diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..3c8cfd9
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,5 @@
+reviewapps:
+ - changed-files:
+ - all-globs-to-any-file:
+ - '!.github/**/*.yml'
+ - '!**/*.md'
diff --git a/.github/workflows/add-labels.yml b/.github/workflows/add-labels.yml
new file mode 100644
index 0000000..ed85256
--- /dev/null
+++ b/.github/workflows/add-labels.yml
@@ -0,0 +1,21 @@
+name: add labels for some cases
+
+on: pull_request
+
+jobs:
+ labeler:
+ runs-on: ubuntu-latest # windows-latest | macos-latest
+ if: ${{ ! startsWith(github.head_ref, 'renovate/') }}
+ steps:
+ # to trigger other Actions caused by adding reviewapp Label
+ - name: Generate token
+ id: generate_token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.APP_ID }}
+ private_key: ${{ secrets.PRIVATE_KEY }}
+
+ - id: label-the-PR
+ uses: actions/labeler@v5
+ with:
+ repo-token: ${{ steps.generate_token.outputs.token }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build-branch.yml
similarity index 92%
rename from .github/workflows/build.yml
rename to .github/workflows/build-branch.yml
index 0dffbce..05a0e01 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build-branch.yml
@@ -1,6 +1,8 @@
-name: build dreamkast-weaver image
+name: build dreamkast-weaver image when branches are pushed
-on: push
+on:
+ push:
+ branches: ["*"]
 jobs:
 build:
@@ -18,7 +20,7 @@ jobs:
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ap-northeast-1
+ aws-region: us-west-2
 - name: Login to Amazon ECR
 id: login-ecr
diff --git a/.github/workflows/build-tag.yml b/.github/workflows/build-tag.yml
new file mode 100644
index 0000000..a33d907
--- /dev/null
+++ b/.github/workflows/build-tag.yml
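Review bot: The rule under `all-globs-to-any-file` is built entirely from negated globs, and as I read labeler v5 it means "apply `reviewapps` when at least one changed file is neither a `.github` YAML file nor a Markdown file" — that intent is not visible from the config itself. A comment above `reviewapps:` such as `# apply 'reviewapps' when a PR touches anything other than CI config or docs` would spare the next reader a trip to the labeler docs. If labeler evaluates negated globs differently than described, fix the wording of the comment rather than the rule.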
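Review bot: The installation token minted by `tibdex/github-app-token@v2` carries every permission the App holds, yet its only consumer here is `actions/labeler@v5`, which needs write on pull requests (plus read on contents for the config); if the action version in use supports the `permissions` and `repositories` inputs, scoping the token there keeps a compromised labeler step from doing more than labeling. The workflow also declares no top-level `permissions:`, so the default `GITHUB_TOKEN` scope applies even though that token is never used — `permissions: {}` makes the intent explicit. On `pull_request` runs from forks, `secrets.APP_ID` and `secrets.PRIVATE_KEY` are not available and the token step will fail; if that is accepted, a comment on the `if:` line saying so would help. The trailing `# windows-latest | macos-latest` on `runs-on` reads as leftover scaffolding.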
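Review bot: `branches: ["*"]` does not match branch names that contain `/`, because `*` in workflow filters stops at a path separator, so pushes to branches like `feature/x` or `renovate/...` will no longer build, whereas the previous `on: push` built every ref. If every branch is intended, the filter is `branches: ["**"]`; if slash-named branches are deliberately skipped, a comment saying so would stop the next reader from "fixing" it.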
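Review bot: `aws-region` moves to `us-west-2` here while the new `build-tag.yml` in the same commit keeps `ap-northeast-1` with the same credentials and the same image name, so branch builds and tag builds will be pushed to ECR registries in two different regions. If both workflows are meant to feed the same registry, one of the two values is wrong; if the split is deliberate, a short comment on each `aws-region` line would document it.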
@@ -0,0 +1,49 @@
+name: build dreamkast-weaver image when tags are pushed
+
+on:
+ push:
+ tags: ["*"]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ap-northeast-1
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ steps.login-ecr.outputs.registry }}/dreamkast-weaver
+ tags: |
+ type=sha,prefix=,format=long
+ type=ref,event=tag
+
+ - name: Build
+ id: docker_build
+ uses: docker/build-push-action@v5
+ with:
+ context: ./
+ file: Dockerfile
+ builder: ${{ steps.buildx.outputs.name }}
+ push: true
+ provenance: false
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/.github/workflows/gitops-stg.yml b/.github/workflows/gitops-stg.yml
index 6b640fc..2fce639 100644
--- a/.github/workflows/gitops-stg.yml
+++ b/.github/workflows/gitops-stg.yml
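Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although its steps only check out code and use the Actions cache; a top-level `permissions: contents: read` is enough for them. Authentication to AWS relies on long-lived access keys stored as secrets; `aws-actions/configure-aws-credentials@v4` supports `role-to-assume` with GitHub OIDC (which needs `id-token: write` in that same block), which would take the static keys out of the repository entirely. `tags: ["*"]` has the same `/`-stops-matching behaviour as the branch filter in `build-branch.yml`, which is probably acceptable for tags but worth a comment if slash-named tags are used.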
@@ -78,3 +78,84 @@ jobs: pull_number: pr.data.number, merge_method: "squash", }); + + ecs: + runs-on: ubuntu-latest + steps: + - name: Install Go + uses: actions/setup-go@v5 + + - name: Install jsonnet + run: | + go install github.com/google/go-jsonnet/cmd/jsonnet@latest + go install github.com/google/go-jsonnet/cmd/jsonnetfmt@latest + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@v2 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.PRIVATE_KEY }} + + - name: Checkout dreamkast-infra + uses: actions/checkout@v4 + with: + repository: cloudnativedaysjp/dreamkast-infra + path: dreamkast-infra + token: ${{ steps.generate_token.outputs.token }} + + - name: Update image-tags + working-directory: dreamkast-infra/ecspresso/stg + run: | + cat << _EOL_ | jsonnet - > ./const.libsonnet.tmp + local const = import './const.libsonnet'; + + const + { + imageTags: const.imageTags + { + dreamkast_weaver: "${{ github.sha }}", + }, + } + _EOL_ + mv const.libsonnet.tmp const.libsonnet + jsonnetfmt -i const.libsonnet + + - name: Commit files + id: commit_files + continue-on-error: true + working-directory: dreamkast-infra/ + run: | + git config --local user.email "action@github.com" + git config --local user.name "GitHub Action" + git status + git add -A + git commit -am "Bump docker tag (${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA})" + + - name: Push changes + if: steps.commit_files.outcome == 'success' + uses: ad-m/github-push-action@master + with: + github_token: ${{ steps.generate_token.outputs.token }} + repository: cloudnativedaysjp/dreamkast-infra + directory: dreamkast-infra + branch: staging/weaver-main + + - name: Create and Merge Pull Request + if: steps.commit_files.outcome == 'success' + uses: "actions/github-script@v7" + with: + github-token: ${{ steps.generate_token.outputs.token }} + script: | + const pr = await github.rest.pulls.create({ + owner: "cloudnativedaysjp", + repo: "dreamkast-infra", + title: 
"Automated PR (staging/weaver-main)",
+ body: "**this PR is automatically created & merged**",
+ head: "staging/weaver-main",
+ base: "main"
+ });
+ await github.rest.pulls.merge({
+ owner: "cloudnativedaysjp",
+ repo: "dreamkast-infra",
+ pull_number: pr.data.number,
+ merge_method: "squash",
+ });
diff --git a/.github/workflows/reviewapp-cleanup.yml b/.github/workflows/reviewapp-cleanup.yml
new file mode 100644
index 0000000..11e12df
--- /dev/null
+++ b/.github/workflows/reviewapp-cleanup.yml
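Review bot: `ad-m/github-push-action@master` is a floating branch ref of a third-party action that is handed the App installation token, so whatever lands on that branch runs with push rights to `dreamkast-infra`; pin it to a release tag or, better, a commit SHA, e.g. `uses: ad-m/github-push-action@<pinned-tag-or-sha>` (placeholder). The same applies to `go install .../jsonnet@latest` and `.../jsonnetfmt@latest`, which put an unpinned build of the tool that rewrites `const.libsonnet` on the path; pin a version for reproducible renders. The new `ecs` job has no `needs:`, so if the `${{ github.sha }}` image is produced by another job in this workflow the tag bump can land before that image exists — the rest of the file is outside this hunk, so this may already be handled by the trigger.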
@@ -0,0 +1,91 @@ +name: cleanup reviewapps + +on: + schedule: + - cron: '*/30 * * * *' + +# this workflow should not work with cleanup workflow +concurrency: reviewapps + +jobs: + cleanup: + name: create reviewapp files to dreamkast-infra + runs-on: ubuntu-latest + steps: + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@v2 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.PRIVATE_KEY }} + + - name: Checkout dreamkast-infra + uses: actions/checkout@v4 + with: + repository: cloudnativedaysjp/dreamkast-infra + path: dreamkast-infra + token: ${{ steps.generate_token.outputs.token }} + + - name: Install ecspresso + uses: kayac/ecspresso@v2 + + - name: Cleanup + working-directory: dreamkast-infra/ecspresso/reviewapps + env: + GH_TOKEN: ${{ github.token }} + PREFIX: weaver- + shell: bash -x {0} + run: | + EXPECTED="$(gh pr list --repo ${{ github.repository }} --label 'reviewapps' --json number --jq '.[].number' | sed 's/^\(.*\)$/'$PREFIX'\1/g')" + ACTUAL="$(ls | grep -E ^$PREFIX)" + # If present only in ACTUAL, cleanup + for act in $ACTUAL; do + EXIST=false + for exp in $EXPECTED; do + [ "$act" = "$exp" ] && EXIST=true + done + [ $EXIST = true ] && continue + bash -x $act/cleanup.sh + rm -rf $act + done + - name: Commit files + id: commit_files + continue-on-error: true + working-directory: dreamkast-infra/ + run: | + git config --local user.email "action@github.com" + git config --local user.name "GitHub Action" + git status + git add -A + git commit -a -F- <> "$GITHUB_OUTPUT" + # the following is needed because it cannot be retrieved + # from ${{ github.sha }} if triggered by PullRequest Label + echo "pr_commit=$(gh pr view --json commits | jq -r '.commits[-1].oid')" >> "$GITHUB_OUTPUT" + + - name: Install Go + if: steps.check_if_reviewapp.outcome == 'success' + uses: actions/setup-go@v5 + + - name: Install jsonnet + if: steps.check_if_reviewapp.outcome == 'success' + run: | + go install 
github.com/google/go-jsonnet/cmd/jsonnet@latest + go install github.com/google/go-jsonnet/cmd/jsonnetfmt@latest + + - name: Generate token + if: steps.check_if_reviewapp.outcome == 'success' + id: generate_token + uses: tibdex/github-app-token@v2 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.PRIVATE_KEY }} + + - name: Configure AWS Credentials + if: steps.check_if_reviewapp.outcome == 'success' + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: Checkout dreamkast-infra + if: steps.check_if_reviewapp.outcome == 'success' + uses: actions/checkout@v4 + with: + repository: cloudnativedaysjp/dreamkast-infra + path: dreamkast-infra + token: ${{ steps.generate_token.outputs.token }} + + - name: Create reviewapps + if: steps.check_if_reviewapp.outcome == 'success' + working-directory: dreamkast-infra/ + run: ecspresso/reviewapps/build-reviewapp.sh + env: + REPOSITORY_NAME: ${{ github.repository }} + PR_NUMBER: ${{ steps.check_if_reviewapp.outputs.pr_number }} + IMAGE_TAG: ${{ steps.check_if_reviewapp.outputs.pr_commit }} + + - name: Commit files + id: commit_files + if: steps.check_if_reviewapp.outcome == 'success' + continue-on-error: true + working-directory: dreamkast-infra/ + run: | + git config --local user.email "action@github.com" + git config --local user.name "GitHub Action" + git status + git add -A + git commit -a -F- <> $GITHUB_OUTPUT - - - name: Labeling 'reviewapps' to PR - uses: actions/github-script@v6 - id: set-result - if: ${{ steps.check-paths-ignore.outputs.FLAG == 'false' }} - with: - result-encoding: string - script: | - const message = ` - Review app - * https://dreamkast-weaver-%d.dev.cloudnativedays.jp - `; - const targetLabel = 'reviewapps'; - issue = await github.rest.issues.get({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: 
context.issue.number, - }); - flag = false; - issue.data.labels.filter(label => { - if (label.name == targetLabel) { flag = true; }; - }); - if (!flag) { - github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - labels: [targetLabel] - }); - github.rest.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - body: message.replace("%d", context.issue.number), - }); - }