diff --git a/platform/gitea/files/config/config.yaml b/platform/gitea/files/config/config.yaml
index b093dbff..219725ad 100644
--- a/platform/gitea/files/config/config.yaml
+++ b/platform/gitea/files/config/config.yaml
@@ -18,14 +18,13 @@ repositories:
 migrate:
 source: https://github.com/khuedoan/homelab
 mirror: false
- # TODO create webhook (use a global one?)
- # webhooks:
- # - http://gitea-webhook.tekton-pipelines:3000
+ hook: true
 - name: blog
 owner: khuedoan
 migrate:
 source: https://github.com/khuedoan/blog
 mirror: true
+ hook: true
 - name: backstage
 owner: khuedoan
 migrate:
diff --git a/platform/gitea/files/config/main.go b/platform/gitea/files/config/main.go
index 2ff804b3..384c35bf 100644
--- a/platform/gitea/files/config/main.go
+++ b/platform/gitea/files/config/main.go
@@ -23,6 +23,7 @@ type Repository struct {
 Source string
 Mirror bool
 }
+ Hook bool
 }
 type Config struct {
@@ -48,6 +49,7 @@ func main() {
 gitea_host := os.Getenv("GITEA_HOST")
 gitea_user := os.Getenv("GITEA_USER")
 gitea_password := os.Getenv("GITEA_PASSWORD")
+ webhook_token := os.Getenv("WEBHOOK_TOKEN")
 options := (gitea.SetBasicAuth(gitea_user, gitea_password))
 client, err := gitea.NewClient(gitea_host, options)
@@ -89,5 +91,32 @@ func main() {
 Private: repo.Private,
 })
 }
+
+ if repo.Hook {
+ hooks, _, _ := client.ListRepoHooks(repo.Owner, repo.Name, gitea.ListHooksOptions{})
+ if len(hooks) == 0 {
+ _, _, err = client.CreateRepoHook(repo.Owner, repo.Name, gitea.CreateHookOption{
+ Type: gitea.HookTypeGitea,
+ Config: map[string]string{
+ "url": "http://el-workflows-listener.tekton-workflows:8080",
+ "http_method": "post",
+ "content_type": "json",
+ "secret": webhook_token,
+ },
+ Events: []string{
+ "create",
+ "delete",
+ "push",
+ "pull_request",
+ },
+ BranchFilter: "*",
+ Active: true,
+ })
+
+ if err != nil {
+ log.Printf("Create hook %s/%s: %v", repo.Owner, repo.Name, err)
+ }
+ }
+ }
 }
 }
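Review bot: `webhook_token` is read from the environment in the second main.go hunk and later used as the hook `secret` without any check that it is non-empty. If WEBHOOK_TOKEN is unset, the hook would be registered with an empty secret, leaving the receiver nothing to verify deliveries against. A guard right after the read, `if webhook_token == "" { log.Fatal("WEBHOOK_TOKEN is not set") }`, fails the job early instead. main() continues outside this hunk, so whether `log.Fatal` matches the error style used there should be confirmed.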
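Review bot: Both error results of `client.ListRepoHooks` are discarded in the added `if repo.Hook` block, so a failed listing leaves `hooks` empty and the code goes on to create a hook as if none existed. Keep the error and skip creation when it is set: `hooks, _, err := client.ListRepoHooks(repo.Owner, repo.Name, gitea.ListHooksOptions{})` followed by `if err != nil { log.Printf("List hooks %s/%s: %v", repo.Owner, repo.Name, err) } else if len(hooks) == 0 {`. The `len(hooks) == 0` test also means any existing hook, even an unrelated one, suppresses creation, and a hook created by an earlier run is never updated when the token changes; matching on the hook's configured URL and editing the match would keep the job idempotent across secret rotation. The target URL is plain `http://`, presumably cluster-internal, and a short comment stating that assumption would help the next reader. The enclosing loop and the start of main() are outside this hunk.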
diff --git a/platform/gitea/templates/config-job.yaml b/platform/gitea/templates/config-job.yaml
index 6208acff..7f23afa0 100644
--- a/platform/gitea/templates/config-job.yaml
+++ b/platform/gitea/templates/config-job.yaml
@@ -30,6 +30,11 @@ spec:
 secretKeyRef:
 name: gitea-admin-secret
 key: password
+ - name: WEBHOOK_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: gitea-webhook-secret
+ key: token
 workingDir: /go/src/gitea-config
 command:
 - sh
diff --git a/platform/gitea/templates/webhook-secret.yaml b/platform/gitea/templates/webhook-secret.yaml
new file mode 100644
index 00000000..d547da8a
--- /dev/null
+++ b/platform/gitea/templates/webhook-secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: gitea-webhook-secret
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: token
+ remoteRef:
+ key: /tekton/webhook
+ property: token
diff --git a/platform/tekton-pipelines/kustomization.yaml b/platform/tekton-pipelines/kustomization.yaml
index e56efa57..7d5254d6 100644
--- a/platform/tekton-pipelines/kustomization.yaml
+++ b/platform/tekton-pipelines/kustomization.yaml
@@ -16,4 +16,5 @@ resources:
 # Workflow
 - https://storage.googleapis.com/tekton-releases-nightly/workflows/latest/release.yaml
 # Pre-defined workflows
+ - workflows/webhook-secret.yaml
 - workflows/master.yaml
diff --git a/platform/tekton-pipelines/workflows/master.yaml b/platform/tekton-pipelines/workflows/master.yaml
index 0ea2fa04..b5ca74e2 100644
--- a/platform/tekton-pipelines/workflows/master.yaml
+++ b/platform/tekton-pipelines/workflows/master.yaml
@@ -1,7 +1,7 @@
 apiVersion: workflows.tekton.dev/v1alpha1
 kind: Workflow
 metadata:
- name: blog-master
+ name: master
 namespace: tekton-workflows
 spec:
 triggers:
diff --git a/platform/tekton-pipelines/workflows/webhook-secret.yaml b/platform/tekton-pipelines/workflows/webhook-secret.yaml
new file mode 100644
index 00000000..348b5564
--- /dev/null
+++ b/platform/tekton-pipelines/workflows/webhook-secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: webhook-secret
+ namespace: tekton-workflows
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: token
+ remoteRef:
+ key: /tekton/webhook
+ property: token
diff --git a/platform/vault/files/generate-secrets/config.yaml b/platform/vault/files/generate-secrets/config.yaml
index 4b9b29d7..41a860df 100644
--- a/platform/vault/files/generate-secrets/config.yaml
+++ b/platform/vault/files/generate-secrets/config.yaml
@@ -18,3 +18,10 @@
 - key: password
 length: 32
 special: true
+
+# Tekton
+- path: tekton/webhook
+ data:
+ - key: token
+ length: 32
+ special: false
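Review bot: Nothing visible in this change consumes the `webhook-secret` Secret created by workflows/webhook-secret.yaml: the only edit shown to workflows/master.yaml renames the Workflow, and its `triggers:` section lies outside that hunk. Unless a trigger there references this Secret to validate the delivery signature, the listener would accept unsigned posts and the token configured on the Gitea side would never be checked. A leading comment such as `# Shared secret for Gitea webhook deliveries; must be referenced by the trigger that validates them` would record the intent and make a missing reference easier to spot in review.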