diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 326f521b..9ebcf351 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -37,13 +37,6 @@ jobs:
           go-version: "1.23"
           check-latest: true
 
-      - name: Get test OIDC token
-        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main
-
-      - name: export OIDC token
-        run: |
-          echo "SIGSTORE_ID_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV
-
       - name: e2e unit tests
         run: |
           set -e
@@ -69,6 +62,14 @@ jobs:
 
           # Verify tool is on our path
           gitsign -h
+
+      # Fetch OIDC token as close to the test as possible to avoid it expiring.
+      - name: Get test OIDC token
+        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main
+      - name: export OIDC token
+        run: |
+          echo "SIGSTORE_ID_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV
+
       - name: Test Sign and Verify commit
         run: |
           set -e