diff --git a/.github/workflows/promote-to-master.yaml b/.github/workflows/promote-to-master.yaml
new file mode 100644
index 0000000..2581460
--- /dev/null
+++ b/.github/workflows/promote-to-master.yaml
@@ -0,0 +1,56 @@
+name: Open PR from staging to master
+on:
+  schedule:
+    - cron: "0 12 * * 3" # Wednesday at 12pm UTC
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+env:
+  author: "${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>"
+  committer: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
+
+jobs:
+  prod-promotion:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Setup Github Token"
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Checkout master branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          ref: master
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Merge staging into master
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git fetch origin staging
+          git merge --no-commit --no-ff origin/staging || true
+          git add -A
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          branch: promote-staging-to-prod
+          base: master
+          commit-message: "Update dependencies"
+          title: "Update dependencies"
+          author: ${{ env.author }}
+          committer: ${{ env.committer }}
+          body: |
+            Automated promotion PR to copy contents from `staging` to `master`.
+            
+            This PR was automatically created by the environment promotion workflow.
+          labels: |
+            automated
+            environment-promotion
\ No newline at end of file
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index db2dca8..a15ac40 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -29,6 +29,8 @@ jobs:
 
     - name: Checkout 
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      with: 
+        ref: staging
 
     - name: Get latest upstream chart version
       id: capi-helm-chart
diff --git a/bootstrap.sh b/bootstrap.sh
index cc8b0ab..a6a72c4 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,13 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-echo "Installing required tools..."
-sudo apt-get install -y snapd python3-openstackclient
-export PATH=$PATH:/snap/bin
-sudo snap install kubectl --classic
-sudo snap install helm --classic
-sudo snap install yq
-
 echo "Updating system to apply latest security patches..."
 export DEBIAN_FRONTEND=noninteractive
 sudo apt-get update -qq
@@ -17,6 +10,13 @@ sudo apt-get -o Dpkg::Options::="--force-confold" \
              -o Dpkg::Options::="--force-confdef" \
              -y -qq upgrade > /dev/null
 
+echo "Installing required tools..."
+sudo apt-get install -y snapd python3-openstackclient yq
+
+export PATH=$PATH:/snap/bin
+sudo snap install kubectl --classic
+sudo snap install helm --classic
+
 # Check a clouds.yaml file exists in the same directory as the script
 if [ ! -f clouds.yaml ]; then
     echo "A clouds.yaml file is required in the same directory as this script"
diff --git a/dependencies.yaml b/dependencies.yaml
index b5aa0f6..ca56773 100644
--- a/dependencies.yaml
+++ b/dependencies.yaml
@@ -1,4 +1,4 @@
 # https://github.com/azimuth-cloud/capi-helm-charts
-cluster-chart: "0.19.2"
+cluster-chart: "0.21.0"
 # https://github.com/k-orc/openstack-resource-controller
 k-orc: "2.4.0"
diff --git a/set-env.sh b/set-env.sh
index 0febd82..540fbaa 100755
--- a/set-env.sh
+++ b/set-env.sh
@@ -4,6 +4,11 @@
 # if we do this and run into any errors it will kill the user's
 # current shell (e.g. a typo)
 
+if [ ! -f "/usr/bin/yq" ]; then
+    echo "Installing yq..."
+    sudo apt-get -y install yq
+fi
+
 # Function to convert dependencies to a valid environment variables
 sanitize_var_name() {
     echo "$1" | tr '-' '_' | tr '[:lower:]' '[:upper:]'
diff --git a/user-values.yaml b/user-values.yaml
index 87e63a7..4865134 100644
--- a/user-values.yaml
+++ b/user-values.yaml
@@ -25,9 +25,9 @@ controlPlane:
 # The Kubernetes version of the cluster
 # This should match the version of kubelet and kubeadm in the image
 # and will be automatically updated by us
-kubernetesVersion: "1.34.6"
+kubernetesVersion: "1.34.8"
 # The name of the image to use for cluster machines
-machineImage: "capi-ubuntu-2204-kube-v1.34.6"
+machineImage: "capi-ubuntu-2204-kube-v1.34.8"
 
 addons:
   # Monitoring sets up kube-prometheus-stack and loki-stack.
diff --git a/values.yaml b/values.yaml
index 70118a0..f07cc6b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -164,7 +164,7 @@ apiServer:
 
 addons:
   # Enable monitoring by default, this deploys
-  # https://github.com/stackhpc/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging
+  # https://github.com/azimuth-cloud/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging
   # and includes Loki which is required for central logging as per UKRI policy
   monitoring:
     enabled: true