diff --git a/deploy.sh b/deploy.sh
new file mode 100644
index 0000000..0caa03a
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# eCert MBIP — Production Deploy Script
+# Dipanggil oleh webhook selepas git push ke GitHub
+set -e
+
+PROJECT_DIR="/srv/ecert"
+LOG="$PROJECT_DIR/deploy.log"
+
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG"; }
+
+log "=== Deploy dimulakan ==="
+
+cd "$PROJECT_DIR"
+
+log "git pull..."
+git pull origin main
+
+log "migrate database..."
+docker exec ecert_app php artisan migrate --force
+
+log "optimize cache..."
+docker exec ecert_app php artisan optimize
+
+log "restart queue worker..."
+docker restart ecert_queue
+
+log "=== Deploy selesai ==="
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 5d9714b..4df66c9 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -62,6 +62,22 @@ services:
 APP_ENV: production
 extra_hosts: []
 
+ # ── Webhook Deploy (GitHub → auto pull + migrate) ──────────────────────────
+ webhook:
+ build:
+ context: ./docker/webhook
+ container_name: ecert_webhook
+ restart: always
+ environment:
+ WEBHOOK_SECRET: ${WEBHOOK_SECRET}
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /root/.ssh:/root/.ssh:ro
+ - ./docker/webhook/hooks.json:/etc/webhook/hooks.json:ro
+ - ./deploy.sh:/deploy.sh:ro
+ - .:/srv/ecert
+ command: -hooks=/etc/webhook/hooks.json -template -verbose
+
 ###############################################################################
 volumes:
 storage_data:
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
index 8c94ca6..64339b2 100644
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
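Review bot: As committed, the hook probably cannot run this script: the file is added with mode 100644 (not executable) and its shebang is `#!/bin/bash`, while the docker/webhook/Dockerfile added in this same commit installs only `git docker-cli curl` on Alpine, whose base image does not include bash. The script uses no bash-only syntax, so `#!/bin/sh` plus committing the file as mode 100755 would be enough. Separately, nothing stops two deliveries from running overlapping deploys, and `git pull origin main` can create a merge commit or stop half-way on a dirty tree; taking a lock at the top and using `git pull --ff-only origin main` would make each run all-or-nothing. Only the `log` lines reach deploy.log, so a failed `git` or `docker` step leaves no trace in that file.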
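Review bot: The `webhook` service is reachable from the internet through nginx yet is given `/var/run/docker.sock`, all of `/root/.ssh` and a writable mount of the whole project, so any flaw in the hook path is equivalent to root on the host plus every key root owns. Mount only a dedicated read-only deploy key (and a known_hosts file) instead of the directory, e.g. `- <PATH_TO_DEPLOY_KEY>:/root/.ssh/id_ed25519:ro`, and consider placing a socket proxy that permits only the exec and restart calls in front of the Docker API. `WEBHOOK_SECRET: ${WEBHOOK_SECRET}` silently becomes an empty string when the variable is unset, which would make the signature check meaningless; `WEBHOOK_SECRET: ${WEBHOOK_SECRET:?WEBHOOK_SECRET must be set}` makes compose refuse to start instead.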
@@ -62,6 +62,13 @@ server {
 try_files $uri =404;
 }
 
+ # ── GitHub Webhook Deploy ─────────────────────────────────────────────────
+ location /hooks/ {
+ proxy_pass http://ecert_webhook:9000/hooks/;
+ proxy_set_header Host $host;
+ proxy_read_timeout 60s;
+ }
+
 # ── Halang akses fail tersembunyi ─────────────────────────────────────────
 location ~ /\. {
 deny all;
diff --git a/docker/webhook/Dockerfile b/docker/webhook/Dockerfile
new file mode 100644
index 0000000..5d9caa5
--- /dev/null
+++ b/docker/webhook/Dockerfile
@@ -0,0 +1,6 @@
+FROM alpine:3.21
+RUN apk add --no-cache git docker-cli curl && \
+ curl -fsSL https://github.com/adnanh/webhook/releases/download/2.8.1/webhook-linux-amd64.tar.gz \
+ | tar xz -C /usr/local/bin --strip-components=1
+EXPOSE 9000
+ENTRYPOINT ["/usr/local/bin/webhook"]
diff --git a/docker/webhook/hooks.json b/docker/webhook/hooks.json
new file mode 100644
index 0000000..a333a8a
--- /dev/null
+++ b/docker/webhook/hooks.json
@@ -0,0 +1,18 @@
+[
+ {
+ "id": "deploy",
+ "execute-command": "/deploy.sh",
+ "command-working-directory": "/srv/ecert",
+ "response-message": "Deploy dimulakan.",
+ "trigger-rule": {
+ "match": {
+ "type": "payload-hmac-sha256",
+ "secret": "{{ .Env.WEBHOOK_SECRET }}",
+ "parameter": {
+ "source": "header",
+ "name": "X-Hub-Signature-256"
+ }
+ }
+ }
+ }
+]
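Review bot: `location /hooks/` forwards every method, path suffix and body size from any client to the webhook container, leaving the HMAC check as the only gate in front of a process that holds the Docker socket. Only one hook id is defined in this commit, so the block can be narrowed to `location = /hooks/deploy {` with `proxy_pass http://ecert_webhook:9000/hooks/deploy;` and `limit_except POST { deny all; }`, plus a small `client_max_body_size`. Restricting the source to GitHub's published hook address ranges and adding a `limit_req` zone would cut the exposure further. The enclosing `server` block starts and ends outside the hunk, so any existing allow or rate-limit rules are not visible here.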
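Review bot: The `curl ... | tar xz` step installs the webhook binary straight from the release URL with no integrity check, so whatever that URL serves at build time ends up running as root next to the mounted Docker socket. Download to a file and verify it before unpacking, e.g. `echo "<SHA256_OF_RELEASE_TARBALL>  /tmp/webhook.tar.gz" | sha256sum -c -`, with the digest recorded in the repository. The package list also has no `openssh-client`, which `git pull` needs if the remote is an SSH URL; the compose file mounts `/root/.ssh`, which suggests it is.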
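Review bot: The `trigger-rule` checks only the signature, so every signed delivery (a ping, a push to any branch or tag, or any other event the GitHub webhook is subscribed to) runs a production migrate. Wrap the existing `match` in an `and` list together with a second `match` of type `value` that compares the payload's `ref` with `refs/heads/main`. Also confirm that `{{ .Env.WEBHOOK_SECRET }}` actually renders: as far as I know the template helper that webhook documents for environment variables is `getenv`, as in `"secret": "{{ getenv "WEBHOOK_SECRET" | js }}"`. A secret that fails to render, or renders empty, should be tested for before this check is relied on.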