diff --git a/pipelines/gitea/setup.sh b/pipelines/gitea/setup.sh
index 7c07229..ce8f744 100755
--- a/pipelines/gitea/setup.sh
+++ b/pipelines/gitea/setup.sh
@@ -184,13 +184,19 @@ print(data.get('client_secret', '')) " 2>/dev/null || echo "") if [ -z "$OAUTH2_CLIENT_SECRET" ]; then - echo " ⚠ Client secret not available for existing app — recreating..." - APP_ID=$(echo "$EXISTING_APP" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])") - curl -s -X DELETE \ - -H "${AUTH_HEADER}" \ - "${API}/user/applications/oauth2/${APP_ID}" > /dev/null - echo " Deleted existing OAuth2 app (id=${APP_ID})" - EXISTING_APP="" + echo " ✓ OAuth2 app exists, secret stored in Woodpecker DB (not recreating)" + # Write client_id only — secret is only available on first creation + cat > "${OAUTH2_ENV_FILE}" </dev/null | grep -c woodpecker || true) + +if [ "${WOODPECKER_EXISTS:-0}" -gt 0 ]; then + # Upgrade — don't touch OAuth2 credentials, Woodpecker DB already has them + echo " Woodpecker already installed — upgrading (preserving OAuth2 grants)..." + helm upgrade woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ + --namespace woodpecker \ + --values woodpecker/values.yaml \ + --wait --timeout 5m +else + # Fresh install — need fresh OAuth2 credentials from Gitea + echo " Fresh Woodpecker install — creating fresh OAuth2 app..." + # Delete any existing OAuth2 app in Gitea (stale from previous install) + GITEA_AUTH="Authorization: Basic $(echo -n 'admin:St0nks0racl3!' 
| base64)"
+ GITEA_API="http://10.1.1.12:30300/api/v1"
+ EXISTING_APP_ID=$(curl -s -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2" | python3 -c '
+import sys, json
+for app in json.loads(sys.stdin.read()):
+ if app.get("name") == "woodpecker-ci":
+ print(app["id"])
+ break
+' 2>/dev/null || echo "")
+ if [ -n "$EXISTING_APP_ID" ]; then
+ curl -s -X DELETE -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2/$EXISTING_APP_ID" > /dev/null
+ echo " Deleted stale OAuth2 app (id=$EXISTING_APP_ID)"
+ fi
+ # Create fresh OAuth2 app
+ OAUTH2_RESP=$(curl -s -X POST "$GITEA_API/user/applications/oauth2" \
+ -H "$GITEA_AUTH" -H "Content-Type: application/json" \
+ -d '{"name":"woodpecker-ci","redirect_uris":["https://stonks-ci.celestium.life/authorize"],"confidential_client":true}')
+ GITEA_CLIENT_ID=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])")
+ GITEA_CLIENT_SECRET=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])")
+ echo " ✓ OAuth2 app created (client_id: $GITEA_CLIENT_ID)"
+ helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
+ --namespace woodpecker \
+ --values woodpecker/values.yaml \
+ --set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \
+ --set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \
+ --wait --timeout 5m
+fi
 echo " ✓ Woodpecker CI installed"
 echo ""
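Review bot: The Gitea admin credential is hardcoded in the fresh-install branch, `GITEA_AUTH="Authorization: Basic $(echo -n 'admin:St0nks0racl3!' | base64)"`, so the password is committed to the repository, sent as a Basic header over plain HTTP to `http://10.1.1.12:30300`, and exposed to any local user through `ps` as a curl argument (and in the trace if `set -x` is ever enabled). Read it from the environment and fail closed when absent: `: "${GITEA_ADMIN_PASSWORD:?GITEA_ADMIN_PASSWORD must be set}"` followed by `GITEA_AUTH="Authorization: Basic $(printf '%s:%s' "${GITEA_ADMIN_USER:-admin}" "$GITEA_ADMIN_PASSWORD" | base64)"`, and rotate the password since it is already in history. The same argv exposure applies to `--set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}"`, which also lands in plaintext in the rendered release values; a values file or a pre-created Secret would be preferable if the chart supports it. This hunk appears truncated by extraction (a heredoc and a file header are missing before `WOODPECKER_EXISTS`), so the start of this section is not visible here.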
@@ -90,12 +124,15 @@ echo ""
 # 6. Install ArgoCD via Helm
 # -------------------------------------------------------
 echo "--- Step 6: Installing ArgoCD ---"
-# Clean up leftover ArgoCD CRDs from previous installs (they have resource-policy: keep)
-kubectl delete crd applications.argoproj.io applicationsets.argoproj.io appprojects.argoproj.io \
- --ignore-not-found > /dev/null 2>&1 || true
-kubectl delete sa --all -n argocd --ignore-not-found > /dev/null 2>&1 || true
-kubectl delete role --all -n argocd --ignore-not-found > /dev/null 2>&1 || true
-kubectl delete rolebinding --all -n argocd --ignore-not-found > /dev/null 2>&1 || true
+ARGOCD_EXISTS=$(helm list -n argocd -q 2>/dev/null | grep -c argocd || true)
+if [ "${ARGOCD_EXISTS:-0}" -eq 0 ]; then
+ # Fresh install — clean up leftover CRDs and SAs
+ kubectl delete crd applications.argoproj.io applicationsets.argoproj.io appprojects.argoproj.io \
+ --ignore-not-found --timeout=30s > /dev/null 2>&1 || true
+ kubectl delete sa --all -n argocd --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
+ kubectl delete role --all -n argocd --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
+ kubectl delete rolebinding --all -n argocd --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
+fi
 helm repo add argo https://argoproj.github.io/argo-helm || true
 helm repo update
 helm upgrade --install argocd argo/argo-cd \
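Review bot: The fresh-install check `ARGOCD_EXISTS=$(helm list -n argocd -q 2>/dev/null | grep -c argocd || true)` fails open: when `helm list` itself errors (no kubeconfig, wrong context, helm absent) its stderr is discarded and the count is 0, so the script takes the destructive branch and deletes the `applications.argoproj.io` CRDs — which cascades to every Application object in the cluster — before Helm even runs. The substring match is also loose: any release whose name merely contains `argocd` (e.g. `argocd-apps`) counts as the existing install and skips cleanup. Capture the list first and match the whole name: `RELEASES=$(helm list -n argocd -q) || { echo "helm list failed; refusing CRD cleanup" >&2; exit 1; }` then `ARGOCD_EXISTS=$(grep -cx argocd <<<"$RELEASES" || true)`. The same detection pattern is repeated in the Kargo step and needs the same treatment.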
@@ -116,19 +153,32 @@ echo ""
 # 7. Install Kargo via Helm
 # -------------------------------------------------------
 echo "--- Step 7: Installing Kargo ---"
-# Clean up leftover Kargo CRDs from previous installs (they have resource-policy: keep)
-kubectl delete crd freights.kargo.akuity.io projects.kargo.akuity.io stages.kargo.akuity.io \
- warehouses.kargo.akuity.io promotions.kargo.akuity.io promotiontasks.kargo.akuity.io \
- clusterpromotiontasks.kargo.akuity.io projectconfigs.kargo.akuity.io \
- clusterconfigs.kargo.akuity.io --ignore-not-found > /dev/null 2>&1 || true
-# Also clean up any leftover SAs/roles from previous installs that block Helm
-kubectl delete sa --all -n kargo --ignore-not-found > /dev/null 2>&1 || true
-kubectl delete role --all -n kargo --ignore-not-found > /dev/null 2>&1 || true
-kubectl delete rolebinding --all -n kargo --ignore-not-found > /dev/null 2>&1 || true
+KARGO_EXISTS=$(helm list -n kargo -q 2>/dev/null | grep -c kargo || true)
+if [ "${KARGO_EXISTS:-0}" -eq 0 ]; then
+ # Fresh install — clean up leftover CRDs and SAs from previous installs
+ kubectl delete crd freights.kargo.akuity.io projects.kargo.akuity.io stages.kargo.akuity.io \
+ warehouses.kargo.akuity.io promotions.kargo.akuity.io promotiontasks.kargo.akuity.io \
+ clusterpromotiontasks.kargo.akuity.io projectconfigs.kargo.akuity.io \
+ clusterconfigs.kargo.akuity.io --ignore-not-found --timeout=30s > /dev/null 2>&1 || true
+ kubectl delete sa --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
+ kubectl delete role --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
+ kubectl delete rolebinding --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
+fi
 helm upgrade --install kargo oci://ghcr.io/akuity/kargo-charts/kargo \
 --namespace kargo \
 --values kargo/values.yaml \
- --wait --timeout 5m
+ --timeout 5m || true
+# Kargo chart bug: controller deployment references SA 'kargo-controller' but chart doesn't
create it +kubectl create serviceaccount kargo-controller -n kargo 2>/dev/null || true +# Wait for controller to stabilize +echo " Waiting for kargo-controller..." +for i in $(seq 1 24); do + if kubectl get pods -n kargo -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].status.containerStatuses[0].ready}' 2>/dev/null | grep -q true; then + break + fi + kubectl delete pod -n kargo -l app.kubernetes.io/component=controller --field-selector=status.phase=Failed --ignore-not-found > /dev/null 2>&1 || true + sleep 5 +done echo " ✓ Kargo installed" # Apply Kargo resources diff --git a/pipelines/woodpecker/values.yaml b/pipelines/woodpecker/values.yaml index baab39d..90eb52d 100644 --- a/pipelines/woodpecker/values.yaml +++ b/pipelines/woodpecker/values.yaml @@ -6,8 +6,7 @@ server: enabled: true - podAnnotations: - celestium.life/inject-ca: "true" + # No proxy CA injection — server talks to Gitea internally, proxy would intercept env: WOODPECKER_HOST: "https://stonks-ci.celestium.life"
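Review bot: The Kargo step can no longer fail: `--timeout 5m || true` swallows any Helm error, the 24-iteration readiness loop has no failure branch, and `echo " ✓ Kargo installed"` runs unconditionally, so a broken or half-installed controller is reported as success and the script proceeds to apply Kargo resources against it. Add a post-loop check such as `kubectl get pods -n kargo -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].status.containerStatuses[0].ready}' 2>/dev/null | grep -q true || { echo "kargo-controller not ready after 120s" >&2; exit 1; }` and log the Helm exit status instead of discarding it. The hand-created `kargo-controller` ServiceAccount only carries permissions if the chart's RoleBindings name that exact account, which the comment should state was verified, since a controller with missing RBAC could plausibly present here as perpetually "not ready". Deleting Failed pods inside the loop also discards crash evidence; capture `kubectl logs` for them before the delete.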