diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index b1f8997..a840b34 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -5,9 +5,56 @@ on:
     branches:
       - deploytest
 
+permissions:
+  packages: write
+
 jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.x'
+      - name: Install dependencies
+        run: go get .
+      - name: Build
+        run: go build -v ./...
+      - name: Test with the Go CLI
+        run: go test
+
+  build-and-push-image:
+    needs: build-and-test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: https://ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: true
+          tags: ghcr.io/dreamsofcode-io/guestbook:$COMMIT_SHORT_SHA
+
   deploy:
     runs-on: ubuntu-latest
+    needs: build-and-push-image
 
     steps:
     - name: Checkout code
@@ -34,6 +81,7 @@ jobs:
 
     - name: Run Docker Compose
       run: |
+        export GIT_COMMIT_HASH=$COMMIT_SHORT_SHA
         export DB_PASSWORD_PATH="/home/deploytest/db-password.txt"
         export DOCKER_HOST=ssh://deploytest@zenful.cloud
         docker-compose -f ./compose.prod.yaml up -d
diff --git a/compose.prod.yaml b/compose.prod.yaml
index 54c0420..9cfd990 100644
--- a/compose.prod.yaml
+++ b/compose.prod.yaml
@@ -1,13 +1,4 @@
 services:
-  watchtower:
-    image: containrrr/watchtower
-    command:
-      - "--label-enable"
-      - "--interval"
-      - "30"
-      - "--rolling-restart"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
   reverse-proxy:
     image: traefik:v3.1
     command:
@@ -27,7 +18,7 @@ services:
       - letsencrypt:/letsencrypt
       - /var/run/docker.sock:/var/run/docker.sock
   guestbook:
-    image: ghcr.io/dreamsofcode-io/guestbook:prod
+    image: ghcr.io/dreamsofcode-io/guestbook:${GIT_COMMIT_HASH:-prod}
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.guestbook-ratelimit.ratelimit.average=20"
@@ -75,7 +66,6 @@ services:
     environment:
       - POSTGRES_DB=guestbook
       - POSTGRES_PASSWORD_FILE=/run/secrets/db-password
-      #- POSTGRES_PASSWORD=${DB_PASSWORD}
     expose:
       - 5432
     healthcheck: