diff --git a/.github/workflows/pull-request-actions.yaml b/.github/workflows/pull-request-actions.yaml
index cbbbd62..5b8071a 100644
--- a/.github/workflows/pull-request-actions.yaml
+++ b/.github/workflows/pull-request-actions.yaml
@@ -1,4 +1,7 @@
 
+permissions:
+  contents: read
+
 name: Pull Request Jobs
 
 on:
@@ -11,8 +14,8 @@ jobs:
     name: Shellcheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
       - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@master
+        uses:ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #v2.0.0
         with: 
           check_together: 'yes'
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index d0908b9..a15ac40 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -1,4 +1,7 @@
     
+permissions:
+  contents: read
+
 name: Sync Dependencies with upstream
 
 on:
@@ -18,20 +21,20 @@ jobs:
     steps:
 
     - name: "Setup Github Token"
-      uses: actions/create-github-app-token@v2
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
       id: app-token
       with:
         app-id: ${{ vars.APP_ID }}
         private-key: ${{ secrets.PRIVATE_KEY }}    
 
     - name: Checkout 
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
       with: 
         ref: staging
 
     - name: Get latest upstream chart version
       id: capi-helm-chart
-      uses: azimuth-cloud/github-actions/helm-latest-version@master
+      uses: azimuth-cloud/github-actions/helm-latest-version@9ae9839de21f5dd3ede65728eda0019db8b692f5 #v0.23.0 
       with: 
         repository: "https://azimuth-cloud.github.io/capi-helm-charts"
         chart: "openstack-cluster"
@@ -39,7 +42,7 @@ jobs:
     # TODO: once azimuth-cloud/capi-helm-charts provides their own pinned k-orc installation method, we pick up the latest version  
     - name: "Get latest Openstack Resource Controller (K-orc) version"
       id: get-k-orc-version
-      uses: pozetroninc/github-action-get-latest-release@master
+      uses: pozetroninc/github-action-get-latest-release@2a61c339ea7ef0a336d1daa35ef0cb1418e7676c #v0.8.0
       with:
         repository: k-orc/openstack-resource-controller
         excludes: prerelease, draft
@@ -60,7 +63,7 @@ jobs:
 
     - name: "Create Pull Request for updating dependencies if changed"
       id: make-pr
-      uses: peter-evans/create-pull-request@v8
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
       env:
         pr-title: "Update Build Dependencies to match upstream"
       with:
diff --git a/user-values.yaml b/user-values.yaml
index fabb6ad..4865134 100644
--- a/user-values.yaml
+++ b/user-values.yaml
@@ -25,9 +25,9 @@ controlPlane:
 # The Kubernetes version of the cluster
 # This should match the version of kubelet and kubeadm in the image
 # and will be automatically updated by us
-kubernetesVersion: "1.34.3"
+kubernetesVersion: "1.34.8"
 # The name of the image to use for cluster machines
-machineImage: "capi-ubuntu-2204-kube-v1.34.3"
+machineImage: "capi-ubuntu-2204-kube-v1.34.8"
 
 addons:
   # Monitoring sets up kube-prometheus-stack and loki-stack.