diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5e68998d..3e580644 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,34 +5,6 @@ on:
   workflow_dispatch:
 
 jobs:
-  ci_block:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: block on ci workflows
-        id: block
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          MIN_WAIT: 30
-          MAX_WAIT: 300
-        run: bash ./scripts/ci_concurrency.sh
-  dependabot:
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v1
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Enable auto-merge for Dependabot PRs
-        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
   go_checks:
     runs-on: ubuntu-latest
     container: eversc/go-pr-checks:1.19
@@ -57,27 +29,6 @@ jobs:
       - name: go test
         run: |
           go test ./... -v
-  test_cloudfunction_deploy:
-    runs-on: ubuntu-latest
-    container: google/cloud-sdk
-    steps:
-      - uses: actions/checkout@v3
-      - name: deploy cloudfunction
-        env:
-          GCLOUD_SERVICE_KEY: ${{ secrets.gcloud_service_key }}
-        run: |
-          echo $GCLOUD_SERVICE_KEY | base64 -d | gcloud auth activate-service-account --key-file=-
-          export RAND_SUFFIX=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 8 ; echo '')
-          gcloud functions deploy ckr-dummy-$RAND_SUFFIX \
-          --region europe-west1 \
-          --entry-point Request \
-          --runtime go119 \
-          --trigger-http \
-          --project pe-dev-185509
-          gcloud functions delete ckr-dummy-$RAND_SUFFIX \
-          --region europe-west1 \
-          --project pe-dev-185509 \
-          --quiet
   docker_build:
     runs-on: ubuntu-latest
     steps:
@@ -103,24 +54,3 @@ jobs:
       - name: terraform validate
         id: validate
         run: terraform validate -no-color -test-directory=tf_module/ckr_gcp
-  e2e_test:
-    runs-on: ubuntu-latest
-    container: eversc/aws-cli:1.19
-    needs: ci_block
-    steps:
-      - uses: actions/checkout@v3
-      - name: e2e test rotation
-        env:
-          CKR_CREDENTIALS_GITHUBAPITOKEN: ${{ secrets.CKR_GITHUB_TOKEN }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_E2E_TEST }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_E2E_TEST }}
-        run: |
-          export GO111MODULE=on
-          go build -o cloud-key-rotator ./cmd
-          chmod u+x cloud-key-rotator
-          aws secretsmanager get-secret-value --secret-id ckr-config --region eu-west-1 --query SecretString --output text > config.json
-          echo "used aws creds"
-          ./cloud-key-rotator rotate
-          rm config.json
-          sleep 10
-          if $(aws sts get-caller-identity >/dev/null 2>/dev/null); then exit 1; fi
diff --git a/.github/workflows/dependabot_automerge.yml b/.github/workflows/dependabot_automerge.yml
new file mode 100644
index 00000000..f34983fe
--- /dev/null
+++ b/.github/workflows/dependabot_automerge.yml
@@ -0,0 +1,25 @@
+name: Dependabot Automerge
+on:
+  workflow_run:
+    workflows: ["E2E tests"]
+    types:
+      - completed
+
+jobs:
+  dependabot:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
new file mode 100644
index 00000000..f9209987
--- /dev/null
+++ b/.github/workflows/e2e.yml
@@ -0,0 +1,61 @@
+name: E2E tests
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
+
+jobs:
+  test_cloudfunction_deploy:
+    runs-on: ubuntu-latest
+    container: google/cloud-sdk
+    steps:
+      - uses: actions/checkout@v3
+      - name: deploy cloudfunction
+        env:
+          GCLOUD_SERVICE_KEY: ${{ secrets.gcloud_service_key }}
+        run: |
+          echo $GCLOUD_SERVICE_KEY | base64 -d | gcloud auth activate-service-account --key-file=-
+          export RAND_SUFFIX=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 8 ; echo '')
+          gcloud functions deploy ckr-dummy-$RAND_SUFFIX \
+          --region europe-west1 \
+          --entry-point Request \
+          --runtime go119 \
+          --trigger-http \
+          --project pe-dev-185509
+          gcloud functions delete ckr-dummy-$RAND_SUFFIX \
+          --region europe-west1 \
+          --project pe-dev-185509 \
+          --quiet
+  ci_block:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: block on ci workflows
+        id: block
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          MIN_WAIT: 30
+          MAX_WAIT: 300
+        run: bash ./scripts/ci_concurrency.sh
+  e2e_test:
+    runs-on: ubuntu-latest
+    container: eversc/aws-cli:1.19
+    needs: ci_block
+    steps:
+      - uses: actions/checkout@v3
+      - name: e2e test rotation
+        env:
+          CKR_CREDENTIALS_GITHUBAPITOKEN: ${{ secrets.CKR_GITHUB_TOKEN }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_E2E_TEST }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_E2E_TEST }}
+        run: |
+          export GO111MODULE=on
+          go build -o cloud-key-rotator ./cmd
+          chmod u+x cloud-key-rotator
+          aws secretsmanager get-secret-value --secret-id ckr-config --region eu-west-1 --query SecretString --output text > config.json
+          echo "used aws creds"
+          ./cloud-key-rotator rotate
+          rm config.json
+          sleep 10
+          if $(aws sts get-caller-identity >/dev/null 2>/dev/null); then exit 1; fi