diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 538243089f..cfd54ce4a1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -572,7 +572,7 @@ jobs: matrix: image_name: ["relay"] # Don't publish relay-pop (for now) - if: github.event_name == 'merge_group' + if: github.event_name == 'merge_group' env: GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" @@ -854,6 +854,13 @@ jobs: image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + - name: Inspect failure + if: failure() + run: | + cd /home/runner/work/_actions/getsentry/self-hosted/master + docker compose ps + docker compose logs + validate-devservices-config: runs-on: ubuntu-24.04 needs: devservices-files-changed diff --git a/Dockerfile.release b/Dockerfile.release index c30999d176..efe353582d 100644 --- a/Dockerfile.release +++ b/Dockerfile.release 
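Review bot: The new `Inspect failure` step hard-codes `/home/runner/work/_actions/getsentry/self-hosted/master`, which ties it to the runner's internal action-cache layout and to the action being referenced at `master`. If the `uses:` line (outside this hunk) is later pinned to a tag or commit SHA, the `cd` fails and the diagnostics are lost exactly when they are needed. A comment such as `# path mirrors getsentry/self-hosted@master; update together with the action ref` would make that coupling visible. `docker compose logs` also copies complete service logs into the job log, so bounding it with `--tail` keeps the output reviewable and limits what lands in a log that may be publicly readable.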
@@ -1,31 +1,21 @@ -FROM debian:bookworm-slim +FROM gcr.io/distroless/cc-debian12:debug AS builder -ARG TARGETPLATFORM - -RUN apt-get update \ - && apt-get install -y ca-certificates gosu curl --no-install-recommends \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* +RUN ["/busybox/busybox", "mkdir", "/work", "/etc/relay"] -ENV \ - RELAY_UID=10001 \ - RELAY_GID=10001 -# Create a new user and group with fixed uid/gid -RUN groupadd --system relay --gid $RELAY_GID \ - && useradd --system --gid relay --uid $RELAY_UID relay +FROM gcr.io/distroless/cc-debian12:nonroot -RUN mkdir /work /etc/relay \ - && chown relay:relay /work /etc/relay -VOLUME ["/work", "/etc/relay"] -WORKDIR /work +ARG TARGETPLATFORM EXPOSE 3000 -COPY $TARGETPLATFORM/relay /bin/relay -RUN chmod +x /bin/relay +COPY --from=builder --chown=nonroot:noonroot /etc/relay /etc/relay +COPY --from=builder --chown=nonroot:noonroot /work /work -COPY ./docker-entrypoint.sh / -ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"] -CMD ["run"] +VOLUME ["/etc/relay", "/work"] +WORKDIR /work +COPY --chmod=755 $TARGETPLATFORM/relay /bin/relay + +ENTRYPOINT ["/bin/relay"] +CMD ["run"] diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh deleted file mode 100644 index e6cd97d798..0000000000 --- a/docker-entrypoint.sh +++ /dev/null 
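Review bot: Both `COPY --from=builder` lines pass `--chown=nonroot:noonroot`, and `noonroot` looks like a typo for the `nonroot` group. The group name is resolved against the final stage's `/etc/group`, so the lookup is expected to fail the build rather than give `/etc/relay` and `/work` the intended ownership. Use `--chown=nonroot:nonroot`, or the numeric form `--chown=65532:65532` (the distroless nonroot uid/gid) so ownership does not depend on name resolution. Separately, the removed lines ran relay as uid/gid 10001, so volumes written by older images may no longer be writable by the new user and deserve an upgrade note. Both `FROM` lines also use mutable tags (`:debug`, `:nonroot`); pinning them by digest would keep the release image reproducible.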
@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# Enable core dumps. Requires privileged mode.
-if [[ "${RELAY_ENABLE_COREDUMPS:-}" == "1" ]]; then
- mkdir -p /var/dumps
- chmod a+rwx /var/dumps
- echo '/var/dumps/core.%h.%e.%t' > /proc/sys/kernel/core_pattern
- ulimit -c unlimited
-fi
-
-# Sleep for the specified number of seconds before starting.
-# For example, can be helpful to synchronize container startup in Kubernetes environment.
-if [[ -n "${RELAY_DELAY_STARTUP_SECONDS:-}" ]]; then
- echo "Sleeping for ${RELAY_DELAY_STARTUP_SECONDS}s..."
- sleep "${RELAY_DELAY_STARTUP_SECONDS}"
-fi
-
-# Make sure that a specified URL (e.g. the upstream or a proxy sidecar) is reachable before starting.
-# Only 200 response is accepted as success.
-if [[ -n "${RELAY_PRESTART_ENDPOINT:-}" ]]; then
- max_retry="${RELAY_PRESTART_MAX_RETRIES:-120}"
- curl_timeout="${RELAY_PRESTART_REQUEST_TIMEOUT:-1}"
- for attempt in $(seq 0 "${max_retry}"); do
- if [[ "${attempt}" == "${max_retry}" ]]; then
- echo "The prestart endpoint has not returned 200 after ${max_retry} attempts, exiting!"
- exit 1
- fi
- status=$(curl --max-time "${curl_timeout}" --show-error --silent \
- --output /dev/null --write-out "%{http_code}" \
- -H 'Connection: close' \
- "${RELAY_PRESTART_ENDPOINT}" \
- || true)
- if [[ "${status}" == "200" ]]; then
- break
- fi
- echo "Waiting for a 200 response from ${RELAY_PRESTART_ENDPOINT}, got ${status}"
- sleep 1
- done
-fi
-
-# For compatibility with older images
-if [ "$1" == "bash" ]; then
- set -- bash "${@:2}"
-elif [ "$(id -u)" == "0" ]; then
- set -- gosu relay /bin/relay "$@"
-else
- set -- /bin/relay "$@"
-fi
-
-exec "$@"
diff --git a/relay-kafka/Cargo.toml b/relay-kafka/Cargo.toml
index 3ff488679e..00f3c79819 100644
--- a/relay-kafka/Cargo.toml
+++ b/relay-kafka/Cargo.toml
@@ -13,7 +13,7 @@ publish = false workspace = true [dependencies] -rdkafka = { workspace = true, optional = true, features = ["tracing", "ssl"] } +rdkafka = { workspace = true, optional = true, features = ["tracing", "ssl", "libz-static"] } rdkafka-sys = { workspace = true, optional = true } relay-log = { workspace = true, optional = true } relay-statsd = { workspace = true, optional = true }
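Review bot: The `libz-static` feature added to `rdkafka` has no comment explaining why it is needed, so a later cleanup could drop it as unused. Presumably it is there because the distroless runtime image introduced in this change provides no shared zlib; a comment such as `# libz-static: runtime image ships no shared libz (distroless)` above the dependency would record that. Statically linking zlib also means zlib fixes now reach the binary only through a dependency update and rebuild, not a base-image refresh, which is worth covering in dependency audits.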