diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0dcbdbe..1944006 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -69,8 +69,10 @@ jobs:
 - name: Replace AWS account ID in task definition
 env:
 AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_GITHUB_PAT_ARN_ID: ${{ secrets.AWS_GITHUB_PAT_ARN_ID }}
 run: |
 sed -i 's|${AWS_ACCOUNT_ID}|'"$AWS_ACCOUNT_ID"'|' ${{ env.ECS_TASK_DEFINITION }}
+ sed -i 's|${AWS_GITHUB_PAT_ARN_ID}|'"$AWS_GITHUB_PAT_ARN_ID"'|' ${{ env.AWS_GITHUB_PAT_ARN_ID }}
 
 - name: Render Amazon ECS task definition
 id: render-task-def
@@ -78,7 +80,7 @@ jobs:
 with:
 task-definition: ${{ env.ECS_TASK_DEFINITION }}
 container-name: ${{ env.CONTAINER_NAME }}
- image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
 
 - name: Deploy Amazon ECS task definition
 uses: aws-actions/amazon-ecs-deploy-task-definition@v1
diff --git a/.github/workflows/task-definition.json b/.github/workflows/task-definition.json
index d57a162..79b80fa 100644
--- a/.github/workflows/task-definition.json
+++ b/.github/workflows/task-definition.json
@@ -15,6 +15,12 @@
 "hostPort": 3000
 }
 ],
+ "secrets": [
+ {
+ "name": "GITHUB_PAT",
+ "valueFrom": "arn:aws:secretsmanager:ap-east-1:${AWS_ACCOUNT_ID}:secret:${AWS_GITHUB_PAT_ARN_ID}"
+ }
+ ],
 "essential": true,
 "logConfiguration": {
 "logDriver": "awslogs",
diff --git a/terraform/main.tf b/terraform/main.tf
index 1915573..c442925 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -282,7 +282,12 @@ resource "aws_ecs_task_definition" "main" {
 }
 ]
 essential = true
-
+ secrets = [
+ {
+ name = "GITHUB_PAT"
+ valueFrom = data.aws_secretsmanager_secret.github_pat.arn
+ }
+ ]
 logConfiguration = {
 logDriver = "awslogs"
 options = {
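Review bot: The new `sed` line edits the wrong file: its last argument is `${{ env.AWS_GITHUB_PAT_ARN_ID }}`, which the step-level `env` resolves to the secret's value rather than to the task-definition path, so sed tries to open a file named after the secret and fails, and the `${AWS_GITHUB_PAT_ARN_ID}` placeholder in the task definition is never substituted. It should read `sed -i 's|${AWS_GITHUB_PAT_ARN_ID}|'"$AWS_GITHUB_PAT_ARN_ID"'|' ${{ env.ECS_TASK_DEFINITION }}`, mirroring the line above it. Expanding a secret through `${{ }}` also inlines its value into the generated shell script, whereas the shell variable form `"$AWS_GITHUB_PAT_ARN_ID"` keeps it out of the script text, so the shell variable should be the only way the value is referenced in this step. The step name "Replace AWS account ID in task definition" no longer describes what the step does; consider renaming it to cover both placeholders.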
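Review bot: Pinning the rendered image to `${{ github.sha }}` instead of `latest` only works if the build-and-push step tags the image with the same `${{ github.sha }}`; that step is outside this diff, so confirm it, otherwise the deploy references a tag that does not exist in the registry and the service rolls out nothing new. A one-line comment above `image:` such as `# tag must match the one pushed by the build step` would make that coupling visible to the next editor.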
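Review bot: The region `ap-east-1` is hard-coded inside the new `valueFrom` ARN while the account id and secret id are placeholders, so this file silently points at the wrong region if the stack is ever deployed elsewhere; if the workflow already carries a region value (not visible here), template it the same way as `${AWS_ACCOUNT_ID}`. The value the workflow substitutes for `${AWS_GITHUB_PAT_ARN_ID}` has to be whatever Secrets Manager accepts at the end of a `secret:` ARN, and JSON gives you nowhere to say so, so document the expected shape next to the `AWS_GITHUB_PAT_ARN_ID` secret in the workflow that fills it. This JSON and the `aws_ecs_task_definition` in `terraform/main.tf` now carry two hand-maintained copies of the same `secrets` entry, one by placeholder ARN and one by `data.aws_secretsmanager_secret.github_pat.arn`; they will drift unless one is generated from the other.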
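Review bot: The new `secrets` entry has no comment explaining how the value reaches the container or what makes it work; readers seeing `GITHUB_PAT` here will not know that the ECS agent fetches it at task start using the task execution role, not the task role. Add above `secrets = [` a comment such as `# Resolved by the ECS agent at task start via the execution role; see aws_iam_role_policy.ecs_task_execution_secrets_policy`. The change replaces a blank line rather than inserting after it, which is fine but worth keeping consistent with the surrounding block spacing.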
@@ -397,6 +402,31 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+resource "aws_iam_role_policy" "ecs_task_execution_secrets_policy" {
+ name = "${var.project_name}-ecs-task-secrets-policy"
+ role = aws_iam_role.ecs_task_execution_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "secretsmanager:GetSecretValue"
+ ]
+ Resource = [
+ data.aws_secretsmanager_secret.github_pat.arn
+ ]
+ }
+ ]
+ })
+}
+
+# secret
+ data "aws_secretsmanager_secret" "github_pat" {
+ name = "github-pat"
+}
+
 # cloudwatch
 resource "aws_cloudwatch_log_group" "ecs_logs" {
 name = "/ecs/${var.project_name}"
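Review bot: The policy scopes `secretsmanager:GetSecretValue` to the exact secret ARN, which is the right minimum, but if `github-pat` is encrypted with a customer-managed KMS key the execution role also needs `kms:Decrypt` on that key or the task fails at start; the key is not visible in this hunk, so either confirm the secret uses the AWS-managed key or add that statement. The `# secret` comment carries no information; replace it with a comment stating that the secret is created outside Terraform and must exist before `apply` (the `data` lookup errors otherwise), that its value is a GitHub personal access token the container reads as `GITHUB_PAT`, and which scopes that token is expected to have. `name = "github-pat"` is the one hard-coded name in the hunk while the policy name derives from `var.project_name`, so two stacks in the same account would share one token; if that is not intended, derive the secret name from `var.project_name` as well. The `data` block is indented one space deeper than `resource`, which `terraform fmt` will correct.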