diff --git a/.github/actions/open-ssh-tunnel/action.yml b/.github/actions/open-ssh-tunnel/action.yml new file mode 100644 index 00000000..36567cbd --- /dev/null +++ b/.github/actions/open-ssh-tunnel/action.yml @@ -0,0 +1,25 @@ +name: deploy-helm +description: "Helm deploy" + +inputs: + bastion_user: + description: username@host for the ssh tunnel + required: true + type: string + bastion_ssh_key: + description: private ssh key content + required: true + type: string + +runs: + using: "composite" + steps: + - run: | + mkdir .ssh; + BASTION_USER=${{ inputs.bastion_user}}; + echo ${{ inputs.bastion_ssh_key }} | base64 -d > .ssh/github_bastion; + chmod 600 .ssh/github_bastion; + ssh-keyscan ${BASTION_USER#*@} > .ssh/known_hosts 2> /dev/null; + chmod 644 .ssh/known_hosts; + ssh -i .ssh/github_bastion ${{ inputs.bastion_user }} -o UserKnownHostsFile=.ssh/known_hosts -D 1080 -f -q -N; + shell: bash diff --git a/.github/workflows/reusable.build-deploy.yml b/.github/workflows/reusable.build-deploy.yml index 1164dd55..dfd8b697 100644 --- a/.github/workflows/reusable.build-deploy.yml +++ b/.github/workflows/reusable.build-deploy.yml @@ -63,6 +63,12 @@ on: SSH_PRIVATE_KEY: description: ssh key to private submodule required: false + BASTION_USER: + description: ssh bastion user@server + required: true + BASTION_SSH_KEY: + description: bastion ssh key + required: true jobs: @@ -131,6 +137,12 @@ jobs: with: ref: ${{ inputs.commit }} + - name: Open ssh tunnel + uses: paulscherrerinstitute/scicat-ci/.github/actions/open-ssh-tunnel@bastion_ssh + with: + bastion_user: '${{ secrets.BASTION_USER }}' + bastion_ssh_key: '${{ secrets.BASTION_SSH_KEY }}' + - name: Deploy to k8s using helm id: helm-deploy uses: paulscherrerinstitute/scicat-ci/.github/actions/deploy-helm@main diff --git a/.github/workflows/scicat-search-api.yml b/.github/workflows/scicat-search-api.yml index 67e0cc89..64a414b7 100644 --- a/.github/workflows/scicat-search-api.yml +++ b/.github/workflows/scicat-search-api.yml 
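Review bot: The `ssh-keyscan ${BASTION_USER#*@} > .ssh/known_hosts` line trusts whatever host key answers at run time, so the `UserKnownHostsFile` handed to `ssh` authenticates nothing; the bastion's public host key should come from a value maintained out of band (for example a new `bastion_known_hosts` input), with `StrictHostKeyChecking=yes` set. The same step pastes `${{ inputs.bastion_user }}` and `${{ inputs.bastion_ssh_key }}` unquoted into the script text, where they are parsed as shell, and it writes the private key under `.ssh/` in the workspace next to the checked-out sources, where a later packaging or upload step could pick it up. Passing the inputs through `env:` and keeping the files under `$RUNNER_TEMP` with `umask 077` avoids both. Separately, `name: deploy-helm` and `description: "Helm deploy"` look copied from the deploy action, and `type:` is not a key that action inputs define. The sketch below adds a required input, so the caller in reusable.build-deploy.yml would have to pass it.

```yaml
inputs:
  # … unchanged: bastion_user, bastion_ssh_key …
  bastion_known_hosts:
    description: known_hosts line(s) for the bastion, recorded out of band
    required: true

runs:
  using: "composite"
  steps:
    - shell: bash
      env:
        BASTION_USER: ${{ inputs.bastion_user }}
        BASTION_SSH_KEY: ${{ inputs.bastion_ssh_key }}
        BASTION_KNOWN_HOSTS: ${{ inputs.bastion_known_hosts }}
      run: |
        set -euo pipefail
        umask 077
        ssh_dir="$RUNNER_TEMP/bastion-ssh"
        mkdir -p "$ssh_dir"
        printf '%s' "$BASTION_SSH_KEY" | base64 -d > "$ssh_dir/github_bastion"
        printf '%s\n' "$BASTION_KNOWN_HOSTS" > "$ssh_dir/known_hosts"
        ssh -i "$ssh_dir/github_bastion" \
          -o UserKnownHostsFile="$ssh_dir/known_hosts" \
          -o StrictHostKeyChecking=yes \
          -o ExitOnForwardFailure=yes \
          -D 1080 -f -q -N "$BASTION_USER"
```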
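Review bot: Both new secrets are declared `required: true`, so any workflow that calls this reusable workflow without passing them will be rejected. Only scicat-search-api.yml is updated in the part of the diff visible here, so the remaining callers should be checked before this merges. The `BASTION_SSH_KEY` description should also say that the value must be base64-encoded, since the action pipes it through `base64 -d`, e.g. `description: base64-encoded private ssh key for the bastion`.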
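Review bot: The new step is pinned to the feature branch `@bastion_ssh`, a mutable ref that will typically disappear once the branch is merged, and the action it loads receives the bastion private key. Point it at the same ref as the neighbouring deploy-helm step or, better, at a full commit SHA: `uses: paulscherrerinstitute/scicat-ci/.github/actions/open-ssh-tunnel@<full-commit-sha>`. Nothing in the hunk shows the helm step being told to use the SOCKS listener on port 1080, so it is worth confirming that this is configured elsewhere (presumably in the kubeconfig). The job body starts and ends outside the hunk.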
@@ -57,3 +57,5 @@ jobs: COMPONENT_CONFIG=helm/configs/search-api/component-config.json secrets: KUBECONFIG: ${{ secrets.KUBECONFIG }} + BASTION_USER: ${{ secrets.BASTION_USER }} + BASTION_SSH_KEY: ${{ secrets.BASTION_SSH_KEY }}