diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index a7c810a3..407e3a21 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -15,10 +15,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
             role-to-assume: ${{ secrets.DEV_ROLE_ARN }}
             aws-region: ${{ secrets.AWS_REGION }}    
diff --git a/.github/workflows/deploy-mainnet.yml b/.github/workflows/deploy-mainnet.yml
new file mode 100644
index 00000000..cb6601e8
--- /dev/null
+++ b/.github/workflows/deploy-mainnet.yml
@@ -0,0 +1,33 @@
+name: CD for flyover-api Mainnet 
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  execute-command:
+    runs-on: ubuntu-latest
+    environment: mainnet
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+            role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+            aws-region: ${{ secrets.AWS_REGION }}    
+
+      - name: Execute deployment command on EC2 instance
+        run: |
+          aws ssm send-command \
+            --document-name "deployBEMainnetDocument" \
+            --instance-ids "$INSTANCE_ID" \
+            --document-version '$LATEST'
+          echo "Deploy sent to EC2 instance"
+        env:
+          INSTANCE_ID: ${{ secrets.MAINNET_INSTANCE_ID }}
diff --git a/.github/workflows/deploy-testnet.yml b/.github/workflows/deploy-testnet.yml
index e430d5c9..39ab9522 100644
--- a/.github/workflows/deploy-testnet.yml
+++ b/.github/workflows/deploy-testnet.yml
@@ -15,10 +15,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
             role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
             aws-region: ${{ secrets.AWS_REGION }}    
diff --git a/deploy/usr/local/libexec/do-deploy b/deploy/usr/local/libexec/do-deploy
new file mode 100644
index 00000000..abce308a
--- /dev/null
+++ b/deploy/usr/local/libexec/do-deploy
@@ -0,0 +1,3 @@
+# deploy script
+/home/ubuntu/flyover-deploy/liquidity-provider-server && docker system prune -f && git fetch --all &&  latestTag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
+&& git checkout $latestTag && docker-compose -f docker-compose.yml -f loki-mainnet.yml --env-file .env.mainnet up -d --build lps