diff --git a/.github/chainguard/delete-branches.sts.yaml b/.github/chainguard/delete-branches.sts.yaml
new file mode 100644
index 0000000000..89623d8435
--- /dev/null
+++ b/.github/chainguard/delete-branches.sts.yaml
@@ -0,0 +1,7 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:wolfi-dev/os:ref:refs/heads/main
+claim_pattern:
+ job_workflow_ref: wolfi-dev/os/.github/workflows/delete-old-branches.yaml@refs/heads/main
+
+permissions:
+ contents: write
diff --git a/.github/workflows/delete-old-branches.yaml b/.github/workflows/delete-old-branches.yaml
new file mode 100644
index 0000000000..a034cc03eb
--- /dev/null
+++ b/.github/workflows/delete-old-branches.yaml
@@ -0,0 +1,30 @@
+name: Delete old branches
+
+on:
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+jobs:
+ cleanup_old_branches:
+ runs-on: ubuntu-latest
+
+ if: github.repository == 'wolfi-dev/os'
+
+ permissions:
+ id-token: write # To gitsign and federate
+
+ steps:
+ - uses: chainguard-dev/octo-sts-action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
+ id: octo-sts
+ with:
+ scope: ${{ github.repository }}
+ identity: delete-branches
+
+ - uses: wolfi-dev/actions/install-wolfictl@main
+
+ - name: Delete Branches
+ run: |
+ wolfictl gh gc branch https://github.com/wolfi-dev/os --match "wolfictl-"
+ env:
+ GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
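Review bot: `contents: write` under `permissions:` in delete-branches.sts.yaml is a repository-wide write grant, and nothing in the file says why it is needed or what keeps it contained. As far as I know GitHub offers no narrower permission for deleting refs, so the token minted for this identity can presumably also push commits, limited only by whatever branch protection the repository has. The `subject` and `job_workflow_ref` pins to `refs/heads/main` are what confine the grant to this one workflow, so they should not be loosened casually. I would add a comment above `permissions:` such as `# contents: write is required to delete branch refs; it also allows pushes, so keep subject and job_workflow_ref pinned to main`.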
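Review bot: `wolfi-dev/actions/install-wolfictl@main` in delete-old-branches.yaml is a mutable ref, while the octo-sts action two steps above it is pinned to a full commit SHA. Whatever that action installs is the binary the `Delete Branches` step then runs with the `contents: write` token in `GITHUB_TOKEN`, and the job-level `id-token: write` likely lets any step in the job request an OIDC token that satisfies the same trust policy. Pin it the same way, e.g. `- uses: wolfi-dev/actions/install-wolfictl@<full-commit-sha> # <tag-or-branch>`, and bump it through reviewed updates. The `# To gitsign and federate` comment could also be narrowed to federation, since no signing step is visible in this workflow.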