diff --git a/ci/production.yml b/ci/production.yml
index 930d15f4..48bf64fb 100644
--- a/ci/production.yml
+++ b/ci/production.yml
@@ -49,40 +49,80 @@ build_production:
 
 
 # =========================
-# MIGRATE (PRODUCTION - MANUAL)
+# MIGRATE (PRODUCTION)
 # =========================
 migrate_production:
   stage: migrate
   rules:
-    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"' 
-      allow_failure: false
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "production"'
   needs:
     - job: build_production
       artifacts: false
   script: |
     set -e
-    cd /opt/deploy/lti
-    test -f .env || (echo "❌ .env not found" && exit 1)
+    echo "✅ Running migrations (production) ..."
 
+    cd "$DEPLOY_DIR"
+    test -f "$COMPOSE_FILE" || (echo "❌ $COMPOSE_FILE not found in $DEPLOY_DIR" && exit 1)
+    test -f .env || (echo "❌ .env not found in $DEPLOY_DIR" && exit 1)
+
+    # ✅ load env dari server
     set -a
     . ./.env
     set +a
 
-    # Validasi env wajib
-    : "${DB_HOST:?DB_HOST not set}"
-    : "${DB_PORT:?DB_PORT not set}"
-    : "${DB_USER:?DB_USER not set}"
-    : "${DB_PASSWORD:?DB_PASSWORD not set}"
-    : "${DB_NAME:?DB_NAME not set}"
+    # ✅ validasi
+    test -n "$DB_HOST" || (echo "❌ DB_HOST empty" && exit 1)
+    test -n "$DB_PORT" || (echo "❌ DB_PORT empty" && exit 1)
+    test -n "$DB_USER" || (echo "❌ DB_USER empty" && exit 1)
+    test -n "$DB_PASSWORD" || (echo "❌ DB_PASSWORD empty" && exit 1)
+    test -n "$DB_NAME" || (echo "❌ DB_NAME empty" && exit 1)
 
-    DB_SSLMODE="${DB_SSLMODE:-require}"
-    export DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=${DB_SSLMODE}"
+    export DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=${DB_SSLMODE:-disable}"
+    echo "✅ DATABASE_URL=$DATABASE_URL"
 
-    echo "✅ Running migrations (production)..."
-    docker run --rm \
-      -v "/opt/deploy/lti/internal/database/migrations:/migrations:ro" \
+    # ✅ Pastikan postgres & redis ON (sesuaikan nama service compose kamu!)
+    echo "✅ Ensuring postgres & redis running ..."
+    docker compose -f "$COMPOSE_FILE" up -d stg-postgres-lti stg-redis-lti || true
+
+    # ✅ Ambil network key dari compose
+    COMPOSE_NETWORK_KEY="$(docker compose -f "$COMPOSE_FILE" config | awk '/networks:/ {getline; print $1}' | tr -d ':')"
+    echo "✅ Compose network key: $COMPOSE_NETWORK_KEY"
+
+    # ✅ Cari network name yang dipakai docker
+    NETWORK_NAME="$(docker network ls --format '{{.Name}}' | grep "_${COMPOSE_NETWORK_KEY}$" | head -n 1)"
+    test -n "$NETWORK_NAME" || (echo "❌ Cannot find docker network for compose ($COMPOSE_NETWORK_KEY)" && exit 1)
+
+    echo "✅ Docker network detected: $NETWORK_NAME"
+
+    # ✅ Migrations dari repo (CI workspace)
+    echo "✅ Checking migrations from repo..."
+    ls -lah "$CI_PROJECT_DIR/internal/database/migrations"
+
+    echo "✅ Running migrations via migrate/migrate container"
+    set +e
+    out=$(docker run --rm \
+      --network "$NETWORK_NAME" \
+      -v "$CI_PROJECT_DIR/internal/database/migrations:/migrations:ro" \
       migrate/migrate:v4.15.2 \
-      -path=/migrations -database "$DATABASE_URL" up
+      -path=/migrations -database "$DATABASE_URL" up 2>&1)
+    code=$?
+    set -e
+
+    echo "$out"
+
+    # ✅ Handle no change dengan benar (tidak false-success)
+    if echo "$out" | grep -qi "no change"; then
+      echo "✅ No change (already up to date)"
+      exit 0
+    fi
+
+    if [ $code -ne 0 ]; then
+      echo "❌ Migration failed with exit code $code"
+      exit $code
+    fi
+
+    echo "✅ Migration applied successfully"
 
 
 # =========================