diff --git a/.gitea/workflows/code-analysis.yml b/.gitea/workflows/code-analysis.yml
index bbbe5cf..f3fe56c 100644
--- a/.gitea/workflows/code-analysis.yml
+++ b/.gitea/workflows/code-analysis.yml
@@ -1,4 +1,4 @@
-name: Code Analysis (JS/Vue)
+name: Code Analysis and Production Deploy
 on:
 pull_request:
@@ -88,3 +88,34 @@ jobs:
 ./osv-scanner --version
 test -f ./package-lock.json
 ./osv-scanner --lockfile ./package-lock.json
+
+ deploy-production:
+ runs-on: ubuntu-latest
+ needs: analyze
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ steps:
+ - name: Prepare SSH
+ run: |
+ set -euo pipefail
+
+ mkdir -p ~/.ssh
+ printf "%s" "${{ secrets.PROD_SSH_KEY }}" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ ssh-keyscan -p "${{ secrets.PROD_PORT }}" "${{ secrets.PROD_HOST }}" >> ~/.ssh/known_hosts
+
+ - name: Test SSH connection
+ run: |
+ ssh -i ~/.ssh/id_ed25519 \
+ -o StrictHostKeyChecking=no \
+ -o BatchMode=yes \
+ -p "${{ secrets.PROD_PORT }}" \
+ "${{ secrets.PROD_USER }}@${{ secrets.PROD_HOST }}" \
+ "echo SSH OK"
+
+ - name: Run production deployment script
+ run: |
+ ssh -i ~/.ssh/id_ed25519 \
+ -o BatchMode=yes \
+ -p "${{ secrets.PROD_PORT }}" \
+ "${{ secrets.PROD_USER }}@${{ secrets.PROD_HOST }}" \
+ "bash -lc 'cd /var/www/harheimertc && ./deploy-production.sh'"
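Review bot: The new `deploy-production` job never verifies the production host key. The "Test SSH connection" step passes `-o StrictHostKeyChecking=no`, and the `known_hosts` entry used by the deployment step is filled by `ssh-keyscan` at job time, so whichever host answers is trusted before the production key is offered. Store the server's public host key in a secret (the placeholder name `PROD_KNOWN_HOSTS` below), write it to `~/.ssh/known_hosts` in place of the keyscan, and use `-o StrictHostKeyChecking=yes` in both ssh calls. The secrets are also expanded by `${{ }}` directly into the script text, so a value containing a quote or `$` gets parsed by the shell (passing them through `env:` avoids that), and `printf "%s"` writes the key without a final newline, which OpenSSH may reject depending on how the secret was saved. The `on:` block lies mostly outside the hunks, so whether a `push` trigger exists for the `if:` condition cannot be checked from here.

```yaml
      - name: Prepare SSH
        env:
          PROD_SSH_KEY: ${{ secrets.PROD_SSH_KEY }}
          # placeholder secret name: the server's public host key line(s),
          # recorded out of band rather than scanned at deploy time
          PROD_KNOWN_HOSTS: ${{ secrets.PROD_KNOWN_HOSTS }}
        run: |
          set -euo pipefail
          # create ~/.ssh and the key file private from the start
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$PROD_SSH_KEY" > ~/.ssh/id_ed25519
          # … unchanged: chmod 600 on the key file …
          printf '%s\n' "$PROD_KNOWN_HOSTS" > ~/.ssh/known_hosts
```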