diff --git a/.github/workflows/deploy-env.yml b/.github/workflows/deploy-env.yml
index c27f5c18..7dc32f67 100644
--- a/.github/workflows/deploy-env.yml
+++ b/.github/workflows/deploy-env.yml
@@ -13,6 +13,7 @@ on:
 jobs:
 deploy:
 name: Deploy to ${{ inputs.env }} (${{ inputs.account_id }})
+ if: github.ref_name == 'main'
 runs-on: ubuntu-latest
 environment: ${{ inputs.env }}
 env:
@@ -28,15 +29,34 @@ jobs:
 with:
 aws-region: eu-west-1
 role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/kitu-github-actions-role
- - name: Diff
- if: github.ref_name != 'main'
- run: |
- npm ci
- npx cdk diff --all --require-approval=never
- working-directory: infra
 - name: Deploy
 if: github.ref_name == 'main'
 run: |
 npm ci
 npx cdk deploy --all --require-approval=never
 working-directory: infra
+
+ diff:
+ name: Diff to ${{ inputs.env }} (${{ inputs.account_id }})
+ if: github.ref_name != 'main'
+ runs-on: ubuntu-latest
+ env:
+ KITU_ENV: ${{ inputs.env }}
+ ACCOUNT_ID: ${{ inputs.account_id }}
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ - name: Log in to ${{ env.KITU_ENV }}
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: eu-west-1
+ role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/kitu-github-actions-role
+ - name: Diff
+ if: github.ref_name != 'main'
+ run: |
+ npm ci
+ npx cdk diff --all --require-approval=never
+ working-directory: infra
+
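Review bot: The job-level guard `if: github.ref_name == 'main'` compares the short ref name, which is also `main` for a tag named `main`; because this condition now gates the job that assumes the deploy role, compare the full ref instead: `if: github.ref == 'refs/heads/main'`. With the job-level condition in place, the step-level `if: github.ref_name == 'main'` on the Deploy step in the second hunk is redundant and can be dropped. The deploy job's body continues outside this hunk, so any other conditions on its steps are not visible here.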
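Review bot: The new `diff` job assumes the same `kitu-github-actions-role` as the deploy job, but on every non-main ref and without `environment:`, so branch-controlled code (`npm ci` lifecycle scripts and the CDK app itself) runs with whatever that role is allowed to do. Dropping `environment:` also changes the OIDC subject claim from the environment form to the ref form, so the role's trust policy presumably has to accept arbitrary branch refs for this job to succeed; confirm that this is intended. Consider a separate read-only role for diffs, e.g. `role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/<READ_ONLY_DIFF_ROLE>` (placeholder name), and installing with `npm ci --ignore-scripts`. The step-level `if: github.ref_name != 'main'` on the Diff step duplicates the job-level condition and can be removed.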