diff --git a/.github/workflows/deploy_helmfile.yaml b/.github/workflows/deploy_helmfile.yaml
index aca6c00..1c19a7f 100644
--- a/.github/workflows/deploy_helmfile.yaml
+++ b/.github/workflows/deploy_helmfile.yaml
@@ -91,6 +91,23 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
+      - name: clone repository
+        uses: actions/checkout@v4
+
+      - name: Tailscale VPN
+        uses: tailscale/github-action@v2
+        if: inputs.enableVpn == 'true'
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:ci
+          version: 1.76.1
+
+      # Bug https://github.com/tailscale/github-action/issues/107
+      #- name: Tailscale sleep workaround
+      #  run: |
+      #    sleep 10
+
       - name: Send notification to slack
         if: inputs.slackChannelId != ''
         uses: slackapi/slack-github-action@v1.26.0
@@ -131,9 +148,6 @@ jobs:
               ]
             }
 
-      - name: clone repository
-        uses: actions/checkout@v4
-
       # There is no public action that would give us the abilities we need. Meaning:
       #   - helmfile
       #   - eksctl
@@ -187,20 +201,6 @@ jobs:
       - name: setup kubeconfig
         run: aws eks update-kubeconfig --name ${{ inputs.eksClusterName }} $OPTIONAL_PARAMS
 
-      - name: Tailscale VPN
-        uses: tailscale/github-action@v2
-        if: inputs.enableVpn == 'true'
-        with:
-          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
-          tags: tag:ci
-          version: 1.76.1
-
-      # Bug https://github.com/tailscale/github-action/issues/107
-      - name: Tailscale sleep workaround
-        run: |
-          sleep 10
-
       - name: helmfile ${{ inputs.helmfileCommand }}
         run: |
           export $(echo ${{ inputs.envVariables }})