diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index d660e56a841..a6ca855c0c3 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
@@ -1,105 +1,3 @@
-FROM ubuntu:20.04 as builder
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
-### SYSTEM DEPENDENCIES
-
-ENV DEBIAN_FRONTEND="noninteractive" \
- LC_ALL="en_US.UTF-8" \
- LANG="en_US.UTF-8"
-
-RUN apt-get update \
- && apt-get upgrade -y \
- && apt-get install -y --no-install-recommends \
- build-essential \
- ca-certificates \
- curl \
- zlib1g-dev \
- libyaml-dev \
- libgdbm-dev \
- bison \
- tzdata \
- zip \
- unzip \
- locales \
- make \
- libssl-dev \
- libbz2-dev \
- libffi-dev \
- libreadline-dev \
- libncurses5-dev \
- xz-utils \
- tk-dev \
- && locale-gen en_US.UTF-8
-
-### RUBY
-
-# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
-ARG RUBY_VERSION=3.1.4
-ARG RUBY_INSTALL_VERSION=0.9.0
-
-# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle update --bundler`
-# Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
-# This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
-ARG BUNDLER_V2_VERSION=2.4.10
-
-# Install Ruby, update RubyGems, and install Bundler
-RUN mkdir -p /tmp/ruby-install \
- && cd /tmp/ruby-install \
- && curl -fsSL "https://github.com/postmodern/ruby-install/archive/v$RUBY_INSTALL_VERSION.tar.gz" -o ruby-install-$RUBY_INSTALL_VERSION.tar.gz \
- && tar -xzvf ruby-install-$RUBY_INSTALL_VERSION.tar.gz \
- && cd ruby-install-$RUBY_INSTALL_VERSION/ \
- && make \
- && ./bin/ruby-install -j4 --system --cleanup ruby $RUBY_VERSION -- --disable-install-doc \
- && gem install bundler -v $BUNDLER_V2_VERSION --no-document \
- && rm -rf /var/lib/gems/*/cache/* \
- && rm -rf /tmp/ruby-install
-
-ENV HOME="/home/dependabot"
-WORKDIR ${HOME}
-
-# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
-ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
-RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
-
-COPY .rubocop.yml .rubocop.yml
-COPY .ruby-version .ruby-version
-COPY omnibus omnibus
-COPY updater/Gemfile updater/Gemfile.lock dependabot-updater/
-
-COPY common/Gemfile common/dependabot-common.gemspec common/
-COPY common/lib/dependabot.rb common/lib/dependabot.rb
-COPY bundler/Gemfile bundler/dependabot-bundler.gemspec bundler/
-COPY cargo/Gemfile cargo/dependabot-cargo.gemspec cargo/
-COPY composer/Gemfile composer/dependabot-composer.gemspec composer/
-COPY docker/Gemfile docker/dependabot-docker.gemspec docker/
-COPY elm/Gemfile elm/dependabot-elm.gemspec elm/
-COPY git_submodules/Gemfile git_submodules/dependabot-git_submodules.gemspec git_submodules/
-COPY github_actions/Gemfile github_actions/dependabot-github_actions.gemspec github_actions/
-COPY go_modules/Gemfile go_modules/dependabot-go_modules.gemspec go_modules/
-COPY gradle/Gemfile gradle/dependabot-gradle.gemspec gradle/
-COPY hex/Gemfile hex/dependabot-hex.gemspec hex/
-COPY maven/Gemfile maven/dependabot-maven.gemspec maven/
-COPY npm_and_yarn/Gemfile npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
-COPY nuget/Gemfile nuget/dependabot-nuget.gemspec nuget/
-COPY pub/Gemfile pub/dependabot-pub.gemspec pub/
-COPY python/Gemfile python/dependabot-python.gemspec python/
-COPY terraform/Gemfile terraform/dependabot-terraform.gemspec terraform/
-
-# prevent having all the source in every ecosystem image
-RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler; do \
- mkdir -p $ecosystem/lib/dependabot; \
- touch $ecosystem/lib/dependabot/$ecosystem.rb; \
- done
-
-WORKDIR $HOME/dependabot-updater
-
-RUN bundle config set --local path 'vendor' && \
-bundle config set --local frozen 'true' && \
-bundle config set --local without 'development' && \
-bundle install && \
-rm -rf ~/.bundle
-
 FROM ubuntu:20.04
 LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"
@@ -144,24 +42,75 @@ RUN if ! getent group "$USER_GID"; then groupadd --gid "$USER_GID" dependabot ;
  && useradd --uid "${USER_UID}" --gid "${USER_GID}" -m dependabot \
  && mkdir -p /opt && chown dependabot:dependabot /opt && chgrp dependabot /etc/ssl/certs && chmod g+w /etc/ssl/certs
+USER dependabot
+ENV DEPENDABOT_HOME="/home/dependabot"
+WORKDIR $DEPENDABOT_HOME
+
 # Disable automatic pulling of files stored with Git LFS
 # This avoids downloading large files not necessary for the dependabot scripts
 ENV GIT_LFS_SKIP_SMUDGE=1
-COPY --from=builder /opt /opt
-COPY --from=builder --chown=dependabot:dependabot /usr/local /usr/local
-COPY --from=builder --chown=dependabot:dependabot /home/dependabot /home/dependabot
+# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
+ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
+RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
-ENV DEPENDABOT_HOME /home/dependabot
+COPY --chown=dependabot:dependabot .rubocop.yml .rubocop.yml
+COPY --chown=dependabot:dependabot .ruby-version .ruby-version
+COPY --chown=dependabot:dependabot omnibus omnibus
+COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
+
+COPY --chown=dependabot:dependabot common/Gemfile common/dependabot-common.gemspec common/
+COPY --chown=dependabot:dependabot common/lib/dependabot.rb common/lib/dependabot.rb
+COPY --chown=dependabot:dependabot bundler/Gemfile bundler/dependabot-bundler.gemspec bundler/
+COPY --chown=dependabot:dependabot cargo/Gemfile cargo/dependabot-cargo.gemspec cargo/
+COPY --chown=dependabot:dependabot composer/Gemfile composer/dependabot-composer.gemspec composer/
+COPY --chown=dependabot:dependabot docker/Gemfile docker/dependabot-docker.gemspec docker/
+COPY --chown=dependabot:dependabot elm/Gemfile elm/dependabot-elm.gemspec elm/
+COPY --chown=dependabot:dependabot git_submodules/Gemfile git_submodules/dependabot-git_submodules.gemspec git_submodules/
+COPY --chown=dependabot:dependabot github_actions/Gemfile github_actions/dependabot-github_actions.gemspec github_actions/
+COPY --chown=dependabot:dependabot go_modules/Gemfile go_modules/dependabot-go_modules.gemspec go_modules/
+COPY --chown=dependabot:dependabot gradle/Gemfile gradle/dependabot-gradle.gemspec gradle/
+COPY --chown=dependabot:dependabot hex/Gemfile hex/dependabot-hex.gemspec hex/
+COPY --chown=dependabot:dependabot maven/Gemfile maven/dependabot-maven.gemspec maven/
+COPY --chown=dependabot:dependabot npm_and_yarn/Gemfile npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
+COPY --chown=dependabot:dependabot nuget/Gemfile nuget/dependabot-nuget.gemspec nuget/
+COPY --chown=dependabot:dependabot pub/Gemfile pub/dependabot-pub.gemspec pub/
+COPY --chown=dependabot:dependabot python/Gemfile python/dependabot-python.gemspec python/
+COPY --chown=dependabot:dependabot terraform/Gemfile terraform/dependabot-terraform.gemspec terraform/
-# Add project
+# prevent having all the source in every ecosystem image
+RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler; do \
+ mkdir -p $ecosystem/lib/dependabot; \
+ touch $ecosystem/lib/dependabot/$ecosystem.rb; \
+ done
+
+WORKDIR $DEPENDABOT_HOME/dependabot-updater
+
+# Install Ruby from official Docker image
+# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
+COPY --from=ruby:3.1.4 --chown=dependabot:dependabot /usr/local /usr/local
+
+# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle update --bundler`
+# Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
+# This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
+ARG BUNDLER_V2_VERSION=2.4.10
+
+RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
+ rm -rf /var/lib/gems/*/cache/* && \
+ bundle config set --local path 'vendor' && \
+ bundle config set --local frozen 'true' && \
+ bundle config set --local without 'development' && \
+ bundle install && \
+ rm -rf ~/.bundle
+
+# Add project after bundle install to avoid re-installing gems when only the project code changes
 COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME
 COPY --chown=dependabot:dependabot common $DEPENDABOT_HOME/common
 COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater
-ENV PATH="$HOME/bin:$PATH"
+ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
 ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
-WORKDIR $DEPENDABOT_HOME/dependabot-updater
+USER root
 CMD ["bin/run"]
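Review bot: The final stage now ends with `USER root` directly before `CMD ["bin/run"]`, so the image as built runs the updater as root unless a derived Dockerfile switches back; the earlier `USER dependabot` only covers the build steps. If the switch exists so ecosystem images built on top of this one can still install packages (inferred, not visible in the hunk), record that contract in a comment such as `# Back to root so derived ecosystem images can install packages; they must set USER dependabot before their CMD`. The moved git-shim fetch, `RUN curl -sL $SHIM -o git-shim.tar.gz && ...`, places a binary ahead of git on PATH without any integrity check; since the release URL is already version-pinned, `curl -fsSL "$SHIM" -o git-shim.tar.gz && echo "<SHA256_OF_RELEASE_TARBALL>  git-shim.tar.gz" | sha256sum -c -` ahead of the `tar -xvf` would also pin the content and fail the build on an HTTP error instead of extracting an error page. `COPY --from=ruby:3.1.4` likewise resolves a mutable tag; a `ruby:3.1.4@sha256:<DIGEST>` reference makes the copied `/usr/local` reproducible, and the `/var/lib/gems/*/cache/*` cleanup probably no longer matches anything now that gems live under the copied `/usr/local` (worth confirming before keeping it).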