diff --git a/.github/workflows/cd-production.yml b/.github/workflows/cd-production.yml new file mode 100644 index 0000000..51d004f --- /dev/null +++ b/.github/workflows/cd-production.yml @@ -0,0 +1,35 @@ +name: Deploy Kaapi to EC2 Production + +on: + push: + tags: + - "v*" # Deploy only when tags like v1.0.0, v2.1.0, etc., are created + +jobs: + deploy: + runs-on: ubuntu-latest + environment: AWS_PRODUCTION_ENV + + permissions: + packages: write + contents: read + attestations: write + id-token: write + + steps: + - name: Checkout Repository + uses: actions/checkout@v6 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + aws-region: ${{ secrets.AWS_REGION }} + + - name: Deploy via SSM + run: | + aws ssm send-command \ + --instance-ids "${{ secrets.EC2_INSTANCE_ID }}" \ + --document-name "AWS-RunShellScript" \ + --parameters 'commands=["git config --global --add safe.directory ${{ secrets.BUILD_DIRECTORY }} && set -e && cd ${{ secrets.BUILD_DIRECTORY }} && git pull origin release && npm ci && npm run build && pm2 start ${{ secrets.PM2_APP_NAME }}"]' \ + --region ${{ secrets.AWS_REGION }} diff --git a/.github/workflows/cd-staging.yml b/.github/workflows/cd-staging.yml new file mode 100644 index 0000000..2ef7bf9 --- /dev/null +++ b/.github/workflows/cd-staging.yml 
@@ -0,0 +1,35 @@ +name: Deploy Kaapi to EC2 Staging + +on: + push: + branches: + - feat/frontend-cicd-deployment + +jobs: + deploy: + runs-on: ubuntu-latest + environment: AWS_STAGING_ENV + + permissions: + packages: write + contents: read + attestations: write + id-token: write + + steps: + - name: Checkout Repository + uses: actions/checkout@v6 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + aws-region: ${{ secrets.AWS_REGION }} + + - name: Deploy via SSM + run: | + aws ssm send-command \ + --instance-ids "${{ secrets.EC2_INSTANCE_ID }}" \ + --document-name "AWS-RunShellScript" \ + --parameters 'commands=["git config --global --add safe.directory ${{ secrets.BUILD_DIRECTORY }} && set -e && cd ${{ secrets.BUILD_DIRECTORY }} && git pull origin main && npm ci && npm run build && pm2 start ${{ secrets.PM2_APP_NAME }}"]' \ + --region ${{ secrets.AWS_REGION }} diff --git a/README.md b/README.md index 67701c9..6911dbe 100644 --- a/README.md +++ b/README.md 
@@ -137,20 +137,27 @@ Deployments are automated via a GitHub Actions CD pipeline that SSHes into the E ### Branch Strategy -| Branch | Environment | -| --------- | ----------- | -| `main` | Staging | -| `release` | Production | +| Trigger | Environment | +| ------------------------------------- | ----------- | +| Push to `main` | Staging | +| Tag matching `v*.*.*` (e.g. `v1.0.0`) | Production | ### Pipeline Steps -On every push to `main` or `release`, the pipeline automatically: +**Staging** — on every push to `main`, the pipeline automatically: 1. SSHes into the EC2 instance 2. Runs `git pull` to fetch the latest code 3. Runs `npm run build` to create an optimized production build 4. Restarts the server to apply the new build +**Production** — on every version tag (e.g. `v1.0.0`, `v2.1.0`), the pipeline automatically: + +1. SSHes into the EC2 instance +2. Runs `git fetch --tags` and checks out the tag +3. Runs `npm run build` to create an optimized production build +4. Restarts the server to apply the new build + --- ## Learn More
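Review bot: In `.github/workflows/cd-production.yml`, the `Deploy via SSM` step runs `git pull origin release` although the workflow is triggered by a `v*` tag, so the instance builds whatever is at the head of `release` when the command runs, not the commit the tag points to. Pass the triggering tag (`github.ref_name`, validated against the expected version pattern) into the remote command and replace the pull with `git fetch --tags` plus a checkout of that tag, which is what the README change in this patch documents. The `permissions` block also grants `packages: write` and `attestations: write`, which no step in this job uses; `id-token: write` for the role assumption and `contents: read` for the checkout are sufficient.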
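Review bot: In `.github/workflows/cd-staging.yml`, `on.push.branches` lists `feat/frontend-cicd-deployment` while the remote command runs `git pull origin main` and the README names pushes to `main` as the staging trigger, so as written a push to `main` deploys nothing and a push to the feature branch redeploys `main`. Change the branch filter to `main` before merging. Separately, `aws ssm send-command` returns once the command is queued, so this step succeeds even when `npm ci` or `npm run build` fails on the instance; capture the returned `CommandId` and follow it with `aws ssm wait command-executed` (or inspect `aws ssm get-command-invocation`) so the job status reflects the remote result. The production workflow has the same gap.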
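Review bot: In the README hunk, step 1 of both lists (and the unchanged sentence in the hunk header) still says the pipeline "SSHes into the EC2 instance", but both workflows added in this patch use `aws ssm send-command` with `AWS-RunShellScript` and open no SSH session; reword to describe SSM so readers do not go looking for SSH keys or an open port 22. Production step 2 documents `git fetch --tags` and a tag checkout, while the workflow runs `git pull origin release`; one of the two needs to change. The table gives the trigger as `v*.*.*`, but the workflow filter is `v*`, which also matches tags that are not version numbers. The `npm ci` step that both workflows run is missing from the lists.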