diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml
index 5ecfcd8..7553279 100644
--- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml
+++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml
@@ -52,15 +52,7 @@ spec:
               
               git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git
               cd edfbuilder
-              yq eval '.configs.cm.oidc.config =
-                {
-                  "name": "Keycloak",
-                  "issuer": "https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration",
-                  "clientID": "argocd",
-                  "clientSecret": "$auth-generic-oauth-secret:client_secret",
-                  "requestedScopes": ["openid", "profile", "email", "groups"]
-                }
-              ' -i stacks/core/argocd/values.yaml
+              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret:          $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
               
               git add stacks/core/argocd/values.yaml
               git commit -m "adds Forgejo SSO config"
diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
index 5d877e4..228ee6f 100644
--- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
@@ -11,16 +11,26 @@ spec:
     metadata:
       generateName: forgejo-config-
     spec:
-      # serviceAccountName: forgejo-config
-      restartPolicy: Never
+      # serviceAccountName: bot
+      restartPolicy: OnFailure
       containers:
         - name: push
           image: docker.io/library/ubuntu:22.04
+          envFrom:
+            - secretRef: 
+                name: auth-generic-oauth-secret # thats the external secret the job should wait for
+            - secretRef:
+                name: k8s-job-token # edpbuilder should create this automatically and feed it to this job
           command: ["/bin/bash", "-c"]
           args:
             - |
               #! /bin/bash
 
+              if [[ "$client_secret" == "" ]];
+              then
+                exit 1
+              fi
+
               apt -qq update
               apt -qq install git wget -y
               if [[ "$(uname -m)" == "x86_64" ]]; then
@@ -34,11 +44,11 @@ spec:
               fi
 
               DOMAIN=192-168-197-2.c-one-infra.de
-              GIT_USERNAME=bot
-              GIT_PASSWORD=ca78ba327f61588a564907638920d163936863c9
+              GIT_USERNAME=giteaAdmin
+              GIT_PASSWORD=2e53bfe27b64a5aa4e8bc591e15b33cc92ff95fa
 
               git config --global user.email "bot@bots.de"
-              git config --global user.name "bot"
+              git config --global user.name "giteaAdmin"
               
               git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git
               cd edfbuilder
@@ -68,4 +78,5 @@ spec:
               
               git add stacks/core/forgejo/values.yaml
               git commit -m "adds Forgejo SSO config"
-              git push
\ No newline at end of file
+              git push
+  backoffLimit: 99
\ No newline at end of file