diff --git a/.github/workflows/k8s-deploy.yml b/.github/workflows/k8s-deploy.yml
new file mode 100644
index 0000000..b9b9910
--- /dev/null
+++ b/.github/workflows/k8s-deploy.yml
@@ -0,0 +1,81 @@
+name: k8s-deploy
+
+on:
+  push:
+    branches:
+      - main
+      - k8s-deploy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  production-deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out latest commit
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: osuAkatsuki/akatsuki-api
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/akatsuki-api:latest
+            ${{ secrets.DOCKERHUB_USERNAME }}/akatsuki-api:${{ github.sha }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Get kubeconfig from github secrets
+        run: |
+            mkdir -p $HOME/.kube
+            echo "${{ secrets.KUBECONFIG }}" > $HOME/.kube/config
+            sudo chown $(id -u):$(id -g) $HOME/.kube/config
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: "latest"
+          token: ${{ secrets.GITHUB_TOKEN }}
+        id: install
+
+      - name: Install helm-diff
+        run: helm plugin install https://github.com/databus23/helm-diff
+
+      - name: Checkout common-helm-charts repo
+        uses: actions/checkout@v3
+        with:
+          repository: osuAkatsuki/common-helm-charts
+          token: ${{ secrets.COMMON_HELM_CHARTS_PAT }}
+          path: common-helm-charts
+
+      - name: Show manifest diff since previous release
+        run: |
+          helm diff upgrade \
+          --allow-unreleased \
+          --values chart/values.yaml \
+          akatsuki-api-production \
+          common-helm-charts/microservice-base/
+      - name: Deploy service to production cluster
+        run: |
+          helm upgrade \
+            --install \
+            --atomic \
+            --wait --timeout 480s \
+            --values chart/values.yaml \
+            akatsuki-api-production \
+            common-helm-charts/microservice-base/
diff --git a/chart/values.yaml b/chart/values.yaml
index c40edac..b1577c6 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,11 +1,19 @@
-app:
-  name: akatsuki-api
-  environment: staging
-  group: backend
-  container:
-    image:
-      repository: registry.digitalocean.com/akatsuki/akatsuki-api
-      tag: latest
-    imagePullSecrets:
-      - name: akatsuki
-    port: 80
+apps:
+  - name: akatsuki-api
+    environment: production
+    codebase: akatsuki-api
+    replicaCount: 1
+    container:
+      image:
+        repository: osuakatsuki/akatsuki-api
+        tag: latest
+      port: 80
+      env:
+        - name: APP_COMPONENT
+          value: api
+      imagePullSecrets:
+        - name: osuakatsuki-registry-secret
+        # - name: registry-akatsuki
+    service:
+      type: ClusterIP
+      port: 80
diff --git a/scripts/start.sh b/scripts/start.sh
index d4afa2a..c7429b4 100755
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -14,7 +14,8 @@ fi
 if [[ $PULL_SECRETS_FROM_VAULT -eq 1 ]]; then
   # TODO: is there a better way to deal with this?
   pip install --break-system-packages -i $PYPI_INDEX_URL akatsuki-cli
-  akatsuki vault get akatsuki-api $APP_ENV -o .env
+  # TODO: revert to $APP_ENV
+  akatsuki vault get akatsuki-api production-k8s -o .env
   source .env
 fi