diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 00000000..003d8b57
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,69 @@
+name: Deploy
+
+on:
+ workflow_run:
+ workflows: [Docker build and publish]
+ types:
+ - completed
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - name: "Configure"
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{vars.AWS_REGION}}
+ aws-access-key-id: ${{ secrets.DEPLOY_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.DEPLOY_ACCESS_KEY }}
+
+ - name: install oathtool
+ run: sudo apt-get install -y oathtool jq
+
+ - id: auth
+ name: Authenticate to STS
+ run: |
+ mfa_serial="arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:mfa/${{vars.MFA_ID}}"
+ mfa_code=$(oathtool -b --totp ${{secrets.MFA_KEY}})
+ STS=$(aws sts get-session-token --region "${{vars.AWS_REGION}}" --serial-number "$mfa_serial" --token-code "$mfa_code")
+
+ aws_access_key_id=$(echo "$STS" | jq -r '.Credentials.AccessKeyId')
+ echo "::add-mask::$aws_access_key_id"
+ aws_secret_access_key=$(echo "$STS" | jq -r '.Credentials.SecretAccessKey')
+ echo "::add-mask::$aws_secret_access_key"
+ aws_session_token=$(echo "$STS" | jq -r '.Credentials.SessionToken')
+ echo "::add-mask::$aws_session_token"
+
+ echo "AWS_ACCESS_KEY_ID=$aws_access_key_id" >> "$GITHUB_OUTPUT"
+ echo "AWS_SECRET_ACCESS_KEY=$aws_secret_access_key" >> "$GITHUB_OUTPUT"
+ echo "AWS_SESSION_TOKEN=$aws_session_token" >> "$GITHUB_OUTPUT"
+
+ - name: Assume role
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{vars.AWS_REGION}}
+ aws-access-key-id: ${{ steps.auth.outputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ steps.auth.outputs.AWS_SECRET_ACCESS_KEY }}
+ aws-session-token: ${{ steps.auth.outputs.AWS_SESSION_TOKEN }}
+ role-skip-session-tagging: true
+ role-to-assume: "arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:role/eks-${{vars.AWS_USER}}"
+
+ - uses: actions/checkout@v2
+
+ - name: Update kubeconfig
+ run: |
+ aws eks update-kubeconfig --name ${{vars.CLUSTER}} --region ${{vars.AWS_REGION}}
+ helm repo add medic https://docs.communityhealthtoolkit.org/helm-charts
+
+ - name: Upgrade users-chis-civ
+ run: |
+ helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-civ.yaml users-chis-civ medic/cht-user-management
+
+ - name: Upgrade users-chis-tg
+ run: |
+ helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-tg.yaml users-chis-tg medic/cht-user-management
+
+ - name: Upgrade users-chis-ke
+ run: |
+ helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-ke.yaml users-chis-ke medic/cht-user-management
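Review bot: The `Authenticate to STS` step keeps the TOTP seed (`secrets.MFA_KEY`) in the same secret store as the long-lived IAM user keys (`DEPLOY_KEY_ID`/`DEPLOY_ACCESS_KEY`), so anyone who can read repository secrets or run a workflow in this repo holds both factors at once — the MFA gate adds no real second factor, and the static keys still never rotate. GitHub's OIDC provider removes the static credentials entirely: set `permissions: id-token: write` and `contents: read` on the workflow, pass only `role-to-assume` to `configure-aws-credentials`, and drop the `oathtool`/`get-session-token` and intermediate-credential steps (this presumes the `eks-*` role's trust policy can be changed to trust `token.actions.githubusercontent.com` with a `sub` condition scoped to this repository and branch). The `if:` guard only checks the upstream run's conclusion; if `Docker build and publish` also runs for non-default branches, a branch build would trigger a production deploy, so add `&& github.event.workflow_run.head_branch == github.event.repository.default_branch`, and give `actions/checkout` a `ref: ${{ github.event.workflow_run.head_sha }}` so the `scripts/deploy/values/*.yaml` files match the image that was actually built rather than whatever the default branch holds at deploy time. `actions/checkout@v2` runs on a deprecated Node runtime and both actions are pinned only to mutable tags; pin each to a full commit SHA with the version in a trailing comment (e.g. `actions/checkout@<sha> # v4`).

```yaml
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == github.event.repository.default_branch }}
    steps:
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_NUMBER }}:role/eks-${{ vars.AWS_USER }}"
          role-skip-session-tagging: true

      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      # … unchanged: Update kubeconfig and the three helm upgrade steps …
```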