diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b27f200..29c033b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
   qa:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
           python-version: "3.9"
@@ -19,7 +19,7 @@ jobs:
     needs: qa
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
           python-version: "3.9"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..55f72cf
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,66 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - feature/actions_deploy
+  # workflow_run:
+  #   workflows: [Build and Publish] # Only run this once Build and Publish has succeeded (image is available)
+  #   types: [completed]
+  #   branches: [develop, feature/actions_deploy] # Only deploy develop branch to our CI dev instance
+
+permissions:
+  id-token: write
+  contents: read
+  actions: read
+
+jobs:
+  deploy:
+    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    environment: develop
+    steps:
+      - name: checkout the Helm charts to deploy our published instance
+        uses: actions/checkout@v4
+        with:
+          repository: ImperialCollegeLondon/helm-invenio
+          path: helm-invenio
+          ref: imperial_deployment
+
+      - name: Login to Azure to deploy our chart
+        uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Gets K8s context
+        uses: azure/aks-set-context@v4
+        with:
+          resource-group: ${{ vars.RESOURCE_GROUP }}
+          cluster-name: ${{ vars.CLUSTER_NAME }}
+        id: login
+
+      - name: Configure deployment
+        uses: azure/k8s-bake@v3
+        with:
+          renderEngine: "helm"
+          helmChart: ${{ vars.CHART_PATH }}
+          overrideFiles: ${{ vars.CHART_OVERRIDE_PATH }}
+          helm-version: "latest"
+          releaseName: "develop"
+          namespace: invenio
+          overrides: |
+            invenio.secret_key: ${{ secrets.INVENIO_SECRET_KEY }}
+            invenio.security_login_salt: ${{ secrets.INVENIO_SECURITY_LOGIN_SALT }}
+            invenio.csrf_secret_salt: ${{ secrets.INVENIO_CSRF_SECRET_SALT }}
+            invenio.extraConfig.ICL_OAUTH_CLIENT_ID: ${{ vars.ICL_OAUTH_CLIENT_ID }}
+            invenio.extraConfig.ICL_OAUTH_CLIENT_SECRET: ${{ secrets.ICL_OAUTH_CLIENT_SECRET }}
+            invenio.extraConfig.ICL_OAUTH_WELL_KNOWN_URL: ${{ vars.ICL_OAUTH_WELL_KNOWN_URL }}
+            rabbitmq.auth.password: ${{ secrets.RABBITMQ_AUTH_PASSWORD }}
+            postgresql.auth.password: ${{ secrets.POSTGRESQL_AUTH_PASSWORD }}
+            invenio.web.image: ${{ vars.IMAGE_NAME }}
+        id: bake
+      - name: Deploys application
+        uses: Azure/k8s-deploy@v5
+        with:
+          manifests: ${{ steps.bake.outputs.manifestsBundle }}
+          namespace: invenio