Integrate Forgejo with Authentik OIDC

Refactor Authentik blueprints into common.yaml (shared admins group),
grafana.yaml (updated with !Find and groups scope), and forgejo.yaml
(new provider + application). Add forgejo-client-secret to ExternalSecret
and worker deployment. Configure Forgejo oauth2_client for auto-registration
with login-based account linking to safely preserve existing accounts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

argocd/manifests/authentik/configmap-blueprint.yaml

@@ -12,6 +12,7 @@ data:
       labels:
         blueprints.goauthentik.io/description: "Shared groups and identity resources"
     entries:
+      # admins group — gates access to admin-only applications
       - model: authentik_core.group
         id: admins-group
         identifiers:
@@ -19,6 +20,20 @@ data:
         attrs:
           name: admins
 
+      # groups scope mapping — returns user's group names in OIDC tokens
+      - model: authentik_providers_oauth2.scopemapping
+        id: groups-scope
+        identifiers:
+          scope_name: groups
+        attrs:
+          name: "OAuth Mapping: groups"
+          scope_name: groups
+          description: "Map user groups to OIDC groups claim"
+          expression: |
+            return {
+                "groups": [group.name for group in request.user.ak_groups.all()],
+            }
+
   grafana.yaml: |
     version: 1
     metadata: