diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e4038dd..22abb91 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,9 +52,9 @@ jobs:
 if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev'
 run: docker build -t clintsharp/gogen .

- # Deployment steps run on both master and dev branches
+ # Deployment steps only run on dev branch; production deploys are handled by release.yml
 - name: Configure AWS Credentials
- if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev'
+ if: github.ref == 'refs/heads/dev'
 uses: aws-actions/configure-aws-credentials@v1
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
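Review bot: The dev-only `Configure AWS Credentials` step in ci.yml still authenticates with the generic `secrets.AWS_ACCESS_KEY_ID` key, so the staging/production split introduced here rests on the `if:` expressions alone rather than on what the credential is allowed to do. If release.yml uses the same key pair for production (not visible in this diff), every dev-branch run holds production-capable access. A staging-only IAM identity, preferably short-lived through the action's `role-to-assume` input with GitHub OIDC instead of stored keys, would enforce the boundary in AWS; the identical step in `deploy-lambdas` in the next hunk has the same issue. The step's `with:` block continues past the end of this hunk.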
@@ -62,76 +62,52 @@ jobs:
 aws-region: us-east-1

 - name: Deploy Build Artifacts to S3
- if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev'
- run: |
- if [ "${{ github.ref }}" = "refs/heads/master" ]; then
- aws s3 sync build s3://gogen-artifacts-prod --delete
- else
- aws s3 sync build s3://gogen-artifacts-staging --delete
- fi
-
- - name: Run Docker Push Script
- if: github.ref == 'refs/heads/master'
- env:
- DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
- run: bash docker-push.sh
+ if: github.ref == 'refs/heads/dev'
+ run: aws s3 sync build s3://gogen-artifacts-staging --delete

 - name: Setup Node.js
- if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev'
+ if: github.ref == 'refs/heads/dev'
 uses: actions/setup-node@v2
 with:
 node-version: '18'

 - name: Deploy UI
- if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev'
+ if: github.ref == 'refs/heads/dev'
 run: |
 chmod +x ui/deploy_ui.sh
- if [ "${{ github.ref }}" = "refs/heads/master" ]; then
- ui/deploy_ui.sh
- else
- ui/deploy_ui.sh -e staging
- fi
+ ui/deploy_ui.sh -e staging

 deploy-lambdas:
 runs-on: ubuntu-latest
 needs: build
- # Skip if this is a tag push (handled by release workflow)
- if: (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev') && startsWith(github.ref, 'refs/tags/') == false
+ # Production deploys are handled by release.yml on tagged commits
+ if: github.ref == 'refs/heads/dev'
 steps:
 - name: Checkout code
 uses: actions/checkout@v2
-
+
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
 python-version: '3.13'
-
+
 - name: Install AWS SAM CLI
 run: |
 python -m pip install --upgrade pip
 pip install aws-sam-cli boto3 botocore awscli
-
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: us-east-1
-
+
 - name: Deploy Lambda Functions
 env:
- # Set ROLE_ARN based on the branch
- ROLE_ARN: ${{ github.ref == 'refs/heads/master' && secrets.PROD_LAMBDA_ROLE_ARN || secrets.STAGING_LAMBDA_ROLE_ARN }}
- # Set GitHub OAuth credentials based on the branch
- GITHUB_OAUTH_CLIENT_ID: ${{ github.ref == 'refs/heads/master' && secrets.PROD_GITHUB_OAUTH_CLIENT_ID || secrets.STAGING_GITHUB_OAUTH_CLIENT_ID }}
- GITHUB_OAUTH_CLIENT_SECRET: ${{ github.ref == 'refs/heads/master' && secrets.PROD_GITHUB_OAUTH_CLIENT_SECRET || secrets.STAGING_GITHUB_OAUTH_CLIENT_SECRET }}
+ ROLE_ARN: ${{ secrets.STAGING_LAMBDA_ROLE_ARN }}
+ GITHUB_OAUTH_CLIENT_ID: ${{ secrets.STAGING_GITHUB_OAUTH_CLIENT_ID }}
+ GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.STAGING_GITHUB_OAUTH_CLIENT_SECRET }}
 run: |
 cd gogen-api
- if [ "${{ github.ref }}" = "refs/heads/master" ]; then
- # Prod deployment
- bash deploy_lambdas.sh
- else
- # Staging deployment
- bash deploy_lambdas.sh -e staging
- fi
+ bash deploy_lambdas.sh -e staging
diff --git a/gogen-api/iam_policy.json b/gogen-api/iam_policy.json
index 2572512..8d375e0 100644
--- a/gogen-api/iam_policy.json
+++ b/gogen-api/iam_policy.json
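Review bot: In ci.yml, `deploy-lambdas` is restricted to dev only by `if: github.ref == 'refs/heads/dev'`, and the `STAGING_*` values are read as ordinary `secrets.*`; if these are repository-level secrets (not visible here), the `PROD_*` secrets this hunk stops referencing remain readable by any later edit to this workflow on any branch. Binding the job to a GitHub environment, e.g. `environment: staging` under `deploy-lambdas:`, with the staging secrets stored on that environment and a deployment-branch rule for `dev`, lets GitHub enforce the restriction, and the production secrets can then live only on an environment that release.yml uses. The same applies to the staging deploy steps of the `build` job at the top of this hunk, whose body starts outside it.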
@@ -128,11 +128,33 @@
 "Resource": "*"
 },
 {
- "Sid": "DynamoDBDescribePermissions",
+ "Sid": "CloudFrontListPermissions",
 "Effect": "Allow",
- "Action": "dynamodb:DescribeTable",
+ "Action": "cloudfront:ListDistributions",
+ "Resource": "*"
+ },
+ {
+ "Sid": "CloudFrontInvalidationPermissions",
+ "Effect": "Allow",
+ "Action": "cloudfront:CreateInvalidation",
+ "Resource": [
+ "arn:aws:cloudfront::715681304208:distribution/E1YKFKA6Y16FT0",
+ "arn:aws:cloudfront::715681304208:distribution/E2PCMI0RQZI3B7"
+ ]
+ },
+ {
+ "Sid": "DynamoDBPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:Scan",
+ "dynamodb:Query",
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:UpdateItem",
+ "dynamodb:DeleteItem"
+ ],
 "Resource": [
- "arn:aws:dynamodb:*:*:table/gogen-api-prod-gogen",
+ "arn:aws:dynamodb:*:*:table/gogen",
 "arn:aws:dynamodb:*:*:table/gogen-staging"
 ]
 }
diff --git a/ui/.env.staging b/ui/.env.staging
index dd42135..bbf010e 100644
--- a/ui/.env.staging
+++ b/ui/.env.staging
@@ -1,3 +1,3 @@
-VITE_API_URL=/api
+VITE_API_URL=https://staging-api.gogen.io/v1
 VITE_GITHUB_CLIENT_ID=Ov23liep3eAw002qddGU
-VITE_GITHUB_REDIRECT_URI=https://staging.gogen.io/auth/callback
\ No newline at end of file
+VITE_GITHUB_REDIRECT_URI=https://staging.gogen.io/auth/callback
\ No newline at end of file
diff --git a/ui/deploy_ui.sh b/ui/deploy_ui.sh
index 6c30274..25a6d30 100755
--- a/ui/deploy_ui.sh
+++ b/ui/deploy_ui.sh
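Review bot: In gogen-api/iam_policy.json, the new `DynamoDBPermissions` statement grants `Scan`, `PutItem`, `UpdateItem` and `DeleteItem` on both `table/gogen` and `table/gogen-staging` in one policy, so whichever principal carries it (not shown in this diff) can modify the other environment's data; if `gogen` is the production table, staging credentials get write and delete access to production. Splitting the policy per environment would keep the separation that the workflow change in this commit is aiming for. The table ARNs also use `*` for region and account, unlike the CloudFront statement, which pins the account; `arn:aws:dynamodb:<region>:<account-id>:table/gogen-staging` would be tighter. The statement also drops `dynamodb:DescribeTable`, so unless another statement outside this hunk grants it, confirm nothing in the deploy path still calls it.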
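Review bot: In ui/.env.staging, `VITE_API_URL` moves from the same-origin path `/api` to `https://staging-api.gogen.io/v1`, so the UI served from staging.gogen.io now calls the API cross-origin. That only works if the staging API returns CORS headers, and the allowed origin there should be the staging UI origin rather than `*`, particularly if requests carry cookies or an Authorization header; the API configuration is not part of this diff, so this needs checking on that side.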
@@ -60,4 +60,18 @@ fi
 echo "Deploying to s3://$BUCKET/"
 aws s3 sync dist/ "s3://$BUCKET/" --delete

+# Invalidate CloudFront cache
+echo "Looking up CloudFront distribution for $BUCKET..."
+DISTRIBUTION_ID=$(aws cloudfront list-distributions \
+ --query "DistributionList.Items[?Aliases.Items[?@=='${BUCKET}']].Id | [0]" \
+ --output text)
+
+if [ -z "$DISTRIBUTION_ID" ] || [ "$DISTRIBUTION_ID" = "None" ]; then
+ echo "Warning: No CloudFront distribution found for $BUCKET. Skipping cache invalidation."
+else
+ echo "Invalidating CloudFront distribution $DISTRIBUTION_ID..."
+ aws cloudfront create-invalidation --distribution-id "$DISTRIBUTION_ID" --paths "/*"
+ echo "CloudFront invalidation created."
+fi
+
 echo "Deployment completed successfully for $ENVIRONMENT environment!"
\ No newline at end of file
diff --git a/ui/src/config.ts b/ui/src/config.ts
index 5c1d7b0..c374b8c 100644
--- a/ui/src/config.ts
+++ b/ui/src/config.ts
@@ -5,13 +5,8 @@ interface Config {
 githubRedirectUri: string;
 }

-function getEnvValue(name: string): string {
- const value = process.env[name];
- return value ?? '';
-}
-
 export const config: Config = {
- apiBaseUrl: getEnvValue('VITE_API_URL'),
- githubClientId: getEnvValue('VITE_GITHUB_CLIENT_ID'),
- githubRedirectUri: getEnvValue('VITE_GITHUB_REDIRECT_URI'),
+ apiBaseUrl: process.env.VITE_API_URL ?? '',
+ githubClientId: process.env.VITE_GITHUB_CLIENT_ID ?? '',
+ githubRedirectUri: process.env.VITE_GITHUB_REDIRECT_URI ?? '',
 };
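Review bot: In ui/deploy_ui.sh, a failed `aws cloudfront list-distributions` call (for example a missing `cloudfront:ListDistributions` permission) leaves `DISTRIBUTION_ID` empty, which the `-z` branch reports as "no distribution found", and the script then prints a successful deployment while CloudFront keeps serving the previous assets. Unless `set -e` is enabled earlier in the script (outside this hunk), the lookup's exit status should be checked separately from the empty/`None` result, e.g. `if ! DISTRIBUTION_ID=$(aws cloudfront list-distributions ... --output text); then echo "CloudFront lookup failed" >&2; exit 1; fi`. The `create-invalidation` call likewise has no status check before `echo "CloudFront invalidation created."`. `$BUCKET` is interpolated into the JMESPath `--query` string, which is fine only as long as it comes from the script's fixed environment mapping rather than from a caller-supplied argument.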
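Review bot: In ui/src/config.ts, each value in `config` falls back to `''` when its variable is missing, so a build without `VITE_GITHUB_CLIENT_ID` or `VITE_GITHUB_REDIRECT_URI` still ships and only fails later inside the OAuth flow, and an empty `apiBaseUrl` silently turns API calls into relative requests. Failing at load time is safer; the sketch below keeps the literal `process.env.VITE_*` accesses, which is presumably why the dynamic `process.env[name]` lookup was removed, and wraps each one in a presence check. If an empty base URL is intended for local development, exempt `apiBaseUrl` from the check. The `Config` interface starts above this hunk.

```typescript
function requireEnv(name: string, value: string | undefined): string {
  if (!value) {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

export const config: Config = {
  apiBaseUrl: requireEnv('VITE_API_URL', process.env.VITE_API_URL),
  githubClientId: requireEnv('VITE_GITHUB_CLIENT_ID', process.env.VITE_GITHUB_CLIENT_ID),
  githubRedirectUri: requireEnv('VITE_GITHUB_REDIRECT_URI', process.env.VITE_GITHUB_REDIRECT_URI),
};
```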