diff --git a/justfile b/justfile
index 4be05e92..dce52a12 100644
--- a/justfile
+++ b/justfile
@@ -127,11 +127,12 @@ compile-env *args: fill-out-dev-env-template
 ln -s /nix "${tmp_link}/nix"
 docker run \
 --rm \
+--read-only \
 --name dataplane-compile-env \
 --tmpfs /tmp:uid=$(id -u),gid=$(id -g),nodev,noexec,nosuid \
 --mount type=tmpfs,destination=${HOME},tmpfs-mode=1777 \
---mount type=bind,source="$(pwd),destination=/work,bind-propagation=rprivate" \
---mount type=bind,source="${tmp_link},destination=/work/compile-env,bind-propagation=rprivate" \
+--mount type=bind,source="$(pwd),destination=/work,bind-propagation=rprivate,readonly" \
+--mount type=bind,source="${tmp_link},destination=/work/compile-env,bind-propagation=rprivate,readonly" \
 --mount type=bind,source=$(pwd)/dev-env-template/etc/passwd,destination=/etc/passwd,readonly \
 --mount type=bind,source=$(pwd)/dev-env-template/etc/group,destination=/etc/group,readonly \
 --mount type=bind,source="${tmp_targetdir},destination=/work/target,bind-propagation=rprivate" \
@@ -282,6 +283,7 @@ fill-out-dev-env-template:
 declare -rxi UID
 GID="$(id -g)"
 declare -rxi GID
+declare -rx USER="${USER:-builder}"
 envsubst < dev-env-template/etc.template/group.template > dev-env-template/etc/group
 envsubst < dev-env-template/etc.template/passwd.template > dev-env-template/etc/passwd
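Review bot: The hardening intent behind the new `--read-only` flag and the `readonly` option on the `/work` and `/work/compile-env` bind mounts is not recorded anywhere in the recipe, so the next person who hits a read-only-filesystem error inside the container has nothing telling them it is deliberate rather than a misconfiguration. A short comment above `docker run` would close that gap, e.g. `# Rootfs and the checkout are mounted read-only on purpose: build output belongs in /work/target (the only rw bind); scratch space is /tmp and $HOME (tmpfs).` It is also worth stating that any tooling which writes back into the source tree (lockfile updates, generated files under /work) will now fail inside the container, which is presumably the intended contract. The `compile-env` recipe continues past the end of this hunk.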