diff --git a/Dockerfile b/Dockerfile
index 0af39c86..2d319f9a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,7 @@ RUN adduser -u 1001 knorten -D && \
 mkdir -p /home/knorten/.config/helm/registry && \
 chown -R knorten:knorten /home/knorten
-FROM gcr.io/distroless/static-debian11
+FROM golang:1.23-alpine
 COPY --chown=knorten:knorten --from=builder /etc/passwd /etc/passwd
 COPY --chown=knorten:knorten --from=builder /home/knorten /home/knorten
diff --git a/pkg/helm/helm.go b/pkg/helm/helm.go
index 91f83c48..20ec46bb 100644
--- a/pkg/helm/helm.go
+++ b/pkg/helm/helm.go
@@ -25,7 +25,8 @@ import (
 const (
 // DefaultHelmDriver is set to secrets, which is the default
 // for Helm 3: https://helm.sh/docs/topics/advanced/#storage-backends
- DefaultHelmDriver = "secrets"
+ DefaultHelmDriver = "secrets"
+ Oauth2BasicAuthUser = "oauth2accesstoken"
 )
 type ErrRollback struct {
@@ -313,13 +314,16 @@ func (h *Helm) Fetch(ctx context.Context, repo, chartName, version string) (*cha
 return nil, fmt.Errorf("creating registry client: %w", err)
 }
- user := "oauth2accesstoken"
- password, err := getToken(ctx)
+ token, err := getGoogleAccessToken(ctx)
 if err != nil {
 return nil, fmt.Errorf("getting token: %w", err)
 }
- err = registryClient.Login("https://europe-north1-docker.pkg.dev", registry.LoginOptBasicAuth(user, password), registry.LoginOptInsecure(false))
+ err = registryClient.Login(
+ "https://europe-north1-docker.pkg.dev",
+ registry.LoginOptBasicAuth(Oauth2BasicAuthUser, token),
+ registry.LoginOptInsecure(false),
+ )
 if err != nil {
 return nil, fmt.Errorf("logging in to registry: %w", err)
 }
@@ -344,7 +348,7 @@ func (h *Helm) Fetch(ctx context.Context, repo, chartName, version string) (*cha
 return ch, nil
 }
-func getToken(ctx context.Context) (string, error) {
+func getGoogleAccessToken(ctx context.Context) (string, error) {
 tokenSource, err := google.DefaultTokenSource(ctx)
 if err != nil {
 return "", fmt.Errorf("getting default token source: %w", err)
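Review bot: The final stage now runs on `golang:1.23-alpine` instead of distroless, which brings a shell, the apk package manager and the whole Go toolchain into the runtime image, and the tag is mutable. If the change is only needed for something `static-debian11` lacks, a smaller base pinned by digest would keep the attack surface close to what it was, e.g. `FROM alpine:<version>@sha256:<digest>`. No `USER` line is visible in this hunk and the stage continues below it; golang images run as root by default, so confirm the stage still ends with `USER 1001` or `USER knorten`.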
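Review bot: The new exported constant `Oauth2BasicAuthUser` has no doc comment and does not follow Go's initialism casing; the `// DefaultHelmDriver ...` comment above the group describes only the first entry. In the hunks shown it is used only inside package helm, so it could be unexported and documented: `// oauth2BasicAuthUser is the fixed basic-auth username used when the password is an OAuth2 access token.` followed by `oauth2BasicAuthUser = "oauth2accesstoken"`, with the call in Fetch updated to match. If it has to stay exported, `OAuth2BasicAuthUser` is the conventional spelling.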
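Review bot: The registry host passed to `registryClient.Login` is still a string literal while the username was lifted into a constant, and it is independent of the `repo` argument. Keeping the host fixed is the safer choice, because the access token is then never presented to a caller-supplied registry, but it deserves a named constant and a comment saying so, e.g. `const artifactRegistryHost = "https://europe-north1-docker.pkg.dev"` with `// Fixed on purpose: the token is only sent to this host, never to one derived from repo.` Helm's registry client normally persists login credentials to its credentials file, so it is worth confirming where the client created above this hunk writes them and that the file is readable only by the service user. Fetch starts and ends outside the hunk.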