diff --git a/.github/workflows/build_and_push_docker_images.yaml b/.github/workflows/build_and_push_docker_images.yaml
index 2959615fa..f2b33f136 100644
--- a/.github/workflows/build_and_push_docker_images.yaml
+++ b/.github/workflows/build_and_push_docker_images.yaml
@@ -204,6 +204,7 @@ jobs:
           docker exec -t -u root $CID node_dump
           docker rm -f $CID
       - name: Push docker image
+        if: inputs.publish || github.repository_owner != 'emqx'
         env:
           PROFILE: ${{ matrix.profile[0] }}
           DOCKER_REGISTRY: ${{ matrix.profile[1] }}
diff --git a/deploy/docker/Dockerfile b/deploy/docker/Dockerfile
index 3fd68ad70..d43b4a19f 100644
--- a/deploy/docker/Dockerfile
+++ b/deploy/docker/Dockerfile
@@ -49,19 +49,18 @@ ENV LANG=C.UTF-8
 COPY deploy/docker/docker-entrypoint.sh /usr/bin/
 COPY --from=builder /emqx-rel /opt/
 
-WORKDIR /opt/emqx
-
 RUN set -eu; \
     apt-get update; \
     apt-get install -y --no-install-recommends ca-certificates procps $(echo "${EXTRA_DEPS}" | tr ',' ' '); \
+    rm -rf /var/lib/apt/lists/*; \
     find /opt/emqx -name 'swagger*.js.map' -exec rm {} +; \
+    ln -s /opt/emqx/bin/* /usr/local/bin/; \
     groupadd -r -g 1000 emqx; \
     useradd -r -m -u 1000 -g emqx emqx; \
-    chgrp -Rf emqx /opt/emqx; \
-    chmod -Rf g+w /opt/emqx; \
-    chown -Rf emqx /opt/emqx; \
-    ln -s /opt/emqx/bin/* /usr/local/bin/; \
-    rm -rf /var/lib/apt/lists/*
+    mkdir -p /opt/emqx/log /opt/emqx/data /opt/emqx/plugins; \
+    chown -R emqx:emqx /opt/emqx/log /opt/emqx/data /opt/emqx/plugins
+
+WORKDIR /opt/emqx
 
 USER emqx