diff --git a/.github/actions/terraform-deploy/action.yml b/.github/actions/terraform-deploy/action.yml
new file mode 100644
index 0000000..9d07eab
--- /dev/null
+++ b/.github/actions/terraform-deploy/action.yml
@@ -0,0 +1,75 @@
+name: Deploy
+
+inputs:
+ env_aws_secret_name:
+ required: true
+ type: string
+ env-file:
+ required: true
+ type: string
+ dir:
+ required: false
+ type: string
+ default: "."
+
+runs:
+ using: "composite"
+
+ steps:
+ - name: Set up Python
+ if: env.infra_deploy
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+ cache: "pip"
+
+ - name: Install python dependencies
+ if: env.infra_deploy
+ shell: bash
+ working-directory: ${{ inputs.dir }}
+ run: pip install -r deploy_requirements.txt
+
+ - name: Get relevant environment configuration from aws secrets
+ shell: bash
+ working-directory: ${{ inputs.dir }}
+ run: |
+ ./scripts/sync-env.sh ${{ inputs.env_aws_secret_name }}
+
+ - name: Setup Terraform
+ if: env.infra_deploy
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.3.3
+
+ # - name: Deploy
+ # if: env.infra_deploy
+ # shell: bash
+ # working-directory: ${{ inputs.dir }}
+ # run: |
+ # ./scripts/deploy.sh ${{ inputs.env-file }} <<< init
+ # ./scripts/deploy.sh ${{ inputs.env-file }} <<< deploy
+
+ - name: Docker build, tag, and push image to Amazon ECR
+ shell: bash
+ env:
+ IMAGE_TAG: latest
+ ECR_REGISTRY: ${{ format('{0}.dkr.ecr.{1}.amazonaws.com/{2}-registry-{3}', env.ACCOUNT_ID, env.AWS_REGION, env.APP_NAME, env.STAGE) }}
+ run: |
+ echo $ECR_REGISTRY
+ echo $IMAGE_TAG
+ # aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_REGISTRY
+ # cd veda-wfs3-app
+ # docker build -t $ECR_REGISTRY }}:$IMAGE_TAG }} .
+ # docker push $ECR_REGISTRY }}:$IMAGE_TAG }}
+
+ - name: ECS refresh service
+ shell: bash
+ env:
+ ECS_SERVICE_NAME: ${{ format('{0}-service-{1}', env.APP_NAME, env.STAGE) }}
+ run: |
+ echo $ECS_SERVICE_NAME
+ # aws ecs update-service \
+ # --cluster $ECS_SERVICE_NAME \
+ # --service $ECS_SERVICE_NAME \
+ # --task-definition $ECS_SERVICE_NAME \
+ # --force-new-deployment
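Review bot: The `Get relevant environment configuration from aws secrets` step interpolates `${{ inputs.env_aws_secret_name }}` directly into the `run:` script, so the input is evaluated by bash instead of being passed as data; route it through `env:` (`SECRET_NAME: ${{ inputs.env_aws_secret_name }}`) and call `./scripts/sync-env.sh "$SECRET_NAME"`. The `env-file` input is `required: true` but its only consumer is the commented-out Deploy step, and `if: env.infra_deploy` gates the Python and Terraform setup on a variable that nothing in this change sets, so those steps are skipped unless a caller exports it. The last two steps read `ACCOUNT_ID`, `AWS_REGION`, `APP_NAME` and `STAGE` from `env`, which appear to come from whatever `sync-env.sh` loads rather than from declared inputs, and a comment at the top of the action stating that contract (`# expects ACCOUNT_ID, AWS_REGION, APP_NAME and STAGE to be present in the job env`) would save the next reader a search. The inputs also lack the `description` key the action metadata syntax expects, `type:` is as far as I know a `workflow_call` input key rather than an action one, and `actions/setup-python@v4` / `hashicorp/setup-terraform@v2` are tag-pinned where a commit SHA pin would make the action's supply chain reproducible.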
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
new file mode 100644
index 0000000..5a2f99f
--- /dev/null
+++ b/.github/workflows/cicd.yml
@@ -0,0 +1,60 @@
+name: CICD 🚀
+
+permissions:
+ id-token: write
+ contents: read
+
+on:
+ push:
+ branches:
+ - main
+ - dev
+ - production
+ - update-workflows
+
+jobs:
+ define-environment:
+ name: Set ✨ environment ✨
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set the environment based on the branch
+ id: define_environment
+ run: |
+ if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+ echo "env_name=staging" >> $GITHUB_OUTPUT
+ elif [ "${{ github.ref }}" = "refs/heads/dev" ]; then
+ echo "env_name=development" >> $GITHUB_OUTPUT
+ elif [ "${{ github.ref }}" = "refs/heads/production" ]; then
+ echo "env_name=production" >> $GITHUB_OUTPUT
+ elif [ "${{ github.ref }}" = "refs/heads/update-workflows" ]; then
+ echo "env_name=development" >> $GITHUB_OUTPUT
+ fi
+ - name: Print the environment
+ run: echo "The environment is ${{ steps.define_environment.outputs.env_name }}"
+
+ outputs:
+ env_name: ${{ steps.define_environment.outputs.env_name }}
+
+ deploy:
+ name: Deploy to ${{ needs.define-environment.outputs.env_name }} 🚀
+ runs-on: ubuntu-latest
+ needs: [define-environment]
+ if: ${{ needs.define-environment.outputs.env_name }}
+ environment: ${{ needs.define-environment.outputs.env_name }}
+ concurrency: ${{ needs.define-environment.outputs.env_name }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+ role-session-name: "ghgc-features-api-github-${{ needs.define-environment.outputs.env_name }}-deployment"
+ aws-region: "us-west-2"
+
+ - name: Run deployment
+ uses: "./.github/actions/terraform-deploy"
+ with:
+ env_aws_secret_name: ${{ secrets.ENV_AWS_SECRET_NAME }}
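Review bot: `update-workflows` is both a push trigger and mapped to `development` in the branch-to-environment step, so a push to that branch assumes `DEPLOYMENT_ROLE_ARN` via OIDC and deploys; if it is a temporary hook for testing this workflow it should come out before merge, and if it is intended, the `development` environment's protection rules are the only thing between a non-release branch and a deployment. The same step compares `${{ github.ref }}` inside the shell script; the runner already exports the ref, so replacing each `"${{ github.ref }}"` with `"$GITHUB_REF"` keeps expression values out of the script, and `$GITHUB_OUTPUT` should be quoted on the `echo` lines. The `Run deployment` step passes only `env_aws_secret_name`, while the composite action declares `env-file` as `required: true`; I believe the runner only warns about a missing required input rather than failing, so either pass it or drop the declaration. `actions/checkout@v3` and `aws-actions/configure-aws-credentials@v2` are tag-pinned; a commit SHA pin is the usual hardening for a job that holds deployment credentials.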
diff --git a/scripts/sync-env.sh b/scripts/sync-env.sh
new file mode 100755
index 0000000..3758445
--- /dev/null
+++ b/scripts/sync-env.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Use this script to load environment variables for a deployment from AWS Secrets
+
+for s in $(aws secretsmanager get-secret-value --secret-id $1 --query SecretString --output text | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ); do
+ echo "$s" >> $GITHUB_ENV
+done
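Review bot: Every secret value is appended to `$GITHUB_ENV` unmasked and via unquoted word-splitting in `for s in $(...)`, so a value containing spaces or glob characters is split into bogus `KEY=value` entries and a value containing a newline appends extra lines to the job environment that nothing in this script controls. The `$(...)` form also hides a failing `aws` or `jq` call: the loop runs zero times and the later steps proceed with nothing loaded, and `$1` and `$GITHUB_ENV` are unquoted throughout. I would fail fast with `set -euo pipefail`, require the secret id argument, read the output line by line, and emit `::add-mask::` for each value before it is written so it cannot show up in later step logs. A value that legitimately contains newlines still needs the `KEY<<DELIMITER` heredoc form of `GITHUB_ENV`, which the rewrite below does not handle and would be worth a comment if such values exist.

```shell
#!/usr/bin/env bash
# Use this script to load environment variables for a deployment from AWS Secrets
set -euo pipefail

secret_id="${1:?usage: sync-env.sh <secret-id>}"

aws secretsmanager get-secret-value --secret-id "$secret_id" --query SecretString --output text \
  | jq -r 'to_entries[] | "\(.key)=\(.value|tostring)"' \
  | while IFS='=' read -r key value; do
      # mask the value before anything downstream can echo it into the job log
      if [ -n "$value" ]; then
        echo "::add-mask::$value"
      fi
      printf '%s=%s\n' "$key" "$value" >> "$GITHUB_ENV"
    done
```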