diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..e5282f7
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,54 @@
+name: Deploy application
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - template.yml
+      - package.json
+      - yarn.lock
+      - src/**
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check-project-std:
+    uses: ./.github/workflows/check-project-std.yml
+
+  deploy-application:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - uses: aws-actions/setup-sam@v2
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::127213743756:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-zendesk-toolkit
+
+      - name: Deploy CloudFormation stack
+        run: |
+          rm samconfig.toml
+          sam build && sam deploy \
+            --debug \
+            --region us-east-2 \
+            --no-confirm-changeset \
+            --no-fail-on-empty-changeset \
+            --stack-name zendesk-toolkit \
+            --resolve-s3 \
+            --no-progressbar \
+            --s3-prefix zendesk-toolkit \
+            --capabilities CAPABILITY_IAM \
+            --role-arn arn:aws:iam::127213743756:role/PRX-GHA-ServiceRoleForCloudFormation