" ] || echo "KANIKO_DESTINATION not provided – using --no-push."
 fi
-echo "Kaniko will be called with: ${DEST_FLAGS}"
+echo "Kaniko will be called with:${DEST_FLAGS}"
 ###############################################################################
 # Invoke Kaniko
 ###############################################################################
-/kaniko/executor \
+exec /kaniko/executor \
 --verbosity="${KANIKO_VERBOSITY}" \
 --context="${KANIKO_CONTEXT}#${GITHUB_REF_NAME}" \
 --dockerfile="${KANIKO_DOCKERFILE}" \
- ${DEST_FLAGS}
+ $DEST_FLAGS
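Review bot: `[ -n "${KANIKO_DESTINATION## }" ]` is not equivalent to the bash `${KANIKO_DESTINATION// }` it replaces: `##` with the pattern ` ` strips at most one leading space, so a value of two or more spaces (or `" ,"`) now passes the non-empty test, the loop then yields no flags because `xargs` trims each item to nothing, and the executor is exec'd with neither `--destination` nor `--no-push`; the same expression is repeated in the else branch. Compute the check once, e.g. `dest_compact=$(printf '%s' "$KANIKO_DESTINATION" | tr -d '[:space:]')` above the `if`, and test `[ -n "$dest_compact" ]` in both places. The rewrite also keeps `expanded=$(eval echo "$raw")`, so any shell syntax inside a destination string is executed by this script; if KANIKO_DESTINATION can be supplied through a workflow input rather than repository-controlled configuration, a restricted expansion (`envsubst` where available, or a `case` match accepting only `$NAME`/`${NAME}` forms) is safer, and either way a comment on that line should state that the value is trusted.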