I had tried && openssl rand -base64 12 but docker assumes if the command hasn’t changed (even though it generates a new random value) then it can rely on the cache for that layer. A comment below the answer on stack overflow points out you could do the same thing using an environment variable (with guid or datetime to ensure no duplicates), that’s a nice approach