diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 53f28b3e..aa0dc969 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,90 +1,20 @@
-stages:
-  - deploy
+workflow:
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    - if: '$CI_COMMIT_BRANCH == "development"'
+    - if: '$CI_COMMIT_BRANCH == "staging"'
+    - if: '$CI_COMMIT_BRANCH == "production"'
+    - when: never
 
-deploy-dev:
-  stage: deploy
-  image: alpine:3.20
-  variables:
-    DEPLOY_APP: "LTI-MBUGROUP"
-    # Opsional: kalau pakai submodule, ini bikin clone submodule pakai SSH juga
-    GIT_SUBMODULE_STRATEGY: recursive
-    GIT_DEPTH: "1"
+include:
+  - local: "ci/development.yml"
+    rules:
+      - if: '$CI_COMMIT_BRANCH == "development"'
 
-  before_script:
-    - echo "🧰 Installing dependencies..."
-    - apk update && apk add --no-cache openssh git curl bash
+  - local: "ci/staging.yml"
+    rules:
+      - if: '$CI_COMMIT_BRANCH == "staging"'
 
-    # Setup SSH di runner
-    - mkdir -p ~/.ssh
-    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
-    - chmod 600 ~/.ssh/id_rsa
-    - eval "$(ssh-agent -s)"
-    - ssh-add ~/.ssh/id_rsa
-
-    # Trust host keys (server + gitlab) biar SSH gak nanya interaktif
-    - ssh-keyscan -H "$SERVER_IP" >> ~/.ssh/known_hosts
-    - ssh-keyscan -H gitlab.com >> ~/.ssh/known_hosts
-
-  script:
-    - echo "🚀 Deploying latest code to $SERVER_USER@$SERVER_IP"
-
-    - >
-      if ssh -o StrictHostKeyChecking=no "$SERVER_USER@$SERVER_IP" "
-        set -e
-
-        cd /home/devops/docker/deployment/development/lti-api
-
-        # Pastikan remote origin SSH (antisipasi kalau pernah ke-set HTTPS)
-        git remote set-url origin git@gitlab.com:mbugroup/lti-api.git
-
-        # Pastikan server percaya gitlab.com juga (untuk git fetch via SSH)
-        mkdir -p ~/.ssh
-        ssh-keyscan -H gitlab.com >> ~/.ssh/known_hosts
-
-        # Fetch/reset pakai SSH
-        GIT_SSH_COMMAND='ssh -o StrictHostKeyChecking=no' git fetch origin development
-        git reset --hard origin/development
-
-        docker compose restart dev-api-lti || docker compose up -d dev-api-lti
-      "; then
-        STATUS='success';
-      else
-        STATUS='failed';
-      fi;
-
-      RUN_URL="${CI_PROJECT_URL}/-/pipelines/${CI_PIPELINE_ID}";
-
-      if [ "$STATUS" = "success" ]; then
-        COLOR=3066993;
-        TITLE="✅ Deployment API Succeeded";
-        DESC="Deployment job on branch \`${CI_COMMIT_REF_NAME}\` completed successfully.";
-      else
-        COLOR=15158332;
-        TITLE="❌ Deployment API Failed Gaes";
-        DESC="Deployment job on branch \`${CI_COMMIT_REF_NAME}\` failed.";
-      fi;
-
-      echo "{
-        \"username\": \"CI Bot\",
-        \"embeds\": [{
-          \"title\": \"$TITLE\",
-          \"description\": \"$DESC\",
-          \"color\": $COLOR,
-          \"fields\": [
-            {\"name\": \"Repository\", \"value\": \"${CI_PROJECT_PATH}\", \"inline\": true},
-            {\"name\": \"Actor\", \"value\": \"${GITLAB_USER_LOGIN}\", \"inline\": true},
-            {\"name\": \"Commit\", \"value\": \"${CI_COMMIT_SHA}\", \"inline\": false},
-            {\"name\": \"Pipeline\", \"value\": \"[Open run](${RUN_URL})\", \"inline\": false}
-          ]
-        }]
-      }" > payload.json;
-
-      echo "📡 Sending notification to Discord...";
-      curl -sS -H "Content-Type: application/json" \
-        -d @payload.json "$DISCORD_WEBHOOK_URL";
-
-  only:
-    - development
-
-  environment:
-    name: development
\ No newline at end of file
+  - local: "ci/production.yml"
+    rules:
+      - if: '$CI_COMMIT_BRANCH == "production"'
diff --git a/ci/development.yml b/ci/development.yml
new file mode 100644
index 00000000..43d574b9
--- /dev/null
+++ b/ci/development.yml
@@ -0,0 +1,90 @@
+stages:
+  - deploy
+
+deploy-dev:
+  stage: deploy
+  image: alpine:3.20
+  variables:
+    DEPLOY_APP: "LTI-MBUGROUP"
+    # Opsional: kalau pakai submodule, ini bikin clone submodule pakai SSH juga
+    GIT_SUBMODULE_STRATEGY: recursive
+    GIT_DEPTH: "1"
+
+  before_script:
+    - echo "🧰 Installing dependencies..."
+    - apk update && apk add --no-cache openssh git curl bash
+
+    # Setup SSH di runner
+    - mkdir -p ~/.ssh
+    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
+    - chmod 600 ~/.ssh/id_rsa
+    - eval "$(ssh-agent -s)"
+    - ssh-add ~/.ssh/id_rsa
+
+    # Trust host keys (server + gitlab) biar SSH gak nanya interaktif
+    - ssh-keyscan -H "$SERVER_IP" >> ~/.ssh/known_hosts
+    - ssh-keyscan -H gitlab.com >> ~/.ssh/known_hosts
+
+  script:
+    - echo "🚀 Deploying latest code to $SERVER_USER@$SERVER_IP"
+
+    - >
+      if ssh -o StrictHostKeyChecking=no "$SERVER_USER@$SERVER_IP" "
+        set -e
+
+        cd /home/devops/docker/deployment/development/lti-api
+
+        # Pastikan remote origin SSH (antisipasi kalau pernah ke-set HTTPS)
+        git remote set-url origin git@gitlab.com:mbugroup/lti-api.git
+
+        # Pastikan server percaya gitlab.com juga (untuk git fetch via SSH)
+        mkdir -p ~/.ssh
+        ssh-keyscan -H gitlab.com >> ~/.ssh/known_hosts
+
+        # Fetch/reset pakai SSH
+        GIT_SSH_COMMAND='ssh -o StrictHostKeyChecking=no' git fetch origin development
+        git reset --hard origin/development
+
+        docker compose restart dev-api-lti || docker compose up -d dev-api-lti
+      "; then
+        STATUS='success';
+      else
+        STATUS='failed';
+      fi;
+
+      RUN_URL="${CI_PROJECT_URL}/-/pipelines/${CI_PIPELINE_ID}";
+
+      if [ "$STATUS" = "success" ]; then
+        COLOR=3066993;
+        TITLE="✅ Deployment API Succeeded";
+        DESC="Deployment job on branch \`${CI_COMMIT_REF_NAME}\` completed successfully.";
+      else
+        COLOR=15158332;
+        TITLE="❌ Deployment API Failed Gaes";
+        DESC="Deployment job on branch \`${CI_COMMIT_REF_NAME}\` failed.";
+      fi;
+
+      echo "{
+        \"username\": \"CI Bot\",
+        \"embeds\": [{
+          \"title\": \"$TITLE\",
+          \"description\": \"$DESC\",
+          \"color\": $COLOR,
+          \"fields\": [
+            {\"name\": \"Repository\", \"value\": \"${CI_PROJECT_PATH}\", \"inline\": true},
+            {\"name\": \"Actor\", \"value\": \"${GITLAB_USER_LOGIN}\", \"inline\": true},
+            {\"name\": \"Commit\", \"value\": \"${CI_COMMIT_SHA}\", \"inline\": false},
+            {\"name\": \"Pipeline\", \"value\": \"[Open run](${RUN_URL})\", \"inline\": false}
+          ]
+        }]
+      }" > payload.json;
+
+      echo "📡 Sending notification to Discord...";
+      curl -sS -H "Content-Type: application/json" \
+        -d @payload.json "$DISCORD_WEBHOOK_URL";
+
+  only:
+    - development
+
+  environment:
+    name: development
diff --git a/ci/production.yml b/ci/production.yml
new file mode 100644
index 00000000..511a9eff
--- /dev/null
+++ b/ci/production.yml
@@ -0,0 +1,133 @@
+stages:
+  - build
+  - migrate
+  - deploy
+  - seed
+
+default:
+  tags:
+    - self-hosted-prod
+
+workflow:
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+      when: always
+    - when: never
+
+variables:
+  DOCKER_BUILDKIT: "1"
+
+  IMAGE_TAG: "production_${CI_COMMIT_SHORT_SHA}"
+  IMAGE_NAME: "${CI_REGISTRY_IMAGE}:${IMAGE_TAG}"
+  IMAGE_LATEST: "${CI_REGISTRY_IMAGE}:production_latest"
+
+  DEPLOY_DIR: "/opt/deploy/lti"
+  COMPOSE_FILE: "docker-compose.yaml"
+
+# =========================
+# BUILD (AUTO) 
+# =========================
+build_production:
+  stage: build
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+  script: |
+    set -e
+    docker info
+
+    echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+
+    echo "✅ Build image: $IMAGE_NAME"
+    docker build -t "$IMAGE_NAME" -f Dockerfile .
+
+    echo "✅ Push image: $IMAGE_NAME"
+    docker push "$IMAGE_NAME"
+
+    echo "✅ Tag latest: $IMAGE_LATEST"
+    docker tag "$IMAGE_NAME" "$IMAGE_LATEST"
+    docker push "$IMAGE_LATEST"
+
+
+# =========================
+# MIGRATE (PRODUCTION - MANUAL)
+# =========================
+migrate_production:
+  stage: migrate
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+      when: manual
+      allow_failure: false
+  needs:
+    - job: build_production
+      artifacts: false
+  script: |
+    set -e
+    cd /opt/deploy/lti
+    test -f .env || (echo "❌ .env not found" && exit 1)
+
+    set -a
+    . ./.env
+    set +a
+
+    # Validasi env wajib
+    : "${DB_HOST:?DB_HOST not set}"
+    : "${DB_PORT:?DB_PORT not set}"
+    : "${DB_USER:?DB_USER not set}"
+    : "${DB_PASSWORD:?DB_PASSWORD not set}"
+    : "${DB_NAME:?DB_NAME not set}"
+
+    DB_SSLMODE="${DB_SSLMODE:-require}"
+    export DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=${DB_SSLMODE}"
+
+    echo "✅ Running migrations (production)..."
+    docker run --rm \
+      -v "$CI_PROJECT_DIR/internal/database/migrations:/migrations:ro" \
+      migrate/migrate:v4.15.2 \
+      -path=/migrations -database "$DATABASE_URL" up
+
+
+# =========================
+# DEPLOY (AUTO)
+# =========================
+deploy_production:
+  stage: deploy
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+  needs:
+    - job: migrate_production
+      artifacts: false
+    - job: build_production
+      artifacts: false
+  script: |
+    set -e
+    docker info
+    echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+
+    cd "$DEPLOY_DIR"
+    test -f "$COMPOSE_FILE" || (echo "❌ $COMPOSE_FILE not found in $DEPLOY_DIR" && exit 1)
+    test -f .env || (echo "❌ .env not found in $DEPLOY_DIR" && exit 1)
+
+    docker compose -f "$COMPOSE_FILE" pull
+    docker compose -f "$COMPOSE_FILE" up -d --force-recreate
+    docker image prune -f
+
+
+# =========================
+# SEED (MANUAL)
+# =========================
+seed_production:
+  stage: seed
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "production"'
+      when: manual
+  script: |
+    set -e
+    cd /opt/deploy/lti
+    test -f .env || (echo "❌ .env not found" && exit 1)
+
+    echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+
+    docker compose --env-file .env pull seed
+    docker compose --env-file .env run --rm seed
+
+
diff --git a/ci/staging.yml b/ci/staging.yml
new file mode 100644
index 00000000..511a9eff
--- /dev/null
+++ b/ci/staging.yml
@@ -0,0 +1,133 @@
+stages:
+  - build
+  - migrate
+  - deploy
+  - seed
+
+default:
+  tags:
+    - self-hosted-prod
+
+workflow:
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+      when: always
+    - when: never
+
+variables:
+  DOCKER_BUILDKIT: "1"
+
+  IMAGE_TAG: "production_${CI_COMMIT_SHORT_SHA}"
+  IMAGE_NAME: "${CI_REGISTRY_IMAGE}:${IMAGE_TAG}"
+  IMAGE_LATEST: "${CI_REGISTRY_IMAGE}:production_latest"
+
+  DEPLOY_DIR: "/opt/deploy/lti"
+  COMPOSE_FILE: "docker-compose.yaml"
+
+# =========================
+# BUILD (AUTO) 
+# =========================
+build_production:
+  stage: build
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+  script: |
+    set -e
+    docker info
+
+    echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+
+    echo "✅ Build image: $IMAGE_NAME"
+    docker build -t "$IMAGE_NAME" -f Dockerfile .
+
+    echo "✅ Push image: $IMAGE_NAME"
+    docker push "$IMAGE_NAME"
+
+    echo "✅ Tag latest: $IMAGE_LATEST"
+    docker tag "$IMAGE_NAME" "$IMAGE_LATEST"
+    docker push "$IMAGE_LATEST"
+
+
+# =========================
+# MIGRATE (PRODUCTION - MANUAL)
+# =========================
+migrate_production:
+  stage: migrate
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+      when: manual
+      allow_failure: false
+  needs:
+    - job: build_production
+      artifacts: false
+  script: |
+    set -e
+    cd /opt/deploy/lti
+    test -f .env || (echo "❌ .env not found" && exit 1)
+
+    set -a
+    . ./.env
+    set +a
+
+    # Validasi env wajib
+    : "${DB_HOST:?DB_HOST not set}"
+    : "${DB_PORT:?DB_PORT not set}"
+    : "${DB_USER:?DB_USER not set}"
+    : "${DB_PASSWORD:?DB_PASSWORD not set}"
+    : "${DB_NAME:?DB_NAME not set}"
+
+    DB_SSLMODE="${DB_SSLMODE:-require}"
+    export DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=${DB_SSLMODE}"
+
+    echo "✅ Running migrations (production)..."
+    docker run --rm \
+      -v "$CI_PROJECT_DIR/internal/database/migrations:/migrations:ro" \
+      migrate/migrate:v4.15.2 \
+      -path=/migrations -database "$DATABASE_URL" up
+
+
+# =========================
+# DEPLOY (AUTO)
+# =========================
+deploy_production:
+  stage: deploy
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
+  needs:
+    - job: migrate_production
+      artifacts: false
+    - job: build_production
+      artifacts: false
+  script: |
+    set -e
+    docker info
+    echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+
+    cd "$DEPLOY_DIR"
+    test -f "$COMPOSE_FILE" || (echo "❌ $COMPOSE_FILE not found in $DEPLOY_DIR" && exit 1)
+    test -f .env || (echo "❌ .env not found in $DEPLOY_DIR" && exit 1)
+
+    docker compose -f "$COMPOSE_FILE" pull
+    docker compose -f "$COMPOSE_FILE" up -d --force-recreate
+    docker image prune -f
+
+
+# =========================
+# SEED (MANUAL)
+# =========================
+seed_production:
+  stage: seed
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "production"'
+      when: manual
+  script: |
+    set -e
+    cd /opt/deploy/lti
+    test -f .env || (echo "❌ .env not found" && exit 1)
+
+    echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+
+    docker compose --env-file .env pull seed
+    docker compose --env-file .env run --rm seed
+
+