diff --git a/.woodpecker/helmfile.yaml b/.woodpecker/helmfile.yaml
new file mode 100644
index 0000000..72c92c5
--- /dev/null
+++ b/.woodpecker/helmfile.yaml
@@ -0,0 +1,40 @@
+when:
+ event:
+ - push
+matrix:
+ include:
+ - NAME: badhouseplants
+ ENV: badhouseplants
+.opts: &opts
+ secrets:
+ - sops_age_key
+ image: ghcr.io/helmfile/helmfile:latest
+ backend_options:
+ kubernetes:
+ serviceAccountName: woodpecker-ci
+ #resources:
+ # requests:
+ # memory: 1200Mi
+ # cpu: 2
+ # limits:
+ # memory: 1200Mi
+ # cpu: 2
+steps:
+ diff:
+ !!merge <<: *opts
+ when:
+ - branch:
+ exclude:
+ - main
+ commands:
+ - sed -i "/\b\(kubeContext\)\b/d" common/environments.yaml
+ - helmfile -e "${ENV}" diff
+ diff:
+ !!merge <<: *opts
+ when:
+ - branch:
+ include:
+ - main
+ commands:
+ - sed -i "/\b\(kubeContext\)\b/d" common/environments.yaml
+ - helmfile -e "${ENV}" apply
diff --git a/scripts/get_kubeconfig_from_sa.sh b/scripts/get_kubeconfig_from_sa.sh
new file mode 100755
index 0000000..e4d4ec3
--- /dev/null
+++ b/scripts/get_kubeconfig_from_sa.sh
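Review bot: Both entries under `steps:` in `.woodpecker/helmfile.yaml` are keyed `diff`, including the one that runs `helmfile -e "${ENV}" apply` on `main`; duplicate mapping keys are invalid YAML, and most parsers either reject the file or silently keep only the last one, so the branch-only diff step would presumably never run. Rename the second step, e.g. `apply:`. Separately, `image: ghcr.io/helmfile/helmfile:latest` is a mutable tag on a step that receives `sops_age_key` and runs under the `woodpecker-ci` service account; pin it to a fixed version and digest (`ghcr.io/helmfile/helmfile:<version>@sha256:<digest>`, placeholders to fill in). Indentation was lost on this page, so the nesting is inferred from the key order.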
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+
+# you need to have kubectl on PATH with the context set to the cluster you want to create the config for
+
+# Cosmetics for the created config
+clusterName="${CLUSTER_NAME}"
+# your server address goes here get it via `kubectl cluster-info`
+server="${CLUSTER_URL}"
+# the Namespace and ServiceAccount name that is used for the config
+export namespace='pipelines'
+export serviceAccount='woodpecker-ci'
+
+# The following automation does not work from Kubernetes 1.24 and up.
+# You might need to
+# define a Secret, reference the ServiceAccount there and set the secretName by hand!
+# See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount for details
+secretName=$(kubectl --namespace="$namespace" get serviceAccount "$serviceAccount" -o=jsonpath='{.secrets[0].name}')
+
+######################
+# actual script starts
+set -o errexit
+
+
+ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
+token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)
+
+echo "
+---
+apiVersion: v1
+kind: Config
+clusters:
+ - name: ${clusterName}
+ cluster:
+ certificate-authority-data: ${ca}
+ server: ${server}
+contexts:
+ - name: ${serviceAccount}@${clusterName}
+ context:
+ cluster: ${clusterName}
+ namespace: ${namespace}
+ user: ${serviceAccount}
+users:
+ - name: ${serviceAccount}
+ user:
+ token: ${token}
+current-context: ${serviceAccount}@${clusterName}
+"
+
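Review bot: `set -o errexit` is enabled only after the `secretName=$(kubectl … get serviceAccount …)` lookup, and `nounset`/`pipefail` are never set, so an empty `secretName` (the case the script's own comment describes for Kubernetes 1.24 and up) or an unset `CLUSTER_URL` is not caught where it occurs, and a failing `kubectl` in the `token=` pipeline is masked by the exit status of `base64 --decode`. I would move `set -euo pipefail` directly under the shebang and add `[ -n "$secretName" ] || { echo "no token Secret found for $serviceAccount" >&2; exit 1; }` after the lookup, so a kubeconfig with an empty CA or token is never printed. The script writes a Secret-backed ServiceAccount bearer token to stdout, and such tokens do not expire on their own, so a header comment should tell the operator to redirect the output into a file created under `umask 077` and to keep it out of CI logs.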