diff --git a/rire/factory.c-one-infra.de/stacks/core/argocd/manifests/argocd-forgejo-access-token.yaml b/rire/factory.c-one-infra.de/stacks/core/argocd/manifests/argocd-forgejo-access-token.yaml
new file mode 100644
index 0000000..8003a1f
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/core/argocd/manifests/argocd-forgejo-access-token.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: forgejo-access-token
+ namespace: argocd
+spec:
+ secretStoreRef:
+ name: gitea
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: forgejo-access-token
+ template:
+ engineVersion: v2
+ data:
+ forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+ forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argocd
+ data:
+ - secretKey: FORGEJO_ACCESS_USERNAME
+ remoteRef:
+ key: forgejo-access-token
+ property: username
+ - secretKey: FORGEJO_ACCESS_TOKEN
+ remoteRef:
+ key: forgejo-access-token
+ property: token
diff --git a/rire/factory.c-one-infra.de/stacks/core/argocd/manifests/argocd-sso-config.yaml b/rire/factory.c-one-infra.de/stacks/core/argocd/manifests/argocd-sso-config.yaml
new file mode 100644
index 0000000..8402810
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/core/argocd/manifests/argocd-sso-config.yaml
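Review bot: `refreshInterval: "0"` tells external-secrets to fetch `forgejo-access-token` once at creation and never poll again, so a token rotated in the `gitea` ClusterSecretStore will not reach the generated Secret, and the Job that consumes it keeps using the stale value until the ExternalSecret is re-synced; forgejo-access-token.yaml and forgejo-secret.yaml in this commit use the same setting. If that is deliberate, say so next to the field, e.g. `refreshInterval: "0"  # fetch once at creation; rotation in the store requires a forced re-sync`. The three ExternalSecret files also lack the leading `---` that the two Job manifests in this commit start with; pick one convention.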
@@ -0,0 +1,54 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: argocd-config
+ namespace: argocd
+spec:
+ template:
+ metadata:
+ generateName: argocd-config-
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: push
+ image: docker.io/library/ubuntu:22.04
+ env:
+ - name: FORGEJO_USER
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_username
+ - name: FORGEJO_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_token
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ #! /bin/bash
+
+ apt -qq update
+ apt -qq install git wget -y
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+ install yq_linux_amd64 /usr/local/bin/yq
+ rm yq_linux_amd64
+ else
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+ install yq_linux_arm64 /usr/local/bin/yq
+ rm yq_linux_arm64
+ fi
+
+ git config --global user.email "bot@bots.de"
+ git config --global user.name "bot"
+
+ git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea.factory.c-one-infra.de/giteaAdmin/edfbuilder.git
+ cd edfbuilder
+ yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://factory.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
+
+ git add stacks/core/argocd/values.yaml
+ git commit -m "adds Forgejo SSO config"
+ git push
+ backoffLimit: 99
\ No newline at end of file
diff --git a/rire/factory.c-one-infra.de/stacks/core/forgejo.yaml b/rire/factory.c-one-infra.de/stacks/core/forgejo.yaml
index 2afe4bd..5be8df2 100644
--- a/rire/factory.c-one-infra.de/stacks/core/forgejo.yaml
+++ b/rire/factory.c-one-infra.de/stacks/core/forgejo.yaml
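Review bot: The yq binary is fetched from GitHub and installed into `/usr/local/bin` with no integrity check, and the script never sets `set -euo pipefail`, so a failed or tampered download is installed anyway; because `bash -c` returns only the exit status of the final `git push`, a run in which `yq` was missing and nothing was committed can still end with the Job marked successful. The same script, with the same gaps, is duplicated in forgejo-sso-config.yaml. Pin the expected SHA-256 of each release asset next to the version and verify it before `install`, and fail fast on any error so the retries allowed by `backoffLimit` are actually used; the rewritten lines are below, with the checksums left as placeholders. Separately, the injected `oidc.config` references `$auth-generic-oauth-secret:client_secret`, but the only `auth-generic-oauth-secret` this commit creates lives in the `gitea` namespace with keys `key` and `secret`, so unless a matching Secret already exists in `argocd` the Argo CD side will not resolve it.
```yaml
          args:
            - |
              #! /bin/bash
              set -euo pipefail

              apt -qq update
              apt -qq install git wget -y
              if [[ "$(uname -m)" == "x86_64" ]]; then
                YQ_ASSET=yq_linux_amd64
                YQ_SHA256="<sha256 of yq_linux_amd64 from the v4.44.3 release checksums>"
              else
                YQ_ASSET=yq_linux_arm64
                YQ_SHA256="<sha256 of yq_linux_arm64 from the v4.44.3 release checksums>"
              fi
              wget "https://github.com/mikefarah/yq/releases/download/v4.44.3/${YQ_ASSET}"
              echo "${YQ_SHA256}  ${YQ_ASSET}" | sha256sum -c -
              install "${YQ_ASSET}" /usr/local/bin/yq
              rm "${YQ_ASSET}"

              # … unchanged: git config, git clone, yq edit of values.yaml, git add/commit/push …
```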
@@ -18,7 +18,7 @@ spec: sources: - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git path: . - targetRevision: v11.0.5-depends + targetRevision: v12.0.0-depends helm: valueFiles: - $values/rire/factory.c-one-infra.de/stacks/core/forgejo/values.yaml
diff --git a/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-access-token.yaml b/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-access-token.yaml
new file mode 100644
index 0000000..215af67
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-access-token.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: forgejo-access-token
+ namespace: gitea
+spec:
+ secretStoreRef:
+ name: gitea
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: forgejo-access-token
+ template:
+ engineVersion: v2
+ data:
+ forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+ forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+ data:
+ - secretKey: FORGEJO_ACCESS_USERNAME
+ remoteRef:
+ key: forgejo-access-token
+ property: username
+ - secretKey: FORGEJO_ACCESS_TOKEN
+ remoteRef:
+ key: forgejo-access-token
+ property: token
diff --git a/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-secret.yaml b/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-secret.yaml
new file mode 100644
index 0000000..d449c24
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: auth-generic-oauth-secret
+ namespace: gitea
+spec:
+ secretStoreRef:
+ name: keycloak
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: auth-generic-oauth-secret
+ template:
+ engineVersion: v2
+ data:
+ key: "{{.FORGEJO_CLIENT_ID}}"
+ secret: "{{.FORGEJO_CLIENT_SECRET}}"
+ data:
+ - secretKey: FORGEJO_CLIENT_ID
+ remoteRef:
+ key: keycloak-clients
+ property: FORGEJO_CLIENT_ID
+ - secretKey: FORGEJO_CLIENT_SECRET
+ remoteRef:
+ key: keycloak-clients
+ property: FORGEJO_CLIENT_SECRET
diff --git a/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-sso-config.yaml b/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-sso-config.yaml
new file mode 100644
index 0000000..c6a9b56
--- /dev/null
+++ b/rire/factory.c-one-infra.de/stacks/core/forgejo/manifests/forgejo-sso-config.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: forgejo-config
+ namespace: gitea
+spec:
+ template:
+ metadata:
+ generateName: forgejo-config-
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: push
+ image: docker.io/library/ubuntu:22.04
+ env:
+ - name: FORGEJO_USER
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_username
+ - name: FORGEJO_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_token
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ #! /bin/bash
+
+ apt -qq update
+ apt -qq install git wget -y
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+ install yq_linux_amd64 /usr/local/bin/yq
+ rm yq_linux_amd64
+ else
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+ install yq_linux_arm64 /usr/local/bin/yq
+ rm yq_linux_arm64
+ fi
+
+ git config --global user.email "bot@bots.de"
+ git config --global user.name "giteaAdmin"
+
+ git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea.factory.c-one-infra.de/giteaAdmin/edfbuilder.git
+ cd edfbuilder
+ yq eval ".gitea.oauth = [
+ {
+ \"name\": \"Keycloak\",
+ \"provider\": \"openidConnect\",
+ \"existingSecret\": \"auth-generic-oauth-secret\",
+ \"autoDiscoverUrl\": \"https://factory.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration\"
+ }
+ ] |
+ (.gitea.oauth[] | .name) |= (. style=\"single\")
+ |
+ (.gitea.oauth[] | .provider) |= (. style=\"single\")
+ |
+ (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
+ |
+ (.gitea.oauth[] | .autoDiscoverUrl) |= (. 
style=\"single\")
+ " -i stacks/core/forgejo/values.yaml
+
+ yq eval '.gitea.config.oauth2_client =
+ {
+ "ENABLE_AUTO_REGISTRATION" : true,
+ "ACCOUNT_LINKING" : "auto"
+ }
+ ' -i stacks/core/forgejo/values.yaml
+
+ git add stacks/core/forgejo/values.yaml
+ git commit -m "adds Forgejo SSO config"
+ git push
+ backoffLimit: 99
\ No newline at end of file
diff --git a/rire/factory.c-one-infra.de/stacks/ref-implementation/backstage/manifests/install.yaml b/rire/factory.c-one-infra.de/stacks/ref-implementation/backstage/manifests/install.yaml
index 83d39de..ef219ca 100644
--- a/rire/factory.c-one-infra.de/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/rire/factory.c-one-infra.de/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -264,7 +264,8 @@ spec: name: gitea-credentials - secretRef: name: argocd-credentials - image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development + image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0 + imagePullPolicy: Always name: backstage ports: - containerPort: 7007
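Review bot: The clone URL embeds `${FORGEJO_USER}:${FORGEJO_TOKEN}`, so the token is persisted in the clone's `.git/config` as the remote URL and may surface in git's own error output if the clone or the later `git push` fails; the argocd-sso-config.yaml Job does the same. A credential helper that reads the environment keeps the token out of the stored URL: `git clone -c credential.helper='!f() { echo "username=${FORGEJO_USER}"; echo "password=${FORGEJO_TOKEN}"; }; f' https://gitea.factory.c-one-infra.de/giteaAdmin/edfbuilder.git` (the helper text stored in the clone refers to the variables, not to the token value, and the same helper then serves the push). The commit identity here is `giteaAdmin` while argocd-sso-config.yaml commits as `bot`; the two Jobs should agree on one author.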
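Review bot: `imagePullPolicy: Always` combined with the mutable tag `backstage-edp:1.1.0` means the image actually running can change on any pod restart without a change to this manifest, if the tag is ever re-pushed in the registry. If tracking a re-published tag is the intent, a comment next to the line saying so would help; if reproducibility is wanted, reference the digest as well, `image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0@sha256:<digest of backstage-edp 1.1.0>`, after which `Always` only re-verifies the same content. The container spec continues outside the hunk.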