Based on the simplicity of the build it's doing, there's basically no reason to invoke Docker to produce the image at all. You could use a tool like ko[0] to simply build the Go binary and place it on top of a base image (or keep it based on scratch) without requiring privileges at all, using `ko publish`.