diff --git a/.dockerignore b/.dockerignore
index 4010e09..63d9bd3 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,7 +3,7 @@
 # Whitelist required files
 !.env.encrypted
-!codeship/*
+!scripts/*
 !lambda/*
 !server/*
 !u2fsimulator/*
diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml
new file mode 100644
index 0000000..94d8a19
--- /dev/null
+++ b/.github/workflows/test-deploy-publish.yml
@@ -0,0 +1,69 @@
+name: Test, Deploy, Publish
+on:
+ push:
+jobs:
+ tests:
+ name: Tests
+ runs-on: ubuntu-latest
+ env:
+ AWS_REGION: ${{ vars.AWS_REGION }}
+ STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+ STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+ PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }}
+ PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Test
+ run: docker-compose -f actions-services.yml run --rm test ./scripts/test.sh
+
+ deploy:
+ name: Deploy to AWS Lambda
+ needs: tests
+ if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
+ runs-on: ubuntu-latest
+ env:
+ AWS_REGION: ${{ vars.AWS_REGION }}
+ STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+ STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+ STG_LAMBDA_ROLE: ${{ vars.STG_LAMBDA_ROLE }}
+ STG_API_KEY_TABLE: ${{ vars.STG_API_KEY_TABLE }}
+ STG_WEBAUTHN_TABLE: ${{ vars.STG_WEBAUTHN_TABLE }}
+ PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }}
+ PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }}
+ PRD_LAMBDA_ROLE: ${{ vars.PRD_LAMBDA_ROLE }}
+ PRD_API_KEY_TABLE: ${{ vars.PRD_API_KEY_TABLE }}
+ PRD_WEBAUTHN_TABLE: ${{ vars.PRD_WEBAUTHN_TABLE }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Deploy
+ run: docker-compose -f actions-services.yml run --rm app ./scripts/deploy.sh
+
+ build-and-publish:
+ name: Build and Publish
+ needs: tests
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ vars.IMAGE_NAME }}
+ - name: Build and push Docker image
+ uses:
docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/.gitignore b/.gitignore
index 2892832..9adab16 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,10 +8,8 @@ bootstrap
 dockercfg
 # credentials and other env files
-aws.env
 *.aes
-local.env
-.env
+*.env
 .cert/
 # dev tools metadata
diff --git a/actions-services.yml b/actions-services.yml
new file mode 100644
index 0000000..072df68
--- /dev/null
+++ b/actions-services.yml
@@ -0,0 +1,44 @@
+version: "3"
+
+services:
+ test:
+ build: .
+ environment:
+ AWS_ENDPOINT: dynamo:8000
+ AWS_DISABLE_SSL: "true"
+ API_KEY_TABLE: ApiKey
+ WEBAUTHN_TABLE: WebAuthn
+ LAMBDA_ROLE: placeholder
+ AWS_REGION: $AWS_REGION
+ GITHUB_REF_NAME: $GITHUB_REF_NAME
+ STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID
+ STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY
+ PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID
+ PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY
+ depends_on:
+ - dynamo
+
+ app:
+ build: .
+ working_dir: /src
+ environment:
+ AWS_REGION: $AWS_REGION
+ GITHUB_REF_NAME: $GITHUB_REF_NAME
+ STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID
+ STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY
+ STG_LAMBDA_ROLE: $STG_LAMBDA_ROLE
+ STG_API_KEY_TABLE: $STG_API_KEY_TABLE
+ STG_WEBAUTHN_TABLE: $STG_WEBAUTHN_TABLE
+ PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID
+ PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY
+ PRD_LAMBDA_ROLE: $PRD_LAMBDA_ROLE
+ PRD_API_KEY_TABLE: $PRD_API_KEY_TABLE
+ PRD_WEBAUTHN_TABLE: $PRD_WEBAUTHN_TABLE
+
+ dynamo:
+ image: amazon/dynamodb-local
+ environment:
+ AWS_ACCESS_KEY_ID: abc123
+ AWS_SECRET_ACCESS_KEY: abc123
+ AWS_DEFAULT_REGION: us-east-1
+ command: "-jar DynamoDBLocal.jar -sharedDb"
diff --git a/codeship-services.yml b/codeship-services.yml
deleted file mode 100644
index 4285677..0000000
--- a/codeship-services.yml
+++ /dev/null
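Review bot: The `tests` job places `PRD_AWS_SECRET_ACCESS_KEY` and `STG_AWS_SECRET_ACCESS_KEY` in its `env:` while `on: push:` carries no branch filter, so the production secret reaches the test container on every push of every branch (actions-services.yml forwards the same variables to the `test` service), whereas only the `deploy` job is gated on main/develop. scripts/test.sh needs production credentials only on main for `serverless info`, so scope them: a job-level GitHub `environment:` whose per-environment secrets expose just the matching key, or at minimum an expression on the env value that yields the PRD secret only when `github.ref == 'refs/heads/main'`, and prefer short-lived credentials through OIDC (`permissions: id-token: write` with `aws-actions/configure-aws-credentials`) over long-lived keys. There is also no top-level `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` grant; add `permissions: contents: read` at the top (widening per job where needed) and consider pinning the `docker/*` actions to a commit SHA rather than a major tag. The `run:` steps call the hyphenated Compose v1 `docker-compose`; current `ubuntu-latest` images ship Compose v2 as `docker compose`, so confirm the v1 binary is still present on the runner.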
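Review bot: The `$AWS_REGION`, `$GITHUB_REF_NAME` and `$STG_*`/`$PRD_*` substitutions in the `test` and `app` services expand to an empty string when the variable is unset on the host, so an undefined repository variable reaches deploy.sh as an empty region or table name instead of stopping the run; use Compose's required-variable form, e.g. `AWS_REGION: ${AWS_REGION:?AWS_REGION is not set}`, for every value the deploy depends on. `depends_on: - dynamo` only orders container start-up and does not wait for DynamoDB Local to listen on `dynamo:8000`, so `test` can race it unless scripts/test.sh retries — confirm; a `healthcheck` on `dynamo` plus `condition: service_healthy` on the dependency closes that gap (Compose v2 accepts it; the `version: "3"` format read by docker-compose v1 does not). The `abc123` values under `dynamo` are throwaway credentials for the local emulator, which does not validate them; a comment such as `# placeholder credentials for DynamoDB Local, not real keys` would keep them from being mistaken for, or later replaced with, real ones.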
@@ -1,29 +0,0 @@
-test:
- build:
- dockerfile_path: Dockerfile
- cached: true
- encrypted_env_file: aws.env.encrypted
- environment:
- AWS_ENDPOINT: dynamo:8000
- AWS_DEFAULT_REGION: us-east-1
- AWS_DISABLE_SSL: "true"
- API_KEY_TABLE: ApiKey
- WEBAUTHN_TABLE: WebAuthn
- LAMBDA_ROLE: placeholder
- depends_on:
- - dynamo
-
-app:
- build:
- dockerfile_path: Dockerfile
- cached: true
- encrypted_env_file: aws.env.encrypted
- working_dir: /src
-
-dynamo:
- image: amazon/dynamodb-local
- environment:
- AWS_ACCESS_KEY_ID: abc123
- AWS_SECRET_ACCESS_KEY: abc123
- AWS_DEFAULT_REGION: us-east-1
- command: "-jar DynamoDBLocal.jar -sharedDb"
diff --git a/codeship-steps.yml b/codeship-steps.yml
deleted file mode 100644
index d6e695a..0000000
--- a/codeship-steps.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: test
- service: test
- command: ./codeship/test.sh
-
-- name: deploy
- service: app
- tag: ^(main|develop)
- command: ./codeship/deploy.sh
-
-- name: push_develop
- service: app
- type: push
- image_name: silintl/serverless-mfa-api-go
- image_tag: "{{.Branch}}"
- exclude: main
- registry: https://index.docker.io/v1/
- encrypted_dockercfg_path: dockercfg.encrypted
-
-- name: push_production
- service: app
- type: push
- image_name: silintl/serverless-mfa-api-go
- image_tag: "latest"
- tag: main
- registry: https://index.docker.io/v1/
- encrypted_dockercfg_path: dockercfg.encrypted
diff --git a/codeship/build.sh b/scripts/build.sh
similarity index 100%
rename from codeship/build.sh
rename to scripts/build.sh
diff --git a/codeship/deploy.sh b/scripts/deploy.sh
similarity index 91%
rename from codeship/deploy.sh
rename to scripts/deploy.sh
index 3002e74..29053b2 100755
--- a/codeship/deploy.sh
+++ b/scripts/deploy.sh
@@ -11,7 +11,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 "$DIR"/build.sh
 # export appropriate env vars
-if [ "${CI_BRANCH}" == "develop" ];
+if [ "${GITHUB_REF_NAME}" == "develop" ];
 then
 STAGE="dev"
 export AWS_ACCESS_KEY_ID="${STG_AWS_ACCESS_KEY_ID}"
@@ -21,7 +21,7 @@ then
 export LAMBDA_ROLE="${STG_LAMBDA_ROLE}"
 export API_KEY_TABLE="${STG_API_KEY_TABLE}"
 export WEBAUTHN_TABLE="${STG_WEBAUTHN_TABLE}"
-elif [ "${CI_BRANCH}" == "main" ];
+elif [ "${GITHUB_REF_NAME}" == "main" ];
 then
 STAGE="production"
 export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}"
@@ -32,7 +32,7 @@ then
 export API_KEY_TABLE="${PRD_API_KEY_TABLE}"
 export WEBAUTHN_TABLE="${PRD_WEBAUTHN_TABLE}"
 else
- echo "deployments only happen from develop and main branches (branch: ${CI_BRANCH})"
+ echo "deployments only happen from develop and main branches (branch: ${GITHUB_REF_NAME})"
 exit 1
 fi
diff --git a/codeship/test.sh b/scripts/test.sh
similarity index 94%
rename from codeship/test.sh
rename to scripts/test.sh
index 4fcb4a5..f0140f0 100755
--- a/codeship/test.sh
+++ b/scripts/test.sh
@@ -7,7 +7,7 @@ set -e
 set -x
 # export appropriate AWS credentials for `serverless info`
-if [ "${CI_BRANCH}" == "main" ];
+if [ "${GITHUB_REF_NAME}" == "main" ];
 then
 STAGE="production"
 export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}"
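Review bot: The `==` inside single-bracket `[` on the rewritten `if` line (and on the `elif` in the -21 hunk and the `if` in scripts/test.sh) is a bash extension; POSIX `test` defines only `=`, which behaves identically in bash, so `if [ "${GITHUB_REF_NAME}" = "develop" ];` is the portable spelling — harmless as long as the shebang, which is outside this hunk, selects bash. Separately, `GITHUB_REF_NAME` is the tag name on a tag push, so the branch test here would also pass for a tag named `develop` or `main`; the workflow's `deploy` job is gated on `github.ref == 'refs/heads/...'`, so this only matters if the script is invoked another way, but forwarding `GITHUB_REF_TYPE` through actions-services.yml and checking `[ "${GITHUB_REF_TYPE}" = "branch" ]` first would let the script fail closed on its own. The `if`/`elif` chain continues past the end of each of the three hunks.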
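Review bot: `set -x` at the top of this hunk is still in effect when `export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}"` runs, so xtrace writes the expanded credential to the job log, and the secret-access-key export that follows (outside the hunk) is traced the same way. GitHub's log masking covers values registered from `secrets.*` on a best-effort basis and does not apply to values supplied through `vars.*`, so the trace should not carry key material at all: bracket the credential exports with `set +x` and `set -x`, or keep `-x` off until after them. The same applies to the export blocks in scripts/deploy.sh if it also runs under `set -x`, which is not visible in its hunks. The `if` block continues past the end of this hunk.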