diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 641fa4c8..656a20ae 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -351,3 +351,50 @@ jobs:
 INGRESS_DOMAIN: ${{ secrets.INGRESS_DOMAIN }}
 HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
 HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}
+
+ deploy-mainnet:
+ if: github.event_name == 'release' && !github.event.release.prerelease
+ runs-on: ubuntu-latest
+ needs:
+ - push-docker-image
+ permissions:
+ id-token: write
+ contents: read
+ pull-requests: read
+ steps:
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+ - uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787
+ with:
+ version: 2
+ - name: Setup helmfile and helm
+ uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184
+ with:
+ helm-diff-plugin-version: 'v3.1.3'
+ helmfile-version: 'v0.144.0'
+ helm-version: 'v3.11.0'
+ install-kubectl: no
+ - name: Install kubectl
+ uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2
+ with:
+ version: 'v1.25.6'
+ - name: Configure AWS credentials for deployment
+ uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3
+ with:
+ role-to-assume: ${{ secrets.DEPLOY_MAINNET_IAM_ROLE }}
+ aws-region: eu-west-2
+ - name: Deploy application
+ working-directory: deploy/helm
+ run: |
+ aws eks update-kubeconfig --name ${{ secrets.MAINNET_CLUSTER_NAME }} \
+ --alias ${{ secrets.MAINNET_CLUSTER_NAME }} \
+ --region eu-west-2
+
+ helmfile --environment mainnet --namespace radix-dapp-toolkit-mainnet \
+ --state-values-set "ci.tag=${{ env.CI_TAG }}" \
+ --state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
+ apply
+ env:
+ CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
+ INGRESS_DOMAIN: ${{ secrets.MAINNET_INGRESS_DOMAIN }}
+ HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
+ HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}
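Review bot: The `Deploy application` step expands `${{ env.CI_TAG }}`, `${{ env.INGRESS_DOMAIN }}` and `${{ secrets.MAINNET_CLUSTER_NAME }}` into the script text before the shell runs, so their contents are parsed as shell source instead of being passed as data; `CI_TAG` comes from the image version label produced by `push-docker-image`. Since `CI_TAG` and `INGRESS_DOMAIN` are already in the step's `env:`, reference them as shell variables, `--state-values-set "ci.tag=$CI_TAG" \` and `--state-values-set "ci.ingressDomain=$INGRESS_DOMAIN" \`, and pass the cluster name the same way through an additional `env:` entry used as a quoted variable. The job also assumes the mainnet IAM role through OIDC without an `environment:` key, so no environment protection rules gate it as written; consider adding one, and a comment on why `pull-requests: read` is needed, since no visible step appears to use it.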
diff --git a/deploy/helm/environments/mainnet/values.yaml.gotmpl b/deploy/helm/environments/mainnet/values.yaml.gotmpl
new file mode 100644
index 00000000..b7d06778
--- /dev/null
+++ b/deploy/helm/environments/mainnet/values.yaml.gotmpl
@@ -0,0 +1,35 @@
+autoscaling:
+ enabled: true
+ minReplicas: 3
+ maxReplicas: 15
+ targetCPUUtilizationPercentage: 70
+ targetMemoryUtilizationPercentage: 70
+resources:
+ limits:
+ memory: 256Mi
+ requests:
+ cpu: 150m
+ memory: 256Mi
+
+ingress:
+ enabled: true
+ hosts:
+ - host: {{ .StateValues.ci.ingressDomain }}
+ paths:
+ - path: /
+ pathType: Prefix
+ basic_auth: true
+ annotations:
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: radix-dapp-toolkit-basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Auth Required - Mainnet'
+
+alertmanager:
+ env: "mainnet"
+ nameOverride: "radix-dapp-toolkit-amcfg"
+ slackConfig:
+ channel: "feed--alerts-dapps-mainnet"
+ secrets:
+ region: eu-west-2
+ name: "rtlj-prod/eks/dapps/mainnet/alertmanager-integration-keys"
+ enable_pagerduty_notifications: true
\ No newline at end of file
diff --git a/deploy/helm/helmfile.yaml b/deploy/helm/helmfile.yaml
index cf7e2d9e..f0ae7536 100644
--- a/deploy/helm/helmfile.yaml
+++ b/deploy/helm/helmfile.yaml
@@ -13,6 +13,7 @@ repositories:
 environments:
 dev: {}
 pr: {}
+ mainnet: {}
 releases:
 - name: radix-dapp-toolkit
 chart: ./radix-dapp-toolkit
@@ -26,3 +27,10 @@ releases:
 values:
 - environments/common/values.yaml.gotmpl
 - environments/{{ .Environment.Name }}/values.yaml.gotmpl
+
+ - name: alertmanager
+ chart: rdx-works/alertmanager-configs
+ version: 1.1.0
+ installed: {{ eq .Environment.Name "mainnet" }}
+ values:
+ - environments/{{ .Environment.Name }}/values.yaml.gotmpl
diff --git a/deploy/helm/radix-dapp-toolkit/templates/basic-auth-secret.yaml b/deploy/helm/radix-dapp-toolkit/templates/basic-auth-secret.yaml
new file mode 100644
index 00000000..19fc684f
--- /dev/null
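Review bot: `host: {{ .StateValues.ci.ingressDomain }}` renders the CI-supplied value as a bare YAML scalar, so an unset or empty `ci.ingressDomain` produces a null host and a value containing YAML-significant characters changes the document structure. On a mainnet ingress a missing host would likely turn the rule into a catch-all, depending on how the chart templates it. Fail the render and quote the value instead: `- host: {{ .StateValues.ci.ingressDomain | required "ci.ingressDomain is required" | quote }}`. The file also ends without a trailing newline.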
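Review bot: The new `alertmanager` release loads the same `environments/{{ .Environment.Name }}/values.yaml.gotmpl` as the application release, so each chart receives the other's keys: `autoscaling`, `ingress` and `resources` reach alertmanager-configs, and `alertmanager` reaches radix-dapp-toolkit. That holds only while neither chart reacts to the other's keys; a dedicated values file for this release, or a comment above `values:` stating that the sharing is intentional, would make the contract explicit. The release sets no `namespace`, so it presumably relies on the `--namespace` flag passed by the workflow; a comment such as `# namespace is supplied by helmfile --namespace in CI` would document that. The `releases:` list starts outside the hunk.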
+++ b/deploy/helm/radix-dapp-toolkit/templates/basic-auth-secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.ingress.basic_auth }}
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+ name: radix-dapp-toolkit-basic-auth
+spec:
+ backendType: secretsManager
+ region: eu-west-2
+ data:
+ - key: rtlj-prod/eks/dapps/mainnet/temp-basic-auth
+ name: auth
+ property: auth
+{{- end }}
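Review bot: The secret path `rtlj-prod/eks/dapps/mainnet/temp-basic-auth` and the region are hard-coded in a chart template gated only on `.Values.ingress.basic_auth`, so any other environment that enables the flag would pull the mainnet credential. Move the path into values, for example `- key: {{ required "ingress.basic_auth_key must be set" .Values.ingress.basic_auth_key }}`, with `basic_auth_key` as a new value set in the mainnet values file. `kubernetes-client.io/v1` is the API of the archived kubernetes-external-secrets project, so a comment recording that controller dependency, or a plan to move to External Secrets Operator, would help. The `temp-` prefix also deserves a comment saying when the basic-auth gate is expected to be removed.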