diff --git a/.github/workflows/kubernetes-sync.yml b/.github/workflows/kubernetes-sync.yml
index b6451a736d37d..5791f2825f794 100644
--- a/.github/workflows/kubernetes-sync.yml
+++ b/.github/workflows/kubernetes-sync.yml
@@ -14,19 +14,6 @@ jobs:
 outputs:
 new-release-branches: ${{ steps.create-release-branches.outputs.NEW_RELEASE_BRANCHES }}
 steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- path: 'rancher-k8s'
- fetch-depth: 0
- fetch-tags: true
-
- - name: Configure git user
- run: |
- echo "[INFO] Setting up git user in git repository."
- git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
-
 - name: Read App Secrets
 uses: rancher-eio/read-vault-secrets@main
 with:
@@ -39,6 +26,19 @@ jobs:
 with:
 app-id: ${{ env.APP_ID }}
 private-key: ${{ env.PRIVATE_KEY }}
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ path: 'rancher-k8s'
+ fetch-depth: 0
+ fetch-tags: true
+ token: ${{ steps.app-token.outputs.token }}
+
+ - name: Configure git user
+ run: |
+ echo "[INFO] Setting up git user in git repository."
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git config --global user.name "github-actions[bot]"
 - name: Fetch the new tags from kubernetes/kubernetes repository
 run: $GITHUB_WORKSPACE/rancher-k8s/scripts/check-for-new-tag.sh
@@ -48,8 +48,6 @@ jobs:
 run: |
 cd rancher-k8s
 $GITHUB_WORKSPACE/rancher-k8s/scripts/create-release-branch.sh
- env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 # - name: 'Tar files'
 # run: |
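Review bot: The added `token: ${{ steps.app-token.outputs.token }}` on the first job's checkout (second hunk) leaves the App token in the `rancher-k8s` git configuration, because actions/checkout persists credentials by default, so every later step in the job can authenticate with it rather than only the create-release-branch step that used to receive `GITHUB_TOKEN`. The second job's checkout of `${{ matrix.branches }}` gets the same input, and there the token sits in the workspace while `dapper ci` builds that branch. If the token is needed only for the pushes, I would set `persist-credentials: false` on both checkouts and keep the token on the push steps. If the persisted credential is intended, say so above `token:` with a comment such as `# App token is persisted by checkout so the release-branch script can push as the App`. The rest of the job lies outside this hunk, so what the scripts do with the credential is not visible here.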
@@ -81,10 +79,24 @@ jobs:
 git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git config --global user.name "github-actions[bot]"
+ - name: Read App Secrets
+ uses: rancher-eio/read-vault-secrets@main
+ with:
+ secrets: |
+ secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
+ secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
+ - name: Create App Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ env.APP_ID }}
+ private-key: ${{ env.PRIVATE_KEY }}
+
 - name: Checkout repository with branch ${{ matrix.branches }}
 uses: actions/checkout@v4
 with:
 ref: ${{ matrix.branches }}
+ token: ${{ steps.app-token.outputs.token }}
 # - name: Download git repo from artifact
 # uses: actions/download-artifact@v4
@@ -96,20 +108,6 @@ jobs:
 # tar -zxf rancher-k8s.tar.gz
 # rm rancher-k8s.tar.gz
-
- - name: Read App Secrets
- uses: rancher-eio/read-vault-secrets@main
- with:
- secrets: |
- secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
- secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
- - name: Create App Token
- uses: actions/create-github-app-token@v1
- id: app-token
- with:
- app-id: ${{ env.APP_ID }}
- private-key: ${{ env.PRIVATE_KEY }}
-
 - name: Build with Dapper for ${{ matrix.branches }}
 run: dapper ci
@@ -139,5 +137,4 @@ jobs:
 echo "[INFO] Successfully pushed tag $TAG: https://github.com/rancher/kubernetes/releases/tag/$TAG"
 fi
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 RELEASE_BRANCH: ${{ matrix.branches }}
\ No newline at end of file
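Review bot: The re-added `uses: rancher-eio/read-vault-secrets@main` step in the second job (first hunk on this line) tracks a mutable branch while it handles the GitHub App private key (`privateKey | PRIVATE_KEY`), so any later change to that branch runs with access to the key. Since the step is being moved anyway, I would pin it to a reviewed commit, `uses: rancher-eio/read-vault-secrets@<full-commit-sha> # main`, and do the same for the unchanged copy in the first job. `actions/create-github-app-token@v1` and `actions/checkout@v4` are movable tags and would benefit from the same pinning. The secrets are read back through `env.APP_ID` and `env.PRIVATE_KEY`, so they appear to stay in the job environment for the later steps, including `dapper ci`. A comment on the step noting that exposure would help the next reader.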