diff --git a/pipelines/runmefirst.sh b/pipelines/runmefirst.sh
index 5d9231e..ba437ff 100755
--- a/pipelines/runmefirst.sh
+++ b/pipelines/runmefirst.sh
@@ -140,39 +140,48 @@ echo "--- Step 5: Installing Woodpecker CI ---" WOODPECKER_EXISTS=$(helm list -n woodpecker -q 2>/dev/null | grep -c woodpecker || true) if [ "${WOODPECKER_EXISTS:-0}" -gt 0 ]; then - echo " Woodpecker already installed — upgrading (preserving OAuth2 grants)..." + echo " Woodpecker already installed — upgrading..." helm upgrade woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ --namespace woodpecker \ --values woodpecker/values.yaml \ --timeout 5m else echo " Fresh Woodpecker install..." - # Delete stale OAuth2 app in Gitea (if any) - EXISTING_APP_ID=$(curl -s -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2" | python3 -c ' + # Delete stale OAuth2 app in Gitea (if any) and create fresh one + # only if the values.yaml still has placeholders + CURRENT_CLIENT=$(grep WOODPECKER_GITEA_CLIENT woodpecker/values.yaml | head -1 | awk -F'"' '{print $2}') + if [ "$CURRENT_CLIENT" = "" ] || [ -z "$CURRENT_CLIENT" ]; then + EXISTING_APP_ID=$(curl -s -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2" | python3 -c ' import sys, json for app in json.loads(sys.stdin.read()): if app.get("name") == "woodpecker-ci": print(app["id"]) break ' 2>/dev/null || echo "") - if [ -n "$EXISTING_APP_ID" ]; then - curl -s -X DELETE -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2/$EXISTING_APP_ID" > /dev/null - echo " Deleted stale OAuth2 app (id=$EXISTING_APP_ID)" - fi - # Create fresh OAuth2 app - OAUTH2_RESP=$(curl -s -X POST "$GITEA_API/user/applications/oauth2" \ - -H "$GITEA_AUTH" -H "Content-Type: application/json" \ - -d '{"name":"woodpecker-ci","redirect_uris":["https://stonks-ci.celestium.life/authorize"],"confidential_client":true}') - GITEA_CLIENT_ID=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])") - GITEA_CLIENT_SECRET=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])") - echo " ✓ OAuth2 app created (client_id: $GITEA_CLIENT_ID)" + if [ -n 
"$EXISTING_APP_ID" ]; then + curl -s -X DELETE -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2/$EXISTING_APP_ID" > /dev/null + echo " Deleted stale OAuth2 app (id=$EXISTING_APP_ID)" + fi + OAUTH2_RESP=$(curl -s -X POST "$GITEA_API/user/applications/oauth2" \ + -H "$GITEA_AUTH" -H "Content-Type: application/json" \ + -d '{"name":"woodpecker-ci","redirect_uris":["https://stonks-ci.celestium.life/authorize"],"confidential_client":true}') + GITEA_CLIENT_ID=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])") + GITEA_CLIENT_SECRET=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])") + echo " ✓ OAuth2 app created (client_id: $GITEA_CLIENT_ID)" - helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ - --namespace woodpecker \ - --values woodpecker/values.yaml \ - --set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \ - --set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \ - --timeout 5m + helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ + --namespace woodpecker \ + --values woodpecker/values.yaml \ + --set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \ + --set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \ + --timeout 5m + else + echo " ✓ OAuth2 creds baked into values.yaml — using those" + helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ + --namespace woodpecker \ + --values woodpecker/values.yaml \ + --timeout 5m + fi fi # Wait for server to be ready (don't use --wait, agents may take longer) diff --git a/pipelines/woodpecker/values.yaml b/pipelines/woodpecker/values.yaml index ed4fcdb..6098ae5 100644 --- a/pipelines/woodpecker/values.yaml +++ b/pipelines/woodpecker/values.yaml 
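Review bot: The new `CURRENT_CLIENT` gate decides whether to create the Gitea OAuth2 app purely from what is written in the tracked `woodpecker/values.yaml`, so the `else` branch installs Woodpecker with the committed client id and secret without checking that Gitea actually holds a matching `woodpecker-ci` application; on a freshly bootstrapped Gitea that would presumably leave login broken. The branch also only works when the OAuth2 secret lives in a version-controlled file; gating on an existing Kubernetes Secret or on environment variables would remove that dependency. The test is duplicated, since `[ "$CURRENT_CLIENT" = "" ]` and `[ -z "$CURRENT_CLIENT" ]` are the same check, so `if [ -z "$CURRENT_CLIENT" ]; then` is enough. In the create path, `OAUTH2_RESP` is parsed without confirming the POST succeeded, so a failed request surfaces only as a Python traceback or an empty `--set` value, and the client secret passed through `--set` ends up on the helm command line.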
@@ -14,8 +14,9 @@ server: WOODPECKER_GRPC_ADDR: "0.0.0.0:9000" WOODPECKER_GITEA: "true" WOODPECKER_GITEA_URL: "http://gitea-service.git-server.svc.cluster.local:3000" - WOODPECKER_GITEA_CLIENT: "" - WOODPECKER_GITEA_SECRET: "" + WOODPECKER_GITEA_CLIENT: "8fb7fc0f-98f6-42b5-b066-6cc4d745de4f" + WOODPECKER_GITEA_SECRET: "gto_izanujbxlcxzc23znan56m3uie6s4ta2lgvro2yhgmuwvw3vutkq" + WOODPECKER_AGENT_SECRET: "01eede973f522dbea9c1f09afc020ed0934a6f946d5832be5fecacb0da04ce23" WOODPECKER_ADMIN: "admin" WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx" @@ -55,6 +56,7 @@ agent: env: WOODPECKER_SERVER: "woodpecker-server:9000" + WOODPECKER_AGENT_SECRET: "01eede973f522dbea9c1f09afc020ed0934a6f946d5832be5fecacb0da04ce23" WOODPECKER_BACKEND: kubernetes WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5Gi
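Review bot: The added `WOODPECKER_GITEA_CLIENT`, `WOODPECKER_GITEA_SECRET` and `WOODPECKER_AGENT_SECRET` values under `server.env` look like live credentials committed in plaintext to a tracked values file, and the same agent secret is repeated in the `agent.env` hunk that follows. The agent secret is what authenticates agents to the server and the OAuth2 secret is what authenticates Woodpecker to Gitea, so anyone with read access to the repository or its history holds both; they should be treated as exposed and rotated, since a later commit will not remove them from history. Keep the keys empty here, e.g. `WOODPECKER_GITEA_SECRET: ""`, and supply the values from a Kubernetes Secret created out of band. The Woodpecker chart's `extraSecretNamesForEnvFrom` list appears intended for this, to be confirmed against the chart version in use.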