diff --git a/.dockerignore b/.dockerignore
index 87dc6da..a863019 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,5 +3,6 @@ node_modules
 .git
 .env
 .env.local
+.env.production
 *.md
 .playwright-mcp
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..a62f8e9
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,44 @@
+workflow:
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "web"'
+    - when: never
+
+stages:
+  - publish
+
+variables:
+  DOCKER_HOST: tcp://docker:2375
+  DOCKER_TLS_CERTDIR: ""
+  DOCKER_DRIVER: overlay2
+  DEFAULT_IMAGE_REPO: swr.cn-north-1.myhuaweicloud.com/sino-bridge/sinocode-analytics
+  PUSH_LATEST: "true"
+
+publish:huawei-swr:
+  stage: publish
+  image: docker:28.0.4-cli
+  services:
+    - name: docker:28.0.4-dind
+      command: ["--tls=false"]
+  script:
+    - |
+      if [ -z "${DOCKER_LOGIN_COMMAND:-}" ]; then
+        echo "Set DOCKER_LOGIN_COMMAND when running the pipeline."
+        exit 1
+      fi
+    - sh -lc "$DOCKER_LOGIN_COMMAND"
+    - |
+      IMAGE_REPO="${IMAGE_REPO:-$DEFAULT_IMAGE_REPO}"
+      IMAGE_TAG="${IMAGE_TAG:-$CI_COMMIT_SHORT_SHA}"
+      IMAGE_REF="$IMAGE_REPO:$IMAGE_TAG"
+
+      echo "Building $IMAGE_REF"
+      docker build --pull -t "$IMAGE_REF" .
+      docker push "$IMAGE_REF"
+
+      if [ "${PUSH_LATEST:-true}" = "true" ]; then
+        LATEST_REF="$IMAGE_REPO:latest"
+        docker tag "$IMAGE_REF" "$LATEST_REF"
+        docker push "$LATEST_REF"
+      fi
+
+      echo "Published $IMAGE_REF"
diff --git a/README.md b/README.md
index d49b738..b71da5d 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,16 @@ The default `docker-compose.yml` expects `.env.production` and an external Docke
 
 For Coolify deployments, use `docker-compose.coolify.yml`. It expects runtime environment variables from Coolify and an external Docker network named `coolify`.
 
+## GitLab Manual Publish
+
+Run the GitLab pipeline manually and set `DOCKER_LOGIN_COMMAND` to the full Huawei Cloud SWR login command.
+
+Optional variables:
+
+- `IMAGE_REPO`: defaults to `swr.cn-north-1.myhuaweicloud.com/sino-bridge/sinocode-analytics`
+- `IMAGE_TAG`: defaults to the Git commit short SHA
+- `PUSH_LATEST`: defaults to `true`
+
 ## Operational Notes
 
 - API query parameters are validated at the route layer. Invalid integers or reversed date ranges return HTTP 400.