diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..799173a
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,33 @@
+name: Continuous Integration
+
+on:
+ push:
+
+env:
+ AWS_REGION: ${{ vars.AWS_REGION }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ APP_ID: ${{ secrets.APP_ID }}
+ ENV_ID: ${{ secrets.ENV_ID }}
+ CONFIG_ID: ${{ secrets.CONFIG_ID }}
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run tests
+ run: docker-compose -f "action-services.yml" run app bash -c "./scripts/test.sh"
+
+ deploy:
+ name: Deploy
+ if: github.ref_name == 'main'
+ needs: test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Deploy lambda
+ run: docker-compose -f "action-services.yml" run app
diff --git a/Makefile b/Makefile
index 2bf9006..9a126ad 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,7 @@ bash:
 docker-compose run --rm app bash
 test:
- docker-compose run --rm app ./codeship/test.sh
+ docker-compose run --rm app ./scripts/test.sh
 clean:
 docker-compose kill
diff --git a/README.md b/README.md
index 221f23f..18b5660 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 # cloudflare-scanner
+
 Look through Cloudflare records to find the ones that contain a certain substring in their name and
 then send emails with that list via AWS SES.
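Review bot: In `.github/workflows/ci.yml` the top-level `env:` block hands the long-lived AWS access key pair and the AppConfig IDs to every step of both jobs, so `scripts/test.sh` runs with the deploy credentials on every push to any branch. If the tests do not need them, move that `env:` mapping under the `deploy` job so only the gated job can read the secrets. The gate itself, `if: github.ref_name == 'main'`, also matches a tag named `main` because `on: push` has no branch filter; `if: github.ref == 'refs/heads/main'` restricts it to the branch. The workflow sets no `permissions:`, so adding `permissions:` with `contents: read` at the top keeps the job token read-only.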
@@ -6,17 +7,11 @@ then send emails with that list via AWS SES.
 ### AWS Serverless User
-1. Copy the aes key from Codeship
-2. Paste it in a new file `codeship.aes`
-3. Run `jet decrypt aws.env.encrypted aws.env`
-4. (Optional) Compare the key in `aws.env` with the key in the most recent Terraform Cloud output
-5. Use the Terraform CLI to taint the old access key
-6. Run a new plan on Terraform Cloud
-7. Review the new plan and apply if it is correct
-8. Copy the new key and secret from the Terraform output into the aws.env file, overwriting the old values
-9. Run `jet encrypt aws.env aws.env.encrypted`
-10. Commit the new `aws.env.encrypted` file on the `develop` branch and push it to Github
-11. Submit a PR to release the change to the `main` branch
+1. Use the Terraform CLI to taint the old access key
+2. Run a new plan on Terraform Cloud
+3. Review the new plan and apply if it is correct
+4. Copy the new key and secret from the Terraform output into Github Repository Secrets, overwriting the old values
+5. Manually rerun a past run on the main branch
 ### Cloudflare
diff --git a/action-services.yml b/action-services.yml
new file mode 100644
index 0000000..a25296c
--- /dev/null
+++ b/action-services.yml
@@ -0,0 +1,18 @@
+version: "3"
+
+services:
+ app:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ environment:
+ AWS_REGION: $AWS_REGION
+ AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
+ AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
+ APP_ID: $APP_ID
+ ENV_ID: $ENV_ID
+ CONFIG_ID: $CONFIG_ID
+ volumes:
+ - ./:/app
+ working_dir: /app
+ command: bash -c "scripts/deploy-prod.sh"
diff --git a/aws.env.encrypted b/aws.env.encrypted
deleted file mode 100644
index 82b9f9e..0000000
--- a/aws.env.encrypted
+++ /dev/null
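Review bot: In `action-services.yml` the service's default `command: bash -c "scripts/deploy-prod.sh"` makes a production deploy the behaviour of any `run app` that omits a command, which is what the workflow's Deploy step relies on. Anyone running this compose file with AWS credentials exported in their shell would start a deploy by accident; consider dropping the default and naming the script in the workflow step, `run: docker-compose -f "action-services.yml" run --rm app bash -c "./scripts/deploy-prod.sh"`, the same way the test step names its script. The `environment:` entries also substitute an empty string when a variable is unset, so `AWS_REGION: ${AWS_REGION:?AWS_REGION is not set}` (and likewise for the other five) would fail fast instead of starting the script with blank values.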
@@ -1,2 +0,0 @@
-cloudbees:v1
-3qTawtryB/ASUiqgDXF0mNuh2nWPbkt8/nmYh1l582qbYgJ2/z/sDOb4fwSOjf8MFlBAUhf+xPkNeBhC5RPneNl4lyOi/FffUEl9kZiRfZnCL/simi3gN/aQlXdXsCYkC5dxp7seBljJ7WdiYhiMy+jo11QuZeEMvfDY/fjq1egADoXpOR5m+mCArke9SEivsILI/YxCBr6aeUAJrvDoUaQ1H1Mo/xzWRZ4Mvbuyqwqot71UMT0aHQNIPrKrNiGUJgizwNlvmqXSKOLEdkLUIZxxYwsPyOM2xEtEFs79ba3+A5KA1jQLd/a4e8BCqkxZZKILKSFpQ7UF6EjLUO/GVK5u/3dSqV0gUQVDbpQFF6zXmc7Frv3m5o4GmDX8MZzXrXjWb8AEBJSx4BmZAeYRETtl5Gww1WQYNvImqGy5bLg0yIHFVU1FllaqNjNwUi/gj+i3pesLdQ==
\ No newline at end of file
diff --git a/aws.env.example b/aws.env.example
deleted file mode 100644
index b7d167a..0000000
--- a/aws.env.example
+++ /dev/null
@@ -1,11 +0,0 @@
-AWS_ACCESS_KEY_ID=AKABCDEFGHIJKLMNOPQ
-AWS_SECRET_ACCESS_KEY=aBcDeFgHiJkLmNoPqRsTuVwXyZAbCdEfGhIjKlMn
-AWS_REGION=us-east-1
-
-# AppConfig Identifers
-# Application ID
-APP_ID=0123abc
-# Environment ID
-ENV_ID=0123abc
-# Configuration Profile ID
-CONFIG_ID=0123abc
diff --git a/codeship-services.yml b/codeship-services.yml
deleted file mode 100644
index 62f8a94..0000000
--- a/codeship-services.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-app:
- build:
- dockerfile_path: Dockerfile
- encrypted_env_file: aws.env.encrypted
- cached: true
- working_dir: /app
\ No newline at end of file
diff --git a/codeship-steps.yml b/codeship-steps.yml
deleted file mode 100644
index b0ab77e..0000000
--- a/codeship-steps.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: test
- service: app
- command: ./codeship/test.sh
-
-- name: deploy_prod
- service: app
- tag: main
- command: ./codeship/deploy-prod.sh
-
diff --git a/docker-compose.yml b/docker-compose.yml
index fd271e5..31a3ead 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,6 @@
 version: "3"
 services:
-
 app:
 build:
 context: ./
@@ -11,4 +10,4 @@ services:
 volumes:
 - ./:/app
 working_dir: /app
- command: bash -c "codeship/build.sh"
+ command: bash -c "scripts/build.sh"
diff --git a/codeship/build.sh b/scripts/build.sh
similarity index 100%
rename from codeship/build.sh
rename to scripts/build.sh
diff --git a/codeship/deploy-prod.sh b/scripts/deploy-prod.sh
similarity index 100%
rename from codeship/deploy-prod.sh
rename to scripts/deploy-prod.sh
diff --git a/codeship/test.sh b/scripts/test.sh
similarity index 100%
rename from codeship/test.sh
rename to scripts/test.sh