diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml index 3da8e60..a691725 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml @@ -55,6 +55,7 @@ force_basic_auth: yes body: name: token_init_{{ lookup('password', '/dev/null length=5 chars=ascii_letters,digits') }} + scopes: ["write:public_key","write:org"] register: gitea_api_token - name: Retrieve existing gitea configuration diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml index 5d03e02..c98c0b7 100644 --- a/ansible/vars/metacluster.yml +++ b/ansible/vars/metacluster.yml @@ -1,7 +1,7 @@ platform: k3s: - version: v1.26.4+k3s1 + version: v1.26.5+k3s1 packaged_components: - name: traefik @@ -56,7 +56,7 @@ components: argo-cd: helm: - version: 5.27.4 # (= ArgoCD v2.6.7) + version: 5.34.6 # (= ArgoCD v2.7.3) chart: argo/argo-cd parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | @@ -99,7 +99,7 @@ components: cert-manager: helm: - version: 1.11.0 + version: 1.12.1 chart: jetstack/cert-manager parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' # chart_values: !unsafe | 
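Review bot: The new `scopes: ["write:public_key","write:org"]` line in git.yml has no comment saying which later API calls need each scope, or that the names follow the Gitea release this commit moves to (the chart bump in metacluster.yml is annotated `= Gitea v1.19.3`). Scope names are defined by the Gitea server and can change between releases, so a later chart bump could make this request fail or change what the token may do without anyone revisiting the list. I would add above it `# Token scopes (Gitea v1.19 naming): keep to the minimum the following tasks need; re-check on every gitea chart bump`. The task starts outside the hunk, so whether it sets `no_log: true` is not visible; the registered `gitea_api_token` result presumably carries the token value, so that is worth confirming.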
@@ -109,19 +109,19 @@ components: management: version: # Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url` - base: v1.4.0 + base: v1.4.1 # Must match the version referenced at `components.cert-manager.helm.version` - cert_manager: v1.11.0 - infrastructure_vsphere: v1.6.0 + cert_manager: v1.11.1 + infrastructure_vsphere: v1.6.1 ipam_incluster: v0.1.0-alpha.2 # Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags - cpi_vsphere: v1.26.0 + cpi_vsphere: v1.26.2 workload: version: - calico: v3.25.0 - k8s: v1.26.4 + calico: v3.26.0 + k8s: v1.26.5 node_template: - url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.26.4.ova + url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.26.5.ova # dex: # helm: @@ -173,7 +173,7 @@ components: gitea: helm: - version: v7.0.2 # (= Gitea v1.18.3) + version: v8.3.0 # (= Gitea v1.19.3) chart: gitea-charts/gitea parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/' chart_values: !unsafe | @@ -204,7 +204,7 @@ components: harbor: helm: - version: 1.11.0 # (= Harbor v2.7.0) + version: 1.12.1 # (= Harbor v2.8.1) chart: harbor/harbor parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | @@ -259,7 +259,7 @@ components: kube-prometheus-stack: helm: - version: 45.2.0 + version: 46.5.0 # (= Prometheus version v0.65.1) chart: prometheus-community/kube-prometheus-stack parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | 
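Review bot: In the `management.version` block, `cert_manager` is set to `v1.11.1` while the same commit raises `components.cert-manager.helm.version` to `1.12.1`, which contradicts the comment directly above it ("Must match the version referenced at `components.cert-manager.helm.version`"). Either the value should follow the chart, `cert_manager: v1.12.1`, or the comment should be reworded to state the real constraint if the two are allowed to differ. Also in this hunk, the `node_template.url` line carries `{{ repo_username }}:{{ repo_password }}` inside the URL. The consuming task is not visible here, so confirm it runs with `no_log: true` so the rendered URL does not end up in Ansible output.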
@@ -270,11 +270,11 @@ components: kubevip: # Must match the version referenced at `dependencies.container_images` - version: v0.5.8 + version: v0.6.0 longhorn: helm: - version: 1.4.1 + version: 1.4.2 chart: longhorn/longhorn parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag' chart_values: !unsafe | @@ -290,7 +290,7 @@ components: step-certificates: helm: - version: 1.23.0 + version: 1.23.2+5 # (= step-ca v0.23.2) chart: smallstep/step-certificates parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u chart_values: !unsafe | @@ -320,7 +320,7 @@ dependencies: container_images: # This should match the image tag referenced at `platform.packaged_components[.name==traefik].config` - busybox:1 - - ghcr.io/kube-vip/kube-vip:v0.5.8 + - ghcr.io/kube-vip/kube-vip:v0.6.0 # The following list is generated by running the following commands: # $ clusterctl init -i vsphere: [...] # $ clusterctl generate cluster [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u 
@@ -334,25 +334,25 @@ dependencies: static_binaries: - filename: clusterctl - url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.4.0/clusterctl-linux-amd64 + url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.4.1/clusterctl-linux-amd64 - filename: govc - url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz + url: https://github.com/vmware/govmomi/releases/download/v0.30.4/govc_Linux_x86_64.tar.gz archive: compressed - filename: helm - url: https://get.helm.sh/helm-v3.10.2-linux-amd64.tar.gz + url: https://get.helm.sh/helm-v3.12.0-linux-amd64.tar.gz archive: compressed extra_opts: --strip-components=1 - filename: kubectl-slice - url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz + url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.6/kubectl-slice_linux_x86_64.tar.gz archive: compressed - filename: skopeo url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64 - filename: step - url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.23.0/step_linux_0.23.0_amd64.tar.gz + url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.23.2/step_linux_0.23.2_amd64.tar.gz archive: compressed extra_opts: --strip-components=2 - filename: yq - url: http://github.com/mikefarah/yq/releases/download/v4.30.5/yq_linux_amd64 + url: http://github.com/mikefarah/yq/releases/download/v4.34.1/yq_linux_amd64 packages: apt: diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml index c4b15d6..8bfff3d 100644 --- a/ansible/vars/workloadcluster.yml +++ b/ansible/vars/workloadcluster.yml @@ -9,7 +9,7 @@ downstream: helm_charts: longhorn: - version: 1.4.1 + version: 1.4.2 chart: longhorn/longhorn namespace: longhorn-system parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag' 
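Review bot: The `yq` entry under `static_binaries` is still fetched over plain `http://`, unlike the other entries in the list, so the initial request for an executable can be tampered with in transit. The changed line should read `url: https://github.com/mikefarah/yq/releases/download/v4.34.1/yq_linux_amd64`. None of the entries in this hunk carries a digest, so each bumped URL is trusted on transport alone. If the download task (not visible here) can take one, a per-entry field such as `checksum: sha256:<digest from the release page>` would pin each binary to the reviewed release.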
@@ -19,7 +19,7 @@ downstream: defaultDataPath: /mnt/blockstorage sealed-secrets: - version: 2.8.1 # (= Sealed Secrets v0.20.2) + version: 2.9.0 # (= Sealed Secrets v0.21.0) chart: sealed-secrets/sealed-secrets namespace: sealed-secrets parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'