diff --git a/.env.in b/.env.in index e1a42a29..084f0e52 100644 --- a/.env.in +++ b/.env.in @@ -27,7 +27,7 @@ DOCKER_NAMESPACE=${DOCKER_NAMESPACE} # Build host variables, used only for reproducing CI/CD locally: DOCKER_GID=${DOCKER_GID} # Pin container image versions to avoid failures from external changes: -DOCKER_BUILD_HOST_DIGEST=@sha256:179fab5b975255247e0a23b3d79c3503d00173aee369ec56dd41b1b695b1f0c7 +DOCKER_BUILD_HOST_DIGEST=@sha256:2a90e773265622fc47b125d3591f5b761c6df6ba6c9fec5611d72ee39c90e00f DOCKER_DOCKER_PUSHRM_DIGEST=@sha256:812a950e5be7dca26cef33b61eb2076bfcfb6c2a8ec96c126371fc049c3b6608 DOCKER_GITLAB_RELEASE_CLI_DIGEST=@sha256:5a71acbadc47c1971100f5246b09f88ba09e84ebe7769e425475dce85245a2bf DOCKER_HADOLINT_DIGEST=@sha256:9cef74a390694cdc01dd119cbba9adac5bb6671ce67d8d79eb7ec68f497a3684 diff --git a/build-host/Dockerfile b/build-host/Dockerfile index de4f17ed..226989c2 100644 --- a/build-host/Dockerfile +++ b/build-host/Dockerfile @@ -4,7 +4,7 @@ ## Container image in which to build, test, and release projects. -FROM docker:dind +FROM docker:cli # Least volatile layers first: @@ -48,6 +48,7 @@ CMD [ "make", "-e", "build-docker" ] # hadolint ignore=DL3018 RUN \ apk add --no-cache \ + "shadow" \ "coreutils" \ "make" \ "bash" \ @@ -64,6 +65,8 @@ RUN \ "texlive" \ "tar" \ "github-cli" \ + && groupdel "docker" \ + && apk del --no-cache "shadow" \ && rm -rf /var/cache/apk/* # Bake external build dependencies into the image: diff --git a/build-host/bin/init-job.sh b/build-host/bin/init-job.sh index b4490832..39fdf95d 100755 --- a/build-host/bin/init-job.sh +++ b/build-host/bin/init-job.sh 
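Review bot: The new `FROM docker:cli` line in `build-host/Dockerfile` references the base image by a mutable tag, while `.env.in` in the same commit pins images by digest "to avoid failures from external changes". Pinning the base the same way, `FROM docker:cli@sha256:<digest-of-the-reviewed-image>`, would make rebuilds reproducible. It would also keep an upstream retag from silently changing what the build host contains.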
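Review bot: The added `groupdel "docker"` step has no comment saying why the base image's group is removed. Judging from `build-host/bin/init-job.sh` in this commit, it is presumably so the group can be recreated at run time with the GID of the mounted socket; a line above the `RUN` such as `# Drop the image's docker group so init-job.sh can recreate it with the socket's GID` would record that. The step also fails the build if the group is absent, which can happen when the unpinned base changes; `&& { ! getent group "docker" >"/dev/null" || groupdel "docker"; } \` tolerates that. BusyBox's `delgroup "docker"` may do the same without installing and then removing `shadow` (the `"shadow"` line added in the previous hunk), provided nothing else in the `RUN` needs it. The middle of the package list lies between the two hunks and is not visible.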
@@ -55,8 +55,12 @@ main() { # Ensure the user can talk to `# dockerd`: if test -e "/var/run/docker.sock" then - if ! id -G "${user_name}" | - grep -qw "$(stat -c "%g" "/var/run/docker.sock")" + docker_gid=$(stat -c "%g" "/var/run/docker.sock") + if ! getent group ${docker_gid} >"/dev/null" + then + addgroup -g "${docker_gid}" "docker" + fi + if ! id -G "${user_name}" | grep -qw "${docker_gid}" then adduser "${user_name}" "$(stat -c "%G" "/var/run/docker.sock")" fi
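Review bot: `getent group ${docker_gid}` is unquoted, so if `stat` fails and leaves the variable empty it becomes a bare `getent group`, which lists every group and succeeds, and the `addgroup` branch is skipped without an error; write `if ! getent group "${docker_gid}" >"/dev/null"`. The unchanged `adduser` line still resolves the group with a second `stat -c "%G"` although the GID is already in `docker_gid`, so the two lookups can disagree if the socket changes in between. Membership in the socket's group gives the user control of the daemon, which is normally root-equivalent on the host that runs it. When the socket is group-owned by GID 0, the existing-group path adds the user to that group, so a comment such as `# NOTE: socket group membership grants full control of dockerd` would make the trade-off explicit. `main` starts and ends outside the hunk, so whether `docker_gid` is declared `local` cannot be seen here.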