diff --git a/.github/workflows/sst.yml b/.github/workflows/sst.yml
new file mode 100644
index 0000000..26130ed
--- /dev/null
+++ b/.github/workflows/sst.yml
@@ -0,0 +1,28 @@
+name: SST
+on:
+  push:
+    branches:
+      - main
+      - sst
+
+concurrency:
+  group: sst-prod
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  prod:
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://t.me/bubby_bot
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::611714419758:role/GitHub
+          aws-region: us-east-1
+      - run: pnpm deploy --stage prod
diff --git a/sst.config.ts b/sst.config.ts
index 6aba7fa..9f6668e 100644
--- a/sst.config.ts
+++ b/sst.config.ts
@@ -1,5 +1,6 @@
 import { SSTConfig } from "sst";
 import { API } from "./stacks/MyStack";
+import { GitHub } from "./stacks/ProdStack";
 
 export default {
   config(_input) {
@@ -9,6 +10,6 @@ export default {
     };
   },
   stacks(app) {
-    app.stack(API);
-  }
+    app.stack(API).stack(GitHub);
+  },
 } satisfies SSTConfig;
diff --git a/stacks/ProdStack.ts b/stacks/ProdStack.ts
new file mode 100644
index 0000000..d8ebdab
--- /dev/null
+++ b/stacks/ProdStack.ts
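Review bot: The final `run: pnpm deploy --stage prod` step executes with only `actions/checkout@v4` before it — no Node/pnpm setup and no dependency install — so on a stock `ubuntu-latest` runner pnpm is unlikely to be on PATH and `node_modules` will certainly be absent. Note also that `deploy` is a pnpm built-in command, so if the intent is a package.json script it should be invoked as `pnpm run deploy --stage prod`; package.json is not in this diff, so I cannot confirm which is meant. A setup block of `- uses: pnpm/action-setup@v2`, `- uses: actions/setup-node@v4` with `cache: pnpm`, and `- run: pnpm install --frozen-lockfile` placed before the deploy step would address both. Separately, pushes to the `sst` branch deploy to the production environment alongside `main`; if that is a temporary bootstrap branch, a comment on the `branches:` list saying so would help the next reader.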
@@ -0,0 +1,34 @@
+import {
+  ManagedPolicy,
+  OpenIdConnectPrincipal,
+  OpenIdConnectProvider,
+  Role,
+} from "aws-cdk-lib/aws-iam";
+import { StackContext } from "sst/constructs";
+
+export function GitHub({ app, stack }: StackContext) {
+  if (app.stage !== "prod") {
+    return;
+  }
+
+  // https://docs.sst.dev/going-to-production#stacks-setup
+  const provider = new OpenIdConnectProvider(stack, "GitHub", {
+    url: "https://token.actions.githubusercontent.com",
+    clientIds: ["sts.amazonaws.com"],
+  });
+
+  new Role(stack, "GitHubActionsRole", {
+    assumedBy: new OpenIdConnectPrincipal(provider).withConditions({
+      StringLike: {
+        "token.actions.githubusercontent.com:sub":
+          // https://github.com/daohoangson/bubby
+          `repo:daohoangson/bubby:*`,
+      },
+    }),
+    description: "Role assumed for deploying from GitHub CI using AWS CDK",
+    managedPolicies: [
+      ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess"),
+    ],
+    roleName: "GitHub",
+  });
+}
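Review bot: The `StringLike` subject condition `repo:daohoangson/bubby:*` in the `withConditions` call lets any workflow run in the repository — any branch, tag, or pull_request-triggered job — assume a role that carries `AdministratorAccess`, which is far broader than the single production deployment this role exists for. Because the workflow's `prod` job declares `environment: production`, the OIDC `sub` claim for that job is `repo:daohoangson/bubby:environment:production`, so the condition can be narrowed to exactly that value (or to `repo:daohoangson/bubby:ref:refs/heads/main` if the environment binding is dropped), and with an exact value `StringEquals` is the right operator rather than `StringLike`. It is also worth adding `"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"` under `StringEquals` so the token audience is checked in the trust policy and not only via the provider's `clientIds`. Finally, since this stack only runs for the `prod` stage and creates the very role the workflow assumes, a short comment above `export function GitHub` noting that the first prod deploy must be run with a local or otherwise pre-existing credential would save the next maintainer a puzzling failed run.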