diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 000000000..031924cdb
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,78 @@
+name: deploy
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: 'Docker image tag to deploy'
+        required: true
+        default: 'main'
+      environment:
+        description: 'Environment to deploy to'
+        required: true
+        default: 'stag'
+        options:
+          - stag
+          - prod
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GHCR package hash
+        id: get_package_hash
+        run: |
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+             gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /orgs/MinBZK/packages/container/tad/versions | jq '.[] | select(.metadata.container.tags | contains(["${{ inputs.image_tag }}"])) | .name' >> "$GITHUB_OUTPUT"
+          else
+             gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /orgs/MinBZK/packages/container/tad/versions | jq '.[] | select(.metadata.container.tags | contains(["main"])) | .name' >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get deploy environment
+        id: get_deploy_env
+        run: |
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+              if [ "${{ inputs.environment }}" == "prod" ]; then
+                  echo "production" >> "$GITHUB_OUTPUT"
+              else
+                  echo "staging" >> "$GITHUB_OUTPUT"
+              fi
+             echo "" >> "$GITHUB_OUTPUT"
+          else
+             echo "staging" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: check correct name
+        run: |
+            if [ -z "${{steps.get_package_hash.outputs}}" ]; then
+              echo "Variable is empty. Failing the workflow."
+              exit 1
+            fi
+
+
+      - name: Print deploy hash and environment
+        run: |
+           echo ${{ steps.get_package_hash.outputs }}
+           echo ${{ steps.get_deploy_env.outputs }}
+
+      - uses: actions/checkout@v4
+        with:
+          repository: '${{ github.server_url }}/minbzk/ai-validation-infra'
+          ssh-key: ${{ secrets.DEPLOY_KEY }}
+          ref: main
+          path: ai-validation-infra
+
+      - name: Make changes to the file
+        run: |
+          cd ai-validation-infra
+          sed -i 's/newTag: .*$/newTag: ${{ steps.get_package_hash.outputs }}/g' apps/tad/overlays/${{ steps.get_deploy_env.outputs }}/kustomization.yaml
+          git add apps/tad/overlays/${{ steps.get_deploy_env.outputs }}/kustomization.yaml
+          git commit -m "Update apps/tad/overlays/${{ steps.get_deploy_env.outputs }}/kustomization.yaml"
+          git push
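Review bot: `${{ inputs.image_tag }}` on the `gh api … | jq` line of "Get GHCR package hash" is expanded into the script text before bash runs, so a tag containing quotes or shell metacharacters becomes part of the command rather than data. The same applies to `${{ inputs.environment }}` and to the `${{ steps.*.outputs }}` expansions in the `sed` and `git` lines of the last step, which runs after the deploy key has been checked out. Pass these values through `env:` and read them as quoted shell variables, with `jq --arg` for the tag. Separately, every write to `$GITHUB_OUTPUT` lacks the `name=value` form and `steps.get_package_hash.outputs` is the whole outputs object, not a string, so the "check correct name" guard probably never sees an empty value and `sed` does not receive the hash. Write `hash=…` and reference `steps.get_package_hash.outputs.hash`; the sketch below covers the first step only, and the later steps need the same treatment.

```yaml
      - name: Get GHCR package hash
        id: get_package_hash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # inputs is empty on push events, so this falls back to 'main'
          IMAGE_TAG: ${{ inputs.image_tag || 'main' }}
        run: |
          hash="$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
            /orgs/MinBZK/packages/container/tad/versions \
            | jq --arg tag "$IMAGE_TAG" '.[] | select(.metadata.container.tags | contains([$tag])) | .name')"
          echo "hash=$hash" >> "$GITHUB_OUTPUT"
      # … remaining steps not shown: read outputs.hash / the environment via env: there …
```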