diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 1cc14658ca..72f5e33dde 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -24,6 +24,7 @@ HEREDOC
 
 COPY hydra /usr/bin/hydra
 
+USER ory
+
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]
-USER ory
diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm
deleted file mode 100644
index 8c51e3fcda..0000000000
--- a/.docker/Dockerfile-hsm
+++ /dev/null
@@ -1,88 +0,0 @@
-FROM golang:1.22 AS builder
-
-WORKDIR /go/src/github.com/ory/hydra
-
-RUN apt-get update && apt-get upgrade -y &&\
-    mkdir -p /var/lib/sqlite &&\
-    mkdir -p ./internal/httpclient
-
-COPY go.mod go.sum ./
-COPY internal/httpclient/go.* ./internal/httpclient
-
-ENV GO111MODULE on
-ENV CGO_ENABLED 1
-
-RUN go mod download
-COPY . .
-
-###############################
-
-FROM builder AS build-hydra
-RUN go build -tags sqlite,hsm -o /usr/bin/hydra
-
-###############################
-
-FROM builder AS test-hsm
-ENV HSM_ENABLED=true
-ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
-ENV HSM_TOKEN_LABEL=hydra
-ENV HSM_PIN=1234
-
-RUN apt-get -y install softhsm opensc
-RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
-
-
-FROM builder AS test-refresh-hsm
-ENV HSM_ENABLED=true
-ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
-ENV HSM_TOKEN_LABEL=hydra
-ENV HSM_PIN=1234
-ENV UPDATE_SNAPSHOTS=true
-
-RUN apt-get -y install softhsm opensc
-RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-RUN go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...
-
-###############################
-
-FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner
-
-ENV HSM_ENABLED=true
-ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
-ENV HSM_TOKEN_LABEL=hydra
-ENV HSM_PIN=1234
-
-# NOTE: This is broken already. Even though this image provides a shell, you'd need to configure it with
-# `SHELL ["/busybox/sh", "-c"]`, however `apt-get` does not exist either in a distroless image.
-# This was original an Alpine image, the refactoring was not verified properly in this commit:
-# https://github.com/ory/hydra/commit/c1e1a569621d88365dceee7372ca49ecd119f939#diff-ae54bef08e3587b28ad8e93eb253a9a5cd9ea6f4251977e35b88dc6b42329e25L31
-RUN apt-get -y install softhsm opensc &&\
-    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-
-RUN <<HEREDOC
-    # Add a user/group for Ory with a stable UID + GID:
-    addgroup --system --gid 500 ory
-    adduser --system --uid 500 \
-        --gecos "Ory User" \
-        --home /home/ory \
-        --ingroup ory \
-        --shell /sbin/nologin \
-        ory
-
-    # Create the sqlite directory with ownership to that user and group:
-    # NOTE: This is required for read/write by SQLite.
-    install --owner ory --group ory --directory /var/lib/sqlite
-
-    # NOTE: Presumably this was already created by the prior RUN directive
-    chown -R ory:ory /var/lib/softhsm/tokens
-HEREDOC
-
-COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
-
-# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
-EXPOSE 4444 4445
-
-ENTRYPOINT ["hydra"]
-CMD ["serve"]
-USER ory
diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch
deleted file mode 100644
index 2ada6f06eb..0000000000
--- a/.docker/Dockerfile-scratch
+++ /dev/null
@@ -1,41 +0,0 @@
-# TODO: Remove this file in favor of distroless-static variant:
-# https://github.com/ory/hydra/blob/master/.docker/Dockerfile-distroless-static
-# However if published to any registry, continue to publish the variant tag but as an alias to `-distroless` tags:
-# https://github.com/ory/hydra/pull/3914#pullrequestreview-2527315326
-
-FROM alpine:3.20 AS base-files
-
-RUN <<HEREDOC
-    apk upgrade --no-cache
-    apk add --no-cache --upgrade ca-certificates
-
-    # Add a user/group for Ory with a stable UID + GID:
-    # NOTE: This only appears relevant for supporting hydra as non-root, otherwise unnecessary.
-    addgroup --system --gid 500 ory
-    adduser --system --uid 500 \
-      --gecos "Ory User" \
-      --home /home/ory \
-      --ingroup ory \
-      --shell /sbin/nologin \
-      ory
-
-    # Create the sqlite directory with ownership to that user and group:
-    # NOTE: This is required for read/write by SQLite.
-    # - Path may be a default value somewhere, or only explicitly provided via DSN?
-    # - Owner/Group is only relevant to permissions allowing the hydra process to read/write to the location.
-    install --owner ory --group ory --directory /var/lib/sqlite
-HEREDOC
-
-FROM scratch
-COPY --from=base-files /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=base-files /etc/nsswitch.conf /etc/nsswitch.conf
-# NOTE: /etc/group and /etc/shadow were not copied over, only user lookup is valid for `USER`:
-COPY --from=base-files /etc/passwd /etc/passwd
-# NOTE: This COPY defaults to 0:0 for ownership, voiding the requirement conveyed above
-COPY --from=base-files /var/lib/sqlite /var/lib/sqlite
-
-COPY hydra /usr/bin/hydra
-
-ENTRYPOINT ["hydra"]
-CMD ["serve", "all"]
-USER ory
diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite
deleted file mode 100644
index d537b202a9..0000000000
--- a/.docker/Dockerfile-sqlite
+++ /dev/null
@@ -1,36 +0,0 @@
-# TODO: Remove this file in favor of the main/default Alpine image. The sqlite package is no longer required:
-# https://github.com/ory/hydra/blob/master/.docker/Dockerfile-alpine
-# However if published to any registry, continue to publish the variant tag but as an alias to standard Alpine image tags:
-# https://github.com/ory/hydra/pull/3914#pullrequestreview-2527315326
-
-FROM alpine:3.20
-RUN <<HEREDOC
-    # NOTE: The sqlite package is not required when the later copied hydra binary is built with statically linked sqlite?
-    apk upgrade --no-cache
-    apk add --no-cache --upgrade --latest ca-certificates sqlite
-
-    # Add a user/group for Ory with a stable UID + GID:
-    # NOTE: This only appears relevant for supporting hydra as non-root, otherwise unnecessary.
-    addgroup --system --gid 500 ory
-    adduser --system --uid 500 \
-      --gecos "Ory User" \
-      --home /home/ory \
-      --ingroup ory \
-      --shell /sbin/nologin \
-      ory
-
-    # Create the sqlite directory with ownership to that user and group:
-    # NOTE: This is required for read/write by SQLite.
-    # - Path may be a default value somewhere, or only explicitly provided via DSN?
-    # - Owner/Group is only relevant to permissions allowing the hydra process to read/write to the location.
-    install --owner ory --group ory --directory /var/lib/sqlite
-HEREDOC
-
-COPY hydra /usr/bin/hydra
-
-# Declare the standard ports used by Hydra (4444 for public service endpoint, 4445 for admin service endpoint)
-EXPOSE 4444 4445
-
-ENTRYPOINT ["hydra"]
-CMD ["serve"]
-USER ory
diff --git a/.docker/Dockerfile-test-hsm b/.docker/Dockerfile-test-hsm
new file mode 100644
index 0000000000..cf0f60164d
--- /dev/null
+++ b/.docker/Dockerfile-test-hsm
@@ -0,0 +1,36 @@
+# This file is only used for testing the HSM feature of Hydra. It is not used in production nor is it being
+# distributed.
+FROM golang:1.22-alpine3.21 AS builder
+
+RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+
+WORKDIR /go/src/github.com/ory/hydra
+RUN mkdir -p ./internal/httpclient
+
+COPY go.mod go.sum ./
+COPY internal/httpclient/go.* ./internal/httpclient
+
+ENV CGO_ENABLED 1
+
+RUN go mod download
+
+COPY . .
+
+FROM builder as build-hydra
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+ENV UPDATE_SNAPSHOTS=true
+
+RUN apt-get -y install softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+
+FROM builder as test-hsm
+
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
+
+FROM builder AS test-refresh-hsm
+
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...
diff --git a/Makefile b/Makefile
index 49c66ec5a7..4fe5c1ce15 100644
--- a/Makefile
+++ b/Makefile
@@ -71,7 +71,7 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG} .
 
 .PHONY: e2e
 e2e: node_modules test-resetdb
@@ -88,12 +88,12 @@ quicktest:
 
 .PHONY: quicktest-hsm
 quicktest-hsm:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
 
 .PHONY: test-refresh
 test-refresh:
 	UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,sqlite_omit_load_extension ./...
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
 
 authors:  # updates the AUTHORS file
 	curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash
diff --git a/README.md b/README.md
index 5e41be64e2..15a7579590 100644
--- a/README.md
+++ b/README.md
@@ -609,7 +609,7 @@ that your company deserves a spot here, reach out to
                 </picture>
             </td>
             <td><a href="https://pinniped.dev/">pinniped.dev</a></td>
-        </tr>         
+        </tr>
         <tr>
             <td>Adopter *</td>
             <td>Pvotal</td>
@@ -835,7 +835,9 @@ make quicktest
 
 # regular tests
 make test
-test-resetdb
+
+# updates all snapshots
+make test-refresh
 
 # end-to-end tests
 make e2e
@@ -977,10 +979,12 @@ If you wish to check your code changes against any of the docker-compose
 quickstart files, run:
 
 ```shell script
-make docker
-docker compose -f quickstart.yml up # ....
+docker compose -f quickstart.yml up --build # ....
 ```
 
+Warning, this will override your local image tag with the latest build and can
+lead to unexpected or confusing behavior.
+
 #### Add a new migration
 
 1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/`
diff --git a/quickstart.yml b/quickstart.yml
index c521a273f9..4c229232d8 100644
--- a/quickstart.yml
+++ b/quickstart.yml
@@ -12,6 +12,9 @@
 services:
   hydra:
     image: oryd/hydra:v2.2.0
+    build:
+      context: .
+      dockerfile: .docker/Dockerfile-build
     ports:
       - "4444:4444" # Public port
       - "4445:4445" # Admin port
@@ -25,18 +28,25 @@ services:
       - type: bind
         source: ./contrib/quickstart/5-min
         target: /etc/config/hydra
+    pull_policy: missing
     environment:
       - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
     restart: unless-stopped
+    user: 500:500
     depends_on:
       - hydra-migrate
     networks:
       - intranet
   hydra-migrate:
     image: oryd/hydra:v2.2.0
+    build:
+      context: .
+      dockerfile: .docker/Dockerfile-build
     environment:
       - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
     command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+    user: 500:500
+    pull_policy: missing
     volumes:
       - type: volume
         source: hydra-sqlite