diff --git a/pipelines/runmefirst.sh b/pipelines/runmefirst.sh
index 70ccf73..07d8453 100755
--- a/pipelines/runmefirst.sh
+++ b/pipelines/runmefirst.sh
@@ -88,7 +88,7 @@ if [ "${WOODPECKER_EXISTS:-0}" -gt 0 ]; then
 helm upgrade woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
 --namespace woodpecker \
 --values woodpecker/values.yaml \
- --wait --timeout 5m
+ --timeout 5m
 else
 echo " Fresh Woodpecker install..."
 # Delete stale OAuth2 app in Gitea (if any)
@@ -116,9 +116,15 @@ for app in json.loads(sys.stdin.read()):
 --values woodpecker/values.yaml \
 --set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \
 --set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \
- --wait --timeout 5m
+ --timeout 5m
 fi

+# Wait for server to be ready (don't use --wait, agents may take longer)
+echo " Waiting for Woodpecker server..."
+kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=server -n woodpecker --timeout=120s > /dev/null 2>&1 || true
+echo " Waiting for Woodpecker agents..."
+kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=agent -n woodpecker --timeout=120s > /dev/null 2>&1 || true
+
 # Apply agent RBAC (grants cluster-admin to default + woodpecker-agent SAs)
 kubectl apply -f woodpecker/agent-rbac.yaml
 echo " ✓ Woodpecker CI installed + RBAC applied"
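Review bot: Both added `kubectl wait` calls in the `@@ -116,9 +116,15 @@` hunk discard their output and exit status (`> /dev/null 2>&1 || true`), so a server or agent that never becomes ready looks the same as success, and the script still applies the RBAC manifest and prints the ✓ line. Because `--wait` was also dropped from both `helm upgrade` calls (this hunk and `@@ -88,7 +88,7 @@`), the pods may not exist yet when the selector is evaluated, in which case `kubectl wait` is likely to return at once with a no-matching-resources error that is silently swallowed. Keep stderr and report the timeout, e.g. `kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=server -n woodpecker --timeout=120s > /dev/null || echo "  ! Woodpecker server not ready after 120s" >&2`, and do the same for the agent line. Separately, the context comment says agent-rbac.yaml grants cluster-admin to the default and woodpecker-agent service accounts; this commit does not change that, but it is worth narrowing, since CI pipeline pods typically run repository-controlled steps.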
@@ -199,12 +205,24 @@ if [ "${KARGO_EXISTS:-0}" -eq 0 ]; then
 kubectl delete role --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
 kubectl delete rolebinding --all -n kargo --ignore-not-found --timeout=10s > /dev/null 2>&1 || true
 fi
+# Kargo chart bug: controller deployment references SA 'kargo-controller' but chart doesn't create it
+# Pre-create with Helm labels so it doesn't conflict with the chart
+kubectl apply -f - <<'SAEOF'
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kargo-controller
+ namespace: kargo
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ meta.helm.sh/release-name: kargo
+ meta.helm.sh/release-namespace: kargo
+SAEOF
 helm upgrade --install kargo oci://ghcr.io/akuity/kargo-charts/kargo \
 --namespace kargo \
 --values kargo/values.yaml \
 --timeout 5m || true
-# Kargo chart bug: controller deployment references SA 'kargo-controller' but chart doesn't create it
-kubectl create serviceaccount kargo-controller -n kargo 2>/dev/null || true
 echo " Waiting for kargo-controller..."
 for i in $(seq 1 24); do
 if kubectl get pods -n kargo -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].status.containerStatuses[0].ready}' 2>/dev/null | grep -q true; then
diff --git a/pipelines/woodpecker/values.yaml b/pipelines/woodpecker/values.yaml
index 8f49f5d..ed4fcdb 100644
--- a/pipelines/woodpecker/values.yaml
+++ b/pipelines/woodpecker/values.yaml
@@ -60,5 +60,5 @@ agent:
 WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5Gi
 WOODPECKER_BACKEND_K8S_STORAGE_RWX: "false"
 WOODPECKER_BACKEND_K8S_STORAGE_CLASS: local-path
- WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: "celestium.life/inject-ca:true"
+ WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"celestium.life/inject-ca":"true"}'
 WOODPECKER_MAX_WORKFLOWS: "16"
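Review bot: The new comment above the `kubectl apply -f - <<'SAEOF'` block in the `@@ -199,12 +205,24 @@` hunk of pipelines/runmefirst.sh does not say that the label and both annotations must match the release installed by the `helm upgrade --install kargo --namespace kargo` call that follows. That match is what lets Helm accept a pre-existing object. I would extend it to something like `# managed-by label + release-name/release-namespace annotations must match the helm release below (kargo in ns kargo), or Helm rejects the existing SA if the chart ever starts rendering it`. The apply also has no error handling, whereas the removed `kubectl create serviceaccount` line ended in `2>/dev/null || true`. Whether a failure here aborts the script depends on shell options set outside the hunk, so the intent should be made explicit. The `helm upgrade --install ... || true` context line hides install failures, and the `for` wait loop continues past the end of the hunk.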