diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 35bc167..bb947cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: CI
+name: CI/CD
 
 on:
   push:
@@ -7,13 +7,12 @@ on:
     branches: [main]
 
 jobs:
-  build:
+  # ── 1. 빌드 + 정적 분석 + 테스트 ───────────────────────────────────────────
+  test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      # a301_server depends on tolchain via go.mod replace directive.
-      # Clone tolchain into ../tolchain so the replace path resolves.
       - name: Checkout tolchain dependency
         uses: actions/checkout@v4
         with:
@@ -23,9 +22,78 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: '1.25'
+          cache: true
+
+      - name: Vet
+        run: go vet ./...
 
       - name: Build
         run: go build ./...
 
-      - name: Test
-        run: go test ./... -v
+      - name: Test (with coverage)
+        run: go test ./... -coverprofile=coverage.out -coverpkg=./...
+
+      - name: Coverage report
+        run: go tool cover -func=coverage.out | tail -1
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.out
+
+  # ── 2. Docker 빌드 & GHCR 푸시 (main 머지 시만) ───────────────────────────
+  docker:
+    needs: test
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      # Dockerfile이 context 루트에 tolchain/ + a301_server/ 를 기대하므로
+      # 각각 하위 디렉토리로 체크아웃
+      - name: Checkout a301_server
+        uses: actions/checkout@v4
+        with:
+          path: a301_server
+
+      - name: Checkout tolchain dependency
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository_owner }}/tolchain
+          path: tolchain
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./a301_server/Dockerfile
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/a301-server:latest
+          platforms: linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ── 3. 서버 배포 (Docker 푸시 완료 후) ────────────────────────────────────
+  deploy:
+    needs: docker
+    runs-on: ubuntu-latest
+    steps:
+      - uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.SERVER_HOST }}
+          username: ${{ secrets.SERVER_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          script: |
+            export PATH=$PATH:/usr/local/bin:/opt/homebrew/bin:$HOME/.docker/bin
+            cd ~/server
+            docker compose pull api
+            docker compose up -d api