diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..190e112
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,74 @@
+name: Publish Docker to GHCR
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        default: "development"
+        options:
+          - development
+          - production
+          - staging
+      tag:
+        description: "Image tag (e.g. v1.0.0)"
+        required: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  publish:
+    name: Build & Push to GHCR (${{ github.event.inputs.environment }})
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Free disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo docker image prune --all --force
+          df -h
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ github.event.inputs.environment }}-${{ github.event.inputs.tag }}
+            type=raw,value=${{ github.event.inputs.environment }}-latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          no-cache: true
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..3a3de2e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,83 @@
+# ==============================
+# Stage 1: Builder (Bun)
+# ==============================
+FROM oven/bun:1-debian AS builder
+
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libc6 \
+    git \
+    openssl \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY package.json bun.lockb* ./
+COPY prisma ./prisma
+
+ENV ONNXRUNTIME_NODE_INSTALL_CUDA=0
+ENV SHARP_IGNORE_GLOBAL_LIBVIPS=1
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN bun install --ignore-scripts
+
+COPY . .
+
+# Gunakan .env jika ada, fallback ke .env.example.
+# Untuk build dengan .env custom, hapus .env dari .dockerignore
+# atau berikan via: docker build --secret id=env,src=.env (BuildKit)
+RUN if [ -f .env ]; then \
+        echo "INFO: Menggunakan .env"; \
+    elif [ -f .env.example ]; then \
+        cp .env.example .env; \
+        echo "WARNING: .env tidak ditemukan, menggunakan .env.example (isi dengan nilai yang benar)"; \
+    else \
+        echo "WARNING: Tidak ada .env atau .env.example"; \
+    fi
+
+# Generate prisma client
+RUN ./node_modules/.bin/prisma generate
+
+# Build Next.js
+RUN bun run build
+
+
+# ==============================
+# Stage 2: Runner (Bun)
+# ==============================
+FROM oven/bun:1-debian AS runner
+
+WORKDIR /app
+
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openssl \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 1001 nodejs \
+    && useradd --system --uid 1001 --gid nodejs nextjs
+
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/.next ./.next
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./package.json
+COPY --from=builder /app/tsconfig.json ./tsconfig.json
+COPY --from=builder /app/prisma ./prisma
+COPY --from=builder /app/src ./src
+
+# Env vars runtime dikelola oleh Portainer (stack env / container env).
+# Tidak perlu copy .env ke runner — image tetap bersih tanpa secrets.
+
+RUN chown -R nextjs:nodejs /app
+
+USER nextjs
+
+EXPOSE 3000
+
+ENV PORT=3000
+ENV HOSTNAME="0.0.0.0"
+
+CMD ["bun", "run", "start"]
\ No newline at end of file