diff --git a/.woodpecker/compliance-and-tests.yml b/.woodpecker/compliance-and-tests.yml
index d7cdf80e88..a5619270fc 100644
--- a/.woodpecker/compliance-and-tests.yml
+++ b/.woodpecker/compliance-and-tests.yml
@@ -4,9 +4,13 @@ workspace:
   base: /go
   path: src/codeberg/gitea
 
+variables:
+  - &golang_image 'golang:1.19'
+  - &gitea_test_env_image 'gitea/test_env:linux-amd64'
+
 pipeline:
   deps-backend:
-    image: golang:1.19
+    image: *golang_image
     pull: true
     secrets:
       - goproxy_override
@@ -15,7 +19,7 @@ pipeline:
     - make deps-backend
 
   security-check:
-    image: golang:1.19
+    image: *golang_image
     pull: true
     secrets:
       - goproxy_override
@@ -24,7 +28,7 @@ pipeline:
     - make security-check
 
   lint-backend:
-    image: gitea/test_env:linux-amd64
+    image: *gitea_test_env_image
     pull: true
     secrets:
       - goproxy_override
@@ -36,7 +40,7 @@ pipeline:
     - make lint-backend
 
   checks-backend:
-    image: golang:1.19
+    image: *golang_image
     pull: true
     secrets:
       - goproxy_override
@@ -55,11 +59,10 @@ pipeline:
     image: drone/git
     pull: true
     commands:
-    - git status
     - git update-ref refs/heads/tag_test ${CI_COMMIT_SHA}
 
   prepare-test-env:
-    image: gitea/test_env:linux-amd64
+    image: *gitea_test_env_image
     pull: true
     secrets:
       - goproxy_override
@@ -68,7 +71,7 @@ pipeline:
     - ./build/test-env-prepare.sh
 
   build-test:
-    image: gitea/test_env:linux-amd64
+    image: *gitea_test_env_image
     pull: true
     secrets:
       - goproxy_override
@@ -81,7 +84,7 @@ pipeline:
     - su gitea -c 'make backend'
 
   unit-test:
-    image: gitea/test_env:linux-amd64
+    image: *gitea_test_env_image
     pull: true
     secrets:
       - github_read_token
@@ -94,7 +97,7 @@ pipeline:
     - su gitea -c 'make unit-test-coverage test-check'
 
   test-sqlite:
-    image: gitea/test_env:linux-amd64
+    image: *gitea_test_env_image
     environment:
     - USE_REPO_TEST_DIR=1
     - GOPROXY=off
diff --git a/.woodpecker/release-version.yml b/.woodpecker/release-version.yml
index 5c8d349bb3..9fd199f39e 100644
--- a/.woodpecker/release-version.yml
+++ b/.woodpecker/release-version.yml
@@ -7,6 +7,13 @@ workspace:
   base: /source
   path: /
 
+variables:
+  - &golang_image 'golang:1.19'
+  - &node_image 'node:18'
+  - &xgo_image 'techknowlogick/xgo:go-1.19.x'
+  - &buildx_plugin_image 'woodpeckerci/plugin-docker-buildx'
+  - &gpgsign_plugin_image 'plugins/gpgsign:1'
+
 pipeline:
   fetch-tags:
     image: docker:git
@@ -16,13 +23,13 @@ pipeline:
      - git fetch --tags --force
 
   deps-frontend:
-    image: node:18
+    image: *node_image
     pull: true
     commands:
       - make deps-frontend
 
   deps-backend:
-    image: golang:1.19
+    image: *golang_image
     pull: true
     commands:
       - test "$${GOPROXY_OVERRIDE-}" != "" && export GOPROXY="$${GOPROXY_OVERRIDE}"
@@ -31,7 +38,7 @@ pipeline:
       - goproxy_override
 
   build-static:
-    image: techknowlogick/xgo:go-1.19.x
+    image: *xgo_image
     pull: true
     commands:
       - test "$${GOPROXY_OVERRIDE-}" != "" && export GOPROXY="$${GOPROXY_OVERRIDE}"
@@ -60,7 +67,7 @@ pipeline:
       - goproxy_override
 
   prep-multiarch-binaries:
-    image: golang:1.19 # image reuse to reduce pull times, go not required
+    image: *golang_image # image reuse to reduce pull times, go not required
     pull: true
     environment:
       fallbackversion: main # the fallback version used by make
@@ -72,7 +79,7 @@ pipeline:
       event: tag
 
   build-docker:
-    image: woodpeckerci/plugin-docker-buildx
+    image: *buildx_plugin_image
     pull: true
     settings:
       dockerfile: Dockerfile.ci
@@ -89,7 +96,7 @@ pipeline:
       event: tag
 
   gpg-sign:
-    image: plugins/gpgsign:1
+    image: *gpgsign_plugin_image
     pull: true
     settings:
       detach_sign: true
@@ -103,7 +110,7 @@ pipeline:
       event: tag
 
   release:
-    image: golang:1.19
+    image: *golang_image
     commands:
     - curl -sL https://dl.gitea.io/tea/0.9.0/tea-0.9.0-linux-amd64 > /bin/tea && chmod +x /bin/tea
     - REMOTE=$(echo $CI_REPO_LINK | sed -e 's|.*://||' -e 's|/.*||')
diff --git a/Dockerfile.ci b/Dockerfile.ci
index b03f9f2634..6ea21a49b5 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -1,3 +1,27 @@
+FROM alpine:3.17.0 as prep
+
+RUN addgroup \
+  -S -g 1000 \
+  git && \
+  adduser \
+  -S -H -D \
+  -h /data/git \
+  -s /bin/bash \
+  -u 1000 \
+  -G git \
+  git && \
+  echo "git:*" | chpasswd -e
+
+ENV USER git
+
+COPY docker/root /root-prep
+COPY docker/bin /bin-prep
+
+RUN chmod 755 /root-prep/usr/bin/entrypoint /root-prep/etc/s6/gitea/* /root-prep/etc/s6/openssh/* /root-prep/etc/s6/.s6-svscan/* && \
+  find /bin-prep -name 'forgejo' -type f | xargs -I{} chmod 0755 {} && \
+  find /bin-prep -name 'environment-to-ini' -type f | xargs -I{} chmod 0755 {}
+
+
 FROM alpine:3.17.0
 LABEL maintainer="contact@forgejo.org"
 
@@ -41,12 +65,6 @@ VOLUME ["/data"]
 ENTRYPOINT ["/usr/bin/entrypoint"]
 CMD ["/bin/s6-svscan", "/etc/s6"]
 
-COPY docker/root /
-COPY docker/bin/$TARGETPLATFORM/forgejo /app/gitea/gitea
-COPY docker/bin/$TARGETPLATFORM/environment-to-ini /usr/local/bin/environment-to-ini
-#
-# s/755/775/ in the following is to avoid the corrupted layer 4f4fb700ef54
-# https://codeberg.org/Codeberg/Community/issues/800#issue-210309
-#
-RUN chmod 775 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
-RUN chmod 775 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
+COPY --from=prep /root-prep /
+COPY --from=prep /bin-prep/$TARGETPLATFORM/forgejo /app/gitea/gitea
+COPY --from=prep /bin-prep/$TARGETPLATFORM/environment-to-ini /usr/local/bin/environment-to-ini