diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 180c745..7107d4a 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -1,52 +1,73 @@ name: Deploy App on: - workflow_run: - workflows: ["Build and Lint"] - types: [requested] + pull_request: + types: [opened, reopened, synchronize] concurrency: - group: cd-${{ github.workflow }}-${{ github.ref }} + group: cd-${{ github.ref }} cancel-in-progress: true env: - VAULT_ADDR: "https://localhost:8200" + VAULT_ADDR: "http://localhost:8200" jobs: - deploy-vault: - uses: ./.github/workflows/vault.yml - secrets: inherit - deploy-app: - needs: [deploy-vault] - defaults: - run: - working-directory: "${{ github.workspace }}/tf" runs-on: ubuntu-22.04 steps: + - name: set env + shell: bash + run: | + if [ ${GITHUB_REF##*/} = "main" ]; then + echo "VAULT_TOKEN=${{ secrets.STAGING_VAULT_ROOT_TOKEN }}" >> $GITHUB_ENV + elif [[ ${GITHUB_REF##*/} =~ ^v[0-9]+\.[0-9]+\.[0-9] ]]; then + echo "VAULT_TOKEN=${{ secrets.PROD_VAULT_ROOT_TOKEN }}" >> $GITHUB_ENV + else + echo "VAULT_TOKEN=${{secrets.DEV_VAULT_ROOT_TOKEN}}" >> $GITHUB_ENV + fi + - uses: actions/checkout@v3 + - name: deploy vault instance + uses: sudo-bot/action-docker-compose@latest + with: + cli-args: "up -d" + + - uses: eLco/setup-vault@v1 + with: + vault_version: 1.8.7 + - name: debug run: | docker ps docker images docker network ls + docker logs workspace-vault-1 + + - name: check vault secrets + run: | + vault secrets list - uses: hashicorp/setup-terraform@v2 - - id: init + - name: init + working-directory: tf run: | terraform init - - id: plan + - name: plan + working-directory: tf run: | - terraform plan -no-color + terraform plan -no-color -out=/tmp/tfplan.tfplan - - id: apply + - name: apply + working-directory: tf run: | - terraform apply -auto-approve -no-color ${{ steps.plan.outputs.stdout }} + terraform apply -auto-approve -no-color /tmp/tfplan.tfplan - - run: | + - name: debug + working-directory: tf + run: | terraform show docker ps diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml new file mode 100644 index 0000000..a73c9ed --- /dev/null 
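Review bot: The branch test in the new `set env` step cannot select the staging or prod token under the new `pull_request` trigger: on pull_request events `GITHUB_REF` is `refs/pull/<number>/merge`, so `${GITHUB_REF##*/}` expands to `merge`, the `main` and version-tag branches of the `if` are dead, and every run — including the `terraform apply -auto-approve` further down, on each `synchronize` — uses `DEV_VAULT_ROOT_TOKEN`. If staging and prod deploys are meant to happen on pushes to `main` and version tags, trigger on `push` for those refs (or test `github.event_name` and `github.ref` directly) and hand the chosen secret to the script through a step-level `env:` mapping rather than interpolating `${{ secrets.* }}` into the script body. `sudo-bot/action-docker-compose@latest` is a mutable tag on a third-party action running in a job whose environment holds a Vault root token; pin it like the other actions, e.g. `uses: sudo-bot/action-docker-compose@<release-tag-or-commit-sha>`. The `docker logs workspace-vault-1` line in the `debug` step prints the Vault container's startup output; if the compose file starts Vault in dev mode that output includes the root token, so confirm before keeping it in a PR-triggered job.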
+++ b/.github/workflows/checkov.yml @@ -0,0 +1,24 @@ +name: Checkov +on: + workflow_call: + +concurrency: + group: checkov-${{ github.ref }} + cancel-in-progress: true + +jobs: + + checkov: + runs-on: ubuntu-22.04 + + steps: + - name: checkout repo + uses: actions/checkout@v3 + + - uses: bridgecrewio/checkov-action@v12 + name: scan-terraform + with: + directory: tf/ + framework: terraform + output_format: github_failed_only + download_external_modules: true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c3fc79..ecc8b41 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,56 +1,28 @@ -name: Build and Lint +name: CI Pipeline on: pull_request: - type: [opened, reopened, synchronize] + types: [opened, reopened, synchronize] push: branches: - main tags: - v\d+\.\d+\.\d+ -concurrency: - group: ci-${{ github.workflow }}-${{ github.ref }} +concurrency: + group: ci-${{ github.ref }} cancel-in-progress: true -env: - VAULT_ADDR: "http://localhost:8200" - jobs: checkov: - runs-on: ubuntu-22.04 - - steps: - - name: checkout repo - uses: actions/checkout@v3 - - - uses: bridgecrewio/checkov-action@v12 - name: scan-terraform - with: - directory: tf/ - framework: terraform - output_format: github_failed_only - download_external_modules: true + uses: "./.github/workflows/checkov.yml" lint: - defaults: - run: - working-directory: "${{ github.workspace }}/tf" - runs-on: ubuntu-22.04 - - steps: - - uses: actions/checkout@v3 - - - uses: hashicorp/setup-terraform@v2 - - - id: init - run: | - terraform init - - - id: validate - run: | - terraform validate -no-color - - - id: plan - run: | - terraform plan -no-color + uses: "./.github/workflows/lint.yml" + + tfsec: + permissions: + actions: read + contents: read + security-events: write + uses: "./.github/workflows/tfsec.yml" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..db02fe3 --- /dev/null +++ b/.github/workflows/lint.yml 
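Review bot: The new reusable workflow declares no `permissions:` block, so the `checkov` job runs with whatever default `GITHUB_TOKEN` scope the repository grants, although checkout plus a read-only scan needs only `contents: read`; `lint.yml` in this same commit has the same omission while `tfsec.yml` sets permissions explicitly. Add `permissions:` followed by `  contents: read` at workflow level in both so the callers in `ci.yml` inherit a least-privilege token (a called workflow can only narrow what the caller grants, never widen it). `download_external_modules: true` also makes the scan fetch third-party Terraform modules over the network at scan time; if that is intended, say so with a comment such as `# fetches external modules so their resources are scanned too`.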
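Review bot: The `tags:` filter `v\d+\.\d+\.\d+` (kept as context on the new side) is regex syntax, but GitHub branch and tag filters are glob patterns in which `\` only escapes the following character, so as far as I can tell this entry matches only literal `d` characters and a push of `v1.2.3` never starts the pipeline; write it as `- 'v[0-9]+.[0-9]+.[0-9]+'`, where GitHub's `+` means one or more of the preceding character. The `checkov` and `lint` callers pass no `permissions:` while `tfsec` does, so those two jobs run with the repository's default token scope; add `permissions:` / `  contents: read` to them (or inside the called workflows) for consistency and least privilege.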
@@ -0,0 +1,42 @@ +name: Lint +on: + workflow_call: + +concurrency: + group: lint-${{ github.ref }} + cancel-in-progress: true + +jobs: + + lint: + defaults: + run: + working-directory: "tf" + + runs-on: ubuntu-22.04 + + steps: + - name: checkout repo + uses: actions/checkout@v3 + + - uses: bridgecrewio/checkov-action@v12 + name: scan-terraform + with: + directory: tf/ + framework: terraform + output_format: github_failed_only + download_external_modules: true + + - uses: hashicorp/setup-terraform@v2 + + - id: init + run: | + terraform init + + - id: validate + run: | + terraform validate -no-color + + - id: plan + run: | + terraform plan -no-color diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 2fb0ba5..2cde846 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -1,39 +1,27 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - name: tfsec - on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - schedule: - - cron: '20 8 * * 0' + workflow_call: jobs: + tfsec: - name: Run tfsec sarif report - runs-on: ubuntu-latest + defaults: + run: + working-directory: "tf" permissions: actions: read contents: read security-events: write + runs-on: ubuntu-22.04 steps: - - name: Clone repo - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - - name: Run tfsec - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + - uses: aquasecurity/tfsec-sarif-action@v0.1.4 with: - working_directory: tf/ sarif_file: tfsec.sarif - - name: Upload SARIF file + - name: upload sarif file uses: github/codeql-action/upload-sarif@v2 with: - # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/.github/workflows/vault.yml b/.github/workflows/vault.yml index 3fb8d05..a38eebe 100644 
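Review bot: The `scan-terraform` step here duplicates the new `checkov.yml` workflow line for line, and `ci.yml` already runs that workflow as its own `checkov` job, so every PR scans the same `tf/` tree twice and a single finding fails two jobs. Dropping the `bridgecrewio/checkov-action@v12` step and its `with:` block from `lint.yml` leaves checkov with one owner, and `lint` becomes the pure `init`/`validate`/`plan` job its name suggests.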
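Review bot: Moving `aquasecurity/tfsec-sarif-action` from the commit SHA `9a83b5c3524f825c020e356335855741fd02745f` to the floating tag `v0.1.4` gives up the only immutable action pin in these workflows, in a job that holds `security-events: write`; tags can be re-pointed, so keep the SHA and record the version in a trailing comment, `# v0.1.4`, if readability was the motive. Dropping the `working_directory: tf/` input is not replaced by the new `defaults.run.working-directory: "tf"`, which applies to `run:` steps only and not to `uses:` action inputs, so the action now scans from whatever its own default directory is (presumably the repository root) and the SARIF paths change accordingly; restore `working_directory: tf/` under `with:`.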
--- a/.github/workflows/vault.yml +++ b/.github/workflows/vault.yml @@ -1,14 +1,9 @@ name: Deploy Vault on: - pull_request: - type: [opened, reopened, synchronize] workflow_call: -env: - VAULT_ADDR: "http://localhost:8200" - concurrency: - group: vault-${{ github.workflow }}-${{ github.ref }} + group: vault-${{ github.ref }} cancel-in-progress: true jobs:
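Review bot: After this commit `vault.yml` is reachable only through `workflow_call`, yet the one caller visible in this diff — the `deploy-vault` job in `cd.yml` — is removed in the same commit and the new `ci.yml` does not call it, so the workflow looks orphaned unless a caller exists outside the diff. The `env: VAULT_ADDR` removal also affects the job steps below `jobs:`, which lie outside this hunk; if any of them run the `vault` CLI they now execute without an address unless it is set elsewhere, so either expose it as a `workflow_call` input or add a comment at the trigger stating where `VAULT_ADDR` is expected to come from.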