diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
new file mode 100644
index 0000000..0d1c125
--- /dev/null
+++ b/.github/workflows/deploy-dev.yml
@@ -0,0 +1,133 @@
+name: Deploy to dev environment
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+concurrency:
+ group: deploy-dev
+ cancel-in-progress: false
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ terraform:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v4
+ # with:
+ # terraform_wrapper: false
+
+ - name: Terraform init
+ working-directory: terraform/environments/dev
+ run: terraform init
+
+ - name: Terraform apply
+ working-directory: terraform/environments/dev
+ env:
+ TF_VAR_db_password: ${{ secrets.TF_VAR_db_password }}
+ TF_VAR_db_username: ${{ secrets.TF_VAR_db_username }}
+ TF_VAR_redis_auth_token: ${{ secrets.TF_VAR_redis_auth_token }}
+ TF_VAR_route53_record_name: ${{ secrets.TF_VAR_route53_record_name }}
+ TF_VAR_auth0_domain: ${{ secrets.TF_VAR_auth0_domain }}
+ TF_VAR_auth0_client_id: ${{ secrets.TF_VAR_auth0_client_id }}
+ TF_VAR_auth0_client_secret: ${{ secrets.TF_VAR_auth0_client_secret }}
+ run: terraform apply -auto-approve -input=false
+
+ build-api:
+ runs-on: ubuntu-latest
+ needs: terraform
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to ECR
+ run: |
+ AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ aws ecr get-login-password --region us-east-1 | \
+ docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com"
+ echo "ECR_BASE=${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/flexion-notify-dev" >> "$GITHUB_ENV"
+
+ - name: Build and push backend image
+ run: |
+ docker buildx build \
+ --platform linux/arm64 \
+ --push \
+ -t "${{ env.ECR_BASE }}/backend:latest" \
+ ./notifications-api
+
+ build-admin:
+ runs-on: ubuntu-latest
+ needs: terraform
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to ECR
+ run: |
+ AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ aws ecr get-login-password --region us-east-1 | \
+ docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com"
+ echo "ECR_BASE=${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/flexion-notify-dev" >> "$GITHUB_ENV"
+
+ - name: Build and push frontend image
+ run: |
+ docker buildx build \
+ --platform linux/arm64 \
+ --push \
+ -t "${{ env.ECR_BASE }}/frontend:latest" \
+ ./notifications-admin
+
+ deploy-ecs:
+ runs-on: ubuntu-latest
+ needs: [build-api, build-admin]
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: Force new ECS deployment
+ run: |
+ aws ecs update-service \
+ --cluster flexion-notify-dev-cluster \
+ --service flexion-notify-dev-notify-service \
+ --force-new-deployment \
+ --region us-east-1 \
+ --output text --query 'service.serviceName'
diff --git a/notifications-admin/Dockerfile b/notifications-admin/Dockerfile
index 0cfcfc2..cb7c144 100644
--- a/notifications-admin/Dockerfile
+++ b/notifications-admin/Dockerfile
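Review bot: Both `docker buildx build` steps push only a mutable `:latest` tag, and `deploy-ecs` then runs `--force-new-deployment`, so the task that comes up is whatever `latest` resolves to at that moment and nothing ties the running image to the commit that built it or lets a rollback re-pull a known image. Adding an immutable tag alongside, `-t "${{ env.ECR_BASE }}/backend:${{ github.sha }}" \` in build-api and the matching `frontend:${{ github.sha }}` line in build-admin, keeps `latest` for the service definition while making every push traceable. The third-party actions are pinned to major tags (`@v4`, `@v3`) rather than commit SHAs, so a moved or compromised tag would run unreviewed code in a job that holds `id-token: write`; pinning each `uses:` to a full SHA with the version in a trailing comment is the usual mitigation. It is also worth confirming that the single `update-service` call covers the frontend image as well, since both images are built but only `flexion-notify-dev-notify-service` is redeployed.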
@@ -12,8 +12,6 @@ ENV POETRY_VERSION=1.8.5 RUN curl -sSL https://install.python-poetry.org | python3 - && \ ln -s /root/.local/bin/poetry /usr/local/bin/poetry -WORKDIR /app - # Copy poetry configuration files COPY pyproject.toml poetry.lock ./ diff --git a/notifications-api/Dockerfile b/notifications-api/Dockerfile index d159bb7..ea607a5 100644 --- a/notifications-api/Dockerfile +++ b/notifications-api/Dockerfile @@ -21,7 +21,7 @@ COPY . . # Don't copy sample.env to .env here - when run via docker-compose, env vars are # provided by compose. Copying would override REDIS_URL etc. with localhost values. # Create version.py from version.py.dist -COPY app/version.py.dist app/version.py +RUN cp app/version.py.dist app/version.py # Entrypoint runs init-databases.sql (mounted by compose) then flask db upgrade, then CMD. # Depends on postgres being up; docker-compose ensures that via depends_on + healthcheck.