diff --git a/.github/workflows/pull-request-actions.yaml b/.github/workflows/pull-request-actions.yaml
index cbbbd62..5b8071a 100644
--- a/.github/workflows/pull-request-actions.yaml
+++ b/.github/workflows/pull-request-actions.yaml
@@ -1,4 +1,7 @@ +permissions: +  contents: read + name: Pull Request Jobs on:
@@ -11,8 +14,8 @@ jobs: name: Shellcheck runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master + uses:ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #v2.0.0 with: check_together: 'yes'
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index 2609416..a15ac40 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -1,4 +1,7 @@ +permissions: +  contents: read + name: Sync Dependencies with upstream on:
@@ -18,18 +21,20 @@ jobs: steps: - name: "Setup Github Token" - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 id: app-token with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.PRIVATE_KEY }} - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 + with: + ref: staging - name: Get latest upstream chart version id: capi-helm-chart - uses: azimuth-cloud/github-actions/helm-latest-version@master + uses: azimuth-cloud/github-actions/helm-latest-version@9ae9839de21f5dd3ede65728eda0019db8b692f5 #v0.23.0 with: repository: "https://azimuth-cloud.github.io/capi-helm-charts" chart: "openstack-cluster"
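Review bot: The indentation of the added `contents: read` line in `.github/workflows/pull-request-actions.yaml` (hunk `-1,4 +1,7`) is worth checking at the byte level. On this page it is the only indentation that survived intact, which may mean it is made of non-breaking spaces rather than ASCII spaces, for instance after pasting the snippet from a web page. If that is the case, YAML would not nest the key under `permissions:` and the workflow would not get the read-only token this change intends. The same two added lines appear in `.github/workflows/update-deps.yaml` (hunk `-1,4 +1,7`); retyping them with plain spaces settles it either way.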
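Review bot: The pinned ShellCheck step in `.github/workflows/pull-request-actions.yaml` (hunk `-11,8 +14,8`) is written `uses:ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #v2.0.0` with no space after the colon, as shown on this page. YAML needs whitespace after `:` to read a mapping key, so the step would carry no `uses` entry and the workflow would be rejected rather than run the pinned action; the line should read `uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #v2.0.0`. For every pinning hunk in this commit, the diff alone cannot show that the SHA is the commit the trailing tag comment names, so each should be compared with the upstream tag before merge, because later readers will trust the comment. The `jobs:` block continues outside the hunk.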
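Review bot: With `permissions: contents: read` now applied to the whole of `.github/workflows/update-deps.yaml` (hunk `-1,4 +1,7`), the default `GITHUB_TOKEN` can no longer push a branch or open a pull request, yet the workflow ends in a `peter-evans/create-pull-request` step (hunk `-58,7 +63,7`). That step's `with:` block lies outside the visible hunks, so it is not clear which token it uses. If it does not already pass `token: ${{ steps.app-token.outputs.token }}`, the job will fail on push after this change. A comment above `permissions:` such as `# GITHUB_TOKEN is read-only; all writes go through the app token` would record the intent.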
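Review bot: The `Setup Github Token` step in `.github/workflows/update-deps.yaml` (hunk `-18,18 +21,20`) passes only `app-id` and `private-key`, so the token it mints carries every permission the app installation holds, and it is now the only write-capable credential in the workflow. It would be tighter to scope it with the action's `permission-<name>` inputs, for example `permission-contents: write` and `permission-pull-requests: write` under `with:`. The same line moves the action from `@v2` to a commit labelled v3.1.1, a major-version change carried inside a pinning commit, so the v3 release notes should be checked for input changes. The added `ref: staging` on checkout is likewise a behaviour change rather than a pin and deserves its own mention in the commit message.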
@@ -37,7 +42,7 @@ jobs: # TODO: once azimuth-cloud/capi-helm-charts provides their own pinned k-orc installation method, we pick up the latest version - name: "Get latest Openstack Resource Controller (K-orc) version" id: get-k-orc-version - uses: pozetroninc/github-action-get-latest-release@master + uses: pozetroninc/github-action-get-latest-release@2a61c339ea7ef0a336d1daa35ef0cb1418e7676c #v0.8.0 with: repository: k-orc/openstack-resource-controller excludes: prerelease, draft
@@ -58,7 +63,7 @@ jobs: - name: "Create Pull Request for updating dependencies if changed" id: make-pr - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0 env: pr-title: "Update Build Dependencies to match upstream" with:
diff --git a/bootstrap.sh b/bootstrap.sh
index cc8b0ab..a6a72c4 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,13 +1,6 @@ #!/usr/bin/env bash set -euo pipefail -echo "Installing required tools..." -sudo apt-get install -y snapd python3-openstackclient -export PATH=$PATH:/snap/bin -sudo snap install kubectl --classic -sudo snap install helm --classic -sudo snap install yq - echo "Updating system to apply latest security patches..." export DEBIAN_FRONTEND=noninteractive sudo apt-get update -qq
@@ -17,6 +10,13 @@ sudo apt-get -o Dpkg::Options::="--force-confold" \ -o Dpkg::Options::="--force-confdef" \ -y -qq upgrade > /dev/null +echo "Installing required tools..." +sudo apt-get install -y snapd python3-openstackclient yq + +export PATH=$PATH:/snap/bin +sudo snap install kubectl --classic +sudo snap install helm --classic + # Check a clouds.yaml file exists in the same directory as the script if [ ! -f clouds.yaml ]; then echo "A clouds.yaml file is required in the same directory as this script"
diff --git a/set-env.sh b/set-env.sh
index 0febd82..540fbaa 100755
--- a/set-env.sh
+++ b/set-env.sh
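Review bot: The relocated install block in `bootstrap.sh` (hunk `-17,6 +10,13`) now takes `yq` from apt instead of the snap, and those are not necessarily the same program. As far as I know the package named `yq` in the Debian/Ubuntu archives has been the Python jq wrapper, whereas the snap ships the Go implementation, and the two use different expression syntax and flags. The scripts that call `yq` are outside this hunk, so their expressions should be re-run against the apt build before merge. A comment above the install line, e.g. `# yq is the distro package; expressions in set-env.sh must match its syntax`, would keep the choice from being silently reversed later.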
@@ -4,6 +4,11 @@ # if we do this and run into any errors it will kill the user's # current shell (e.g. a typo) +if [ ! -f "/usr/bin/yq" ]; then + echo "Installing yq..." + sudo apt-get -y install yq +fi + # Function to convert dependencies to a valid environment variables sanitize_var_name() { echo "$1" | tr '-' '_' | tr '[:lower:]' '[:upper:]'
diff --git a/user-values.yaml b/user-values.yaml
index fabb6ad..4865134 100644
--- a/user-values.yaml
+++ b/user-values.yaml
@@ -25,9 +25,9 @@ controlPlane: # The Kubernetes version of the cluster # This should match the version of kubelet and kubeadm in the image # and will be automatically updated by us -kubernetesVersion: "1.34.3" +kubernetesVersion: "1.34.8" # The name of the image to use for cluster machines -machineImage: "capi-ubuntu-2204-kube-v1.34.3" +machineImage: "capi-ubuntu-2204-kube-v1.34.8" addons: # Monitoring sets up kube-prometheus-stack and loki-stack.
diff --git a/values.yaml b/values.yaml
index 70118a0..f07cc6b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -164,7 +164,7 @@ apiServer: addons: # Enable monitoring by default, this deploys - # https://github.com/stackhpc/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging + # https://github.com/azimuth-cloud/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging # and includes Loki which is required for central logging as per UKRI policy monitoring: enabled: true
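Review bot: The new guard in `set-env.sh` (hunk `-4,6 +4,11`) tests the fixed path `/usr/bin/yq`, so a host that already has `yq` elsewhere on `PATH` (the previous `bootstrap.sh` installed it as a snap, with `/snap/bin` appended to `PATH`) gets a second, possibly different, `yq` installed through `sudo`. Testing for the command rather than the path avoids that: `if ! command -v yq >/dev/null 2>&1; then`. The header comment just above suggests this script runs in the user's own shell, which makes a privileged package install a notable side effect for an environment script. Printing the install instruction and returning may fit better than calling `sudo apt-get` here, and the install also runs without a preceding `apt-get update`.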