diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index f95d6d2..22e40ab 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -10,17 +10,17 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     environment: production
-
-    # Add permissions to the job
-    permissions:
-      contents: "read"
-      id-token: "write"
+    # to avoid concurrent prod deployments on rapid pushes.
+    concurrency:
+      group: cd-${{ github.ref }}
+      cancel-in-progress: true
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
+        id: setup-buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Cache
@@ -50,7 +50,9 @@ jobs:
           context: .
           file: ./Dockerfile
           push: true
-          tags: ${{ vars.DOCKER_USERNAME }}/subscriptions:latest
+          tags: |-
+            ${{ vars.DOCKER_USERNAME }}/subscriptions:latest
+            ${{ vars.DOCKER_USERNAME }}/subscriptions:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -61,12 +63,13 @@ jobs:
           credentials_json: "${{ secrets.GCP_SA_KEY }}"
 
       - name: Deploy to Google Cloud Run
+        id: deploy
         uses: google-github-actions/deploy-cloudrun@v2
         with:
           service: ${{ vars.GCP_CLOUD_RUN_SERVICE }} # The name of your Cloud Run service
           region: ${{ vars.GCP_CLOUD_RUN_REGION }} # The region of your service (e.g., us-central1)
-          image: ${{ vars.DOCKER_USERNAME }}/subscriptions:latest
-          flags: '--allow-unauthenticated' # This flag grants public access
+          image: ${{ vars.DOCKER_USERNAME }}/subscriptions:${{ github.sha }}
+          flags: "--allow-unauthenticated" # This flag grants public access
           env_vars: |-
             RUST_LOG=${{ vars.RUST_LOG }}
             SUBSCRIPTIONS__PORT=${{ vars.SUBSCRIPTIONS__PORT }}
@@ -80,6 +83,7 @@ jobs:
             SUBSCRIPTIONS__EMAIL_CLIENT__SENDER_EMAIL=${{ vars.SUBSCRIPTIONS__EMAIL_CLIENT__SENDER_EMAIL }}
             SUBSCRIPTIONS__EMAIL_CLIENT__BASE_URL=${{ vars.SUBSCRIPTIONS__EMAIL_CLIENT__BASE_URL }}
             SUBSCRIPTIONS__EMAIL_CLIENT__AUTH_TOKEN=${{ secrets.SUBSCRIPTIONS__EMAIL_CLIENT__AUTH_TOKEN }}
+            SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT=${{ vars.SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT }}
 
       - name: Deployment URL
         run: 'echo "${{ steps.deploy.outputs.url }}"'