diff --git a/.github/chainguard/delete-branches.sts.yaml b/.github/chainguard/delete-branches.sts.yaml
new file mode 100644
index 000000000..c4913715b
--- /dev/null
+++ b/.github/chainguard/delete-branches.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:wolfi-dev/advisories:ref:refs/heads/main
+claim_pattern:
+  workflow_ref: wolfi-dev/advisories/.github/workflows/delete-old-branches.yaml@refs/heads/main
+
+permissions:
+  contents: write
+  pull_requests: read
diff --git a/.github/workflows/delete-old-branches.yaml b/.github/workflows/delete-old-branches.yaml
new file mode 100644
index 000000000..1cf843aa3
--- /dev/null
+++ b/.github/workflows/delete-old-branches.yaml
@@ -0,0 +1,34 @@
+name: Delete old branches
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+jobs:
+  cleanup_old_branches:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'wolfi-dev/advisories'
+
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
+        id: octo-sts
+        with:
+          scope: ${{ github.repository }}
+          identity: delete-branches
+
+      - uses: wolfi-dev/actions/install-wolfictl@main
+
+      - name: Delete Branches that matches adv-
+        run: |
+          wolfictl gh gc branch https://github.com/wolfi-dev/advisories --match "adv-"
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}