diff --git a/.forgejo/workflows/argocd-diff-preview.yaml b/.forgejo/workflows/argocd-diff-preview.yaml
new file mode 100644
index 0000000..36c6e8a
--- /dev/null
+++ b/.forgejo/workflows/argocd-diff-preview.yaml
@@ -0,0 +1,79 @@
+---
+name: ArgoCD Diff
+on:
+ workflow_dispatch:
+ workflow_call:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ argocd-diff-preview:
+ runs-on: docker
+ container:
+ options: --volume /var/run/docker.sock:/var/run/docker.sock
+ env:
+ PR_NUMBER: ${{ forge.event.pull_request.number }}
+ GITHUB_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
+ steps:
+ - uses: https://github.com/actions/checkout@v6
+ with:
+ path: pull-request
+
+ - uses: https://github.com/actions/checkout@v6
+ with:
+ ref: main
+ path: main
+
+ - name: Install Docker CLI
+ run: |
+ if command -v apt-get &>/dev/null; then
+ apt-get update -qq && apt-get install -y --no-install-recommends docker.io
+ elif command -v apk &>/dev/null; then
+ apk add --no-cache docker-cli
+ fi
+
+ - name: Generate Diff
+ run: |
+ CONTAINER_ID=$(docker inspect --format='{{.Id}}' "$HOSTNAME")
+ docker cp "$CONTAINER_ID:$(pwd)/main" /tmp/argocd-main
+ docker cp "$CONTAINER_ID:$(pwd)/pull-request" /tmp/argocd-pr
+ mkdir -p output
+ docker run --rm \
+ --network=host \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /tmp/argocd-main:/base-branch \
+ -v /tmp/argocd-pr:/target-branch \
+ -v /tmp/argocd-output:/output \
+ -e TARGET_BRANCH=refs/pull/$PR_NUMBER/merge \
+ -e REPO=${{ forge.repository }} \
+ dagandersen/argocd-diff-preview:v0.2.8
+
+ - name: Add comment
+ id: comment
+ run: |
+ DIFF_BODY=$(cat output/diff.md)
+ payload="{\"body\": $DIFF_BODY}"
+
+ existing_comment=$(curl -s \
+ -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
+ "${{ forge.api_url }}/repos/${{ forge.repository }}/issues/$PR_NUMBER/comments")
+ comment_id=$(echo "$existing_comment" | jq -r \
+ '.[] | select(.body | test("${{ forge.workflow }}")) | .id' | head -n 1)
+
+
+ if [ -n "${comment_id}" ] && [ "${comment_id}" != "null" ]; then
+ echo "Found comment with id ${comment_id}, updating..." && \
+ curl -s -X PATCH \
+ -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
+ -H "Content-Type: application/json" \
+ "${{ forge.api_url }}/repos/${{ forge.repository }}/issues/comments/${comment_id}" \
+ -d "$payload"
+ else
+ echo "Creating new comment..." && \
+ curl -s -X POST \
+ -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
+ -H "Content-Type: application/json" \
+ "${{ forge.api_url }}/repos/${{ forge.repository }}/issues/$PR_NUMBER/comments" \
+ -d "$payload"
+ fi
diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
index deb3575..d1c1655 100644
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
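Review bot: The job container (`container.options`) and the nested `docker run` in "Generate Diff" both receive the host's `/var/run/docker.sock`, and the nested container also runs with `--network=host`, so anything executing in this job has root-equivalent control of the runner host while it processes the checked-out pull-request tree. Because the workflow triggers on every `pull_request` against `main`, I would run it only on a dedicated, disposable runner and, if the forge accepts PRs from outside the team, gate it to trusted authors; the job-level `GITHUB_TOKEN` is not read by name on any visible line, so it can move to the "Add comment" step alone. Pinning `actions/checkout@v6` and `dagandersen/argocd-diff-preview:v0.2.8` to a commit SHA and an image digest would keep a moved tag from changing what runs next to that socket. Separately, in "Add comment" `payload="{\"body\": $DIFF_BODY}"` splices raw markdown into the JSON unquoted, which is not valid JSON unless `diff.md` already holds a JSON string; `jq` is already used in that step, so `payload=$(jq -Rs '{body: .}' output/diff.md)` encodes it, and the inline `${{ secrets.FORGEJO_TOKEN }}` can be read from a step-level env variable so the secret is not templated into the script text.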
@@ -266,77 +266,3 @@ server:
 - groups
 rbac:
 enabled: true
-
-# -- Array of extra K8s manifests to deploy
-extraObjects:
- - apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: admin-user
- namespace: argo-workflows
- annotations:
- workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
- workflows.argoproj.io/rbac-rule-precedence: "1"
- - apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: read-only
- namespace: argo-workflows
- annotations:
- workflows.argoproj.io/rbac-rule: "true"
- workflows.argoproj.io/rbac-rule-precedence: "0"
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: argo-workflows-admin-user
- subjects:
- - kind: ServiceAccount
- name: admin-user
- namespace: argo-workflows
- roleRef:
- kind: ClusterRole
- name: argo-workflows-admin
- apiGroup: rbac.authorization.k8s.io
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: argo-workflows-read-only
- subjects:
- - kind: ServiceAccount
- name: read-only
- namespace: argo-workflows
- roleRef:
- kind: ClusterRole
- name: argo-workflows-view
- apiGroup: rbac.authorization.k8s.io
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- name: argo-workflows-server-sso
- namespace: argo-workflows
- rules:
- - apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - serviceaccounts/token
- verbs:
- - create
- - apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: argo-workflows-server-sso
- namespace: argo-workflows
- subjects:
- - kind: ServiceAccount
- name: argo-workflows-server
- namespace: argo-workflows
- roleRef:
- kind: Role
- name: argo-workflows-server-sso
- apiGroup: rbac.authorization.k8s.io