diff --git a/.forgejo/workflows/argocd-diff-preview.yaml b/.forgejo/workflows/argocd-diff-preview.yaml
deleted file mode 100644
index 36c6e8a..0000000
--- a/.forgejo/workflows/argocd-diff-preview.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
----
-name: ArgoCD Diff
-on:
- workflow_dispatch:
- workflow_call:
- pull_request:
- branches:
- - main
-
-jobs:
- argocd-diff-preview:
- runs-on: docker
- container:
- options: --volume /var/run/docker.sock:/var/run/docker.sock
- env:
- PR_NUMBER: ${{ forge.event.pull_request.number }}
- GITHUB_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
- steps:
- - uses: https://github.com/actions/checkout@v6
- with:
- path: pull-request
-
- - uses: https://github.com/actions/checkout@v6
- with:
- ref: main
- path: main
-
- - name: Install Docker CLI
- run: |
- if command -v apt-get &>/dev/null; then
- apt-get update -qq && apt-get install -y --no-install-recommends docker.io
- elif command -v apk &>/dev/null; then
- apk add --no-cache docker-cli
- fi
-
- - name: Generate Diff
- run: |
- CONTAINER_ID=$(docker inspect --format='{{.Id}}' "$HOSTNAME")
- docker cp "$CONTAINER_ID:$(pwd)/main" /tmp/argocd-main
- docker cp "$CONTAINER_ID:$(pwd)/pull-request" /tmp/argocd-pr
- mkdir -p output
- docker run --rm \
- --network=host \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v /tmp/argocd-main:/base-branch \
- -v /tmp/argocd-pr:/target-branch \
- -v /tmp/argocd-output:/output \
- -e TARGET_BRANCH=refs/pull/$PR_NUMBER/merge \
- -e REPO=${{ forge.repository }} \
- dagandersen/argocd-diff-preview:v0.2.8
-
- - name: Add comment
- id: comment
- run: |
- DIFF_BODY=$(cat output/diff.md)
- payload="{\"body\": $DIFF_BODY}"
-
- existing_comment=$(curl -s \
- -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
- "${{ forge.api_url }}/repos/${{ forge.repository }}/issues/$PR_NUMBER/comments")
- comment_id=$(echo "$existing_comment" | jq -r \
- '.[] | select(.body | test("${{ forge.workflow }}")) | .id' | head -n 1)
-
-
- if [ -n "${comment_id}" ] && [ "${comment_id}" != "null" ]; then
- echo "Found comment with id ${comment_id}, updating..."
&& \
- curl -s -X PATCH \
- -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
- -H "Content-Type: application/json" \
- "${{ forge.api_url }}/repos/${{ forge.repository }}/issues/comments/${comment_id}" \
- -d "$payload"
- else
- echo "Creating new comment..." && \
- curl -s -X POST \
- -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
- -H "Content-Type: application/json" \
- "${{ forge.api_url }}/repos/${{ forge.repository }}/issues/$PR_NUMBER/comments" \
- -d "$payload"
- fi
diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
index d1c1655..deb3575 100644
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@@ -266,3 +266,77 @@ server:
 - groups
 rbac:
 enabled: true
+
+# -- Array of extra K8s manifests to deploy
+extraObjects:
+ - apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: admin-user
+ namespace: argo-workflows
+ annotations:
+ workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
+ workflows.argoproj.io/rbac-rule-precedence: "1"
+ - apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: read-only
+ namespace: argo-workflows
+ annotations:
+ workflows.argoproj.io/rbac-rule: "true"
+ workflows.argoproj.io/rbac-rule-precedence: "0"
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: argo-workflows-admin-user
+ subjects:
+ - kind: ServiceAccount
+ name: admin-user
+ namespace: argo-workflows
+ roleRef:
+ kind: ClusterRole
+ name: argo-workflows-admin
+ apiGroup: rbac.authorization.k8s.io
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: argo-workflows-read-only
+ subjects:
+ - kind: ServiceAccount
+ name: read-only
+ namespace: argo-workflows
+ roleRef:
+ kind: ClusterRole
+ name: argo-workflows-view
+ apiGroup: rbac.authorization.k8s.io
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: argo-workflows-server-sso
+ namespace: argo-workflows
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: argo-workflows-server-sso
+ namespace: argo-workflows
+ subjects:
+ - kind: ServiceAccount
+ name: argo-workflows-server
+ namespace: argo-workflows
+ roleRef:
+ kind: Role
+ name: argo-workflows-server-sso
+ apiGroup: rbac.authorization.k8s.io
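Review bot: Neither rule in the `argo-workflows-server-sso` Role is limited by `resourceNames`, so as written the `argo-workflows-server` account can `get` and request a token for any ServiceAccount in the `argo-workflows` namespace, not only the two SSO accounts defined in this hunk. Adding `resourceNames: ["admin-user", "read-only"]` to both the `serviceaccounts` rule and the `serviceaccounts/token` rule would keep the server limited to the accounts it is meant to act as. Separately, the `read-only` account's `rbac-rule: "true"` at precedence `"0"` matches every user who completes SSO login, and its ClusterRoleBinding to `argo-workflows-view` applies cluster-wide. If only certain groups or namespaces should see workflows, a group expression like the one on `admin-user` plus namespaced RoleBindings would be tighter. If the catch-all is intended, a comment above `extraObjects` saying so would help the next reader.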