diff --git a/.github/workflows/build-gf.yml b/.github/workflows/build-gf.yml
new file mode 100644
index 0000000..00bf042
--- /dev/null
+++ b/.github/workflows/build-gf.yml
@@ -0,0 +1,62 @@
+name: Build-gf
+run-name: build-gf
+
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}}
+ env:
+ ECR_REPO: ab2d-contracts
+ TAG_PREFIX: contracts-service
+ AWS_ACCOUNT: ${{ secrets.GF_NON_PROD_ACCOUNT }}
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
+ with:
+ distribution: 'adopt'
+ java-version: '17'
+
+ - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+ with:
+ gradle-version: 8.4
+
+ - uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
+ with:
+ params: |
+ ARTIFACTORY_URL=/artifactory/url
+ ARTIFACTORY_USER=/artifactory/user
+ ARTIFACTORY_PASSWORD=/artifactory/password
+
+ - name: Assume role in target account
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ with:
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT }}:role/delegatedadmin/developer/ab2d-dev-github-actions
+
+ - name: Build libraries
+ run: |
+ gradle -b build.gradle bootJar -Dset.root.project.build.filename=true
+
+ - name: Build and push docker image
+ run: |
+ ECR_DOMAIN="$AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com"
+ SHA_SHORT=$(git rev-parse --short HEAD)
+ aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_DOMAIN
+ ECR_URI="$ECR_DOMAIN/$ECR_REPO"
+
+ if [ "$GITHUB_REF_NAME" == "main" ]; then
+ TAG_SHORT="$TAG_PREFIX-main-$SHA_SHORT"
+ else
+ TAG_SHORT="$TAG_PREFIX-$GITHUB_REF_NAME"
+ fi
+
+ docker build -t "$ECR_URI:$TAG_SHORT" .
+ docker push "$ECR_URI" --all-tags
+ echo "Published **$ECR_URI:$TAG_SHORT**" >> $GITHUB_STEP_SUMMARY
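Review bot: `docker push "$ECR_URI" --all-tags` in the last step publishes every image tagged under that repository on the runner, not only the one just built, so any other tag present locally would be pushed as well; push the specific tag instead, `docker push "$ECR_URI:$TAG_SHORT"`. The non-main tag `$TAG_PREFIX-$GITHUB_REF_NAME` is not sanitised, so a branch name containing `/` yields an invalid image tag and `docker build -t` fails, and unlike the main tag it carries no commit SHA, so repeated pushes silently overwrite a mutable tag; including `$SHA_SHORT` in both branches would make every published tag traceable to a commit. Most steps are pinned to a commit SHA, but `aws-params-env-action@main` here, `configure-aws-credentials@v4.0.2` in promote-gf.yml, and `actions/checkout@v4` plus `sonarqube-quality-gate-action@master` in test-gf.yml resolve a mutable ref at run time; pinning them to a SHA with a version comment, as the other steps do, keeps the supply-chain posture consistent across the four workflows.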
diff --git a/.github/workflows/deploy-gf.yml b/.github/workflows/deploy-gf.yml
new file mode 100644
index 0000000..b5d814d
--- /dev/null
+++ b/.github/workflows/deploy-gf.yml
@@ -0,0 +1,42 @@
+name: Deploy contracts GF
+run-name: deploy-gf ${{ inputs.environment }} ${{ inputs.image_tag_suffix }}
+
+on:
+ workflow_call:
+ inputs:
+ environment:
+ required: true
+ type: string
+ tag_suffix:
+ required: true
+ type: string
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: AB2D environment
+ required: true
+ type: choice
+ options:
+ - dev
+ - test
+ - sandbox
+ - prod
+ image_tag_suffix:
+ description: Image tag suffix
+ required: false
+ type: string
+
+jobs:
+ apply_tofu:
+ permissions:
+ contents: read
+ id-token: write
+ uses: cmsgov/ab2d/.github/workflows/terraform-microservices-gf.yml@main # TODO set to main
+ with:
+ environment: ${{ inputs.environment }}
+ contracts_service_image: contracts-service-${{ inputs.image_tag_suffix || github.ref }}
+ apply: true
+ ref: main
+ runner: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}}
+ secrets:
+ aws_account: ${{contains(fromJSON('["dev", "test"]'), inputs.environment) && secrets.GF_NON_PROD_ACCOUNT || secrets.GF_PROD_ACCOUNT}}
diff --git a/.github/workflows/promote-gf.yml b/.github/workflows/promote-gf.yml
new file mode 100644
index 0000000..ca67b07
--- /dev/null
+++ b/.github/workflows/promote-gf.yml
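Review bot: `contracts_service_image: contracts-service-${{ inputs.image_tag_suffix || github.ref }}` reads `inputs.image_tag_suffix`, but the `workflow_call` trigger declares the input as `tag_suffix`, so a caller's value is never seen and the expression always falls back to `github.ref`; that is the full ref (for example `refs/heads/main`), which contains `/` and matches neither tag format build-gf.yml produces (`contracts-service-main-<sha>` or `contracts-service-<branch>`). Declaring the `workflow_call` input as `image_tag_suffix` (or reading `inputs.tag_suffix`) and falling back to `github.ref_name` would make the two triggers consistent; promote-gf.yml has the same `tag_suffix`/`image_tag_suffix` mismatch and the same `github.ref` fallback in its `TAG_NAME` env. The `aws_account` expression routes every `environment` value other than `dev` or `test` to `secrets.GF_PROD_ACCOUNT`, and under `workflow_call` `environment` is an unconstrained string, so a mistyped value from a caller would be applied against the prod account; a preceding validation job that rejects values outside the four dispatch options would close that gap. The `# TODO set to main` comment on the `uses:` line is already satisfied and should be dropped.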
@@ -0,0 +1,69 @@
+name: promote-gf
+run-name: promote-gf ${{ inputs.image_tax_prefix }}
+
+on:
+ workflow_call:
+ inputs:
+ tag_suffix:
+ required: true
+ type: string
+ workflow_dispatch:
+ inputs:
+ image_tag_suffix:
+ description: Docker tag suffix
+ required: false
+ type: string
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ promote:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}}
+ env:
+ TAG_NAME: contracts-service-${{ inputs.image_tag_suffix || github.ref }}
+ SOURCE_REPO: ab2d-contracts
+ steps:
+ - name: Define destination repo
+ id: repos
+ run: |
+ echo "DEST_REPO=ab2d-contracts" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to source account (pull from test)
+ uses: aws-actions/configure-aws-credentials@v4.0.2
+ with:
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: arn:aws:iam::${{ secrets.GF_NON_PROD_ACCOUNT }}:role/delegatedadmin/developer/ab2d-dev-github-actions
+
+ - name: Pull image from test ECR
+ id: pull-image
+ run: |
+ ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ SRC_ECR="$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
+ docker login --username AWS --password-stdin $SRC_ECR <<< $(aws ecr get-login-password)
+ echo "Pulling $SRC_ECR/$SOURCE_REPO:$TAG_NAME"
+ docker pull "$SRC_ECR/$SOURCE_REPO:$TAG_NAME"
+ echo "IMAGE=$SRC_ECR/$SOURCE_REPO:$TAG_NAME" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to destination account (push)
+ uses: aws-actions/configure-aws-credentials@v4.0.2
+ with:
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: |
+ arn:aws:iam::${{ secrets.GF_PROD_ACCOUNT }}:role/delegatedadmin/developer/ab2d-sandbox-github-actions
+
+ - name: Tag and push image to destination ECR
+ env:
+ DEST_REPO: ${{ steps.repos.outputs.DEST_REPO }}
+ IMAGE: ${{ steps.pull-image.outputs.IMAGE }}
+ run: |
+ ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ 
DEST_ECR="$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
+ docker login --username AWS --password-stdin $DEST_ECR <<< $(aws ecr get-login-password)
+ echo "Tagging and pushing image to $DEST_ECR/$DEST_REPO:$TAG_NAME"
+ docker tag "$IMAGE" "$DEST_ECR/$DEST_REPO:$TAG_NAME"
+ docker push "$DEST_ECR/$DEST_REPO:$TAG_NAME"
diff --git a/.github/workflows/test-gf.yml b/.github/workflows/test-gf.yml
new file mode 100644
index 0000000..babe7f3
--- /dev/null
+++ b/.github/workflows/test-gf.yml
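Review bot: `run-name: promote-gf ${{ inputs.image_tax_prefix }}` references an input that does not exist (the declared inputs are `tag_suffix` and `image_tag_suffix`), so the run name always renders with an empty suffix; it should read `${{ inputs.image_tag_suffix }}`. The destination `role-to-assume: |` block scalar keeps a trailing newline in the ARN, which only works if the action trims its inputs; the source step writes the same kind of value as a plain scalar and the destination step should match it (or use `>-`). In both login steps, `docker login ... <<< $(aws ecr get-login-password)` feeds whatever `get-login-password` printed, including an empty string when it fails, because the exit status of a command substitution in a here-string is lost; capturing it first, `PW=$(aws ecr get-login-password)` followed by `docker login ... <<< "$PW"`, lets the step fail before a login is attempted. The `Tag and push image to destination ECR` step is split across two physical lines of this diff chunk, so its last lines are read from the continuation.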
@@ -0,0 +1,81 @@
+name: Unit tests and static analysis GF
+
+on:
+ workflow_call:
+ workflow_dispatch: # Allow manual trigger
+
+jobs:
+ test:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}}
+ env:
+ ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
+ with:
+ distribution: 'adopt'
+ java-version: '17'
+
+ - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+ with:
+ gradle-version: 8.4
+
+ - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ with:
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: arn:aws:iam::${{ secrets.GF_NON_PROD_ACCOUNT }}:role/delegatedadmin/developer/ab2d-test-github-actions
+
+ - uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
+ env:
+ AWS_REGION: ${{ vars.AWS_REGION }}
+ with:
+ params: |
+ ARTIFACTORY_URL=/artifactory/url
+ ARTIFACTORY_USER=/artifactory/user
+ ARTIFACTORY_PASSWORD=/artifactory/password
+ SONAR_HOST_URL=/sonarqube/url
+ SONAR_TOKEN=/sonarqube/token
+
+ - uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ with:
+ secret-ids: |
+ HPMS_AUTH_KEY_ID, ab2d/ab2d-east-impl/module/db/ab2d_hpms_auth_key_id/2020-01-02-09-15-01
+ HPMS_AUTH_KEY_SECRET, ab2d/ab2d-east-impl/module/db/ab2d_hpms_auth_key_secret/2020-01-02-09-15-01
+
+ - name: Build files
+ run: |
+ gradle build -x test --info
+
+ - name: Do tests
+ run: |
+ gradle clean test --info build
+
+ - name: Build Jar
+ run: |
+ gradle jar --info build
+
+ - name: Gradle task
+ run: |
+ gradle task
+
+ - name: SonarQube Analysis
+ run: |
+ gradle sonar \
+ -Dsonar.projectKey=ab2d-contracts \
+ -Dsonar.host.url=https://sonarqube.cloud.cms.gov \
+ -Dsonar.login=$SONAR_TOKEN
+
+ - name: 
Quality Gate
+ id: sonarqube-quality-gate-check
+ uses: sonarsource/sonarqube-quality-gate-action@master
+ with:
+ scanMetadataReportFile: build/sonar/report-task.txt
+ timeout-minutes: 10
diff --git a/build.gradle b/build.gradle
index 2bf3a20..bbda09d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -22,7 +22,7 @@ ext {
 allprojects {
 apply plugin: "org.cyclonedx.bom"
 dependencies {
- implementation 'gov.cms.ab2d:ab2d-events-client:3.3.5'
+ implementation 'gov.cms.ab2d:ab2d-events-client:3.3.6'
 implementation 'gov.cms.ab2d:ab2d-contracts-client:2.1.0'
 implementation 'gov.cms.ab2d:ab2d-properties-client:2.1.0'
 implementation "io.awspring.cloud:spring-cloud-aws:${springCloudAwsVersion}"
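Review bot: `-Dsonar.host.url=https://sonarqube.cloud.cms.gov` in the SonarQube Analysis step hard-codes the server even though `SONAR_HOST_URL` is fetched from parameter store two steps earlier, so the two can drift; use `-Dsonar.host.url=$SONAR_HOST_URL`. Passing the token as `-Dsonar.login=$SONAR_TOKEN` puts it on the command line, where process listings and any tooling that echoes the invocation can see it, and `sonar.login` is deprecated in recent SonarQube releases in favour of `sonar.token`; the Gradle scanner reads a `SONAR_TOKEN` environment variable, which the params step already exports, so the argument can likely be dropped (confirm against the scanner version the build uses). `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` opts the whole job into running actions on an end-of-life Node runtime with no comment saying which step needs it; add one such as `# needed by <step name> until it ships a current Node runtime; remove afterwards` so it does not outlive its reason. The `Quality Gate` step name is split across two physical lines of this diff chunk.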