Integrate Forgejo with Authentik OIDC

Refactor Authentik blueprints into common.yaml (shared admins group),
grafana.yaml (updated with !Find and groups scope), and forgejo.yaml
(new provider + application). Add forgejo-client-secret to ExternalSecret
and worker deployment. Configure Forgejo oauth2_client for auto-registration
with login-based account linking to safely preserve existing accounts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

argocd/manifests/authentik/configmap-blueprint.yaml

@@ -12,7 +12,6 @@ data:
       labels:
         blueprints.goauthentik.io/description: "Shared groups and identity resources"
     entries:
-      # admins group — gates access to admin-only applications
       - model: authentik_core.group
         id: admins-group
         identifiers:
@@ -20,20 +19,6 @@ data:
         attrs:
           name: admins
 
-      # groups scope mapping — returns user's group names in OIDC tokens
-      - model: authentik_providers_oauth2.scopemapping
-        id: groups-scope
-        identifiers:
-          scope_name: groups
-        attrs:
-          name: "OAuth Mapping: groups"
-          scope_name: groups
-          description: "Map user groups to OIDC groups claim"
-          expression: |
-            return {
-                "groups": [group.name for group in request.user.ak_groups.all()],
-            }
-
   grafana.yaml: |
     version: 1
     metadata: