diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8b3acf7..1d17997 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ on:
     branches: ['main']
   pull_request:
     branches: ['main']
+  schedule:
+    - cron: '0 3 * * *'
   workflow_dispatch:
 
 env:
@@ -46,3 +48,36 @@ jobs:
           tags: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+  cleanup:
+    if: github.event_name == 'push' || github.event_name == 'schedule'
+    runs-on: [self-hosted, linux-amd64]
+    needs: build
+    steps:
+      - name: Delete images older than 24h
+        env:
+          TOKEN: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
+        run: |
+          cutoff=$(date -u -d '24 hours ago' +%s)
+          page=1
+          while true; do
+            versions=$(curl -sf -H "Authorization: token $TOKEN" \
+              "${{ env.REGISTRY }}/api/v1/packages/wylab?type=container&q=nanobot&limit=50&page=$page")
+            count=$(echo "$versions" | jq length)
+            [ "$count" = "0" ] && break
+            echo "$versions" | jq -c '.[]' | while read -r pkg; do
+              ver=$(echo "$pkg" | jq -r '.version')
+              # Keep latest and buildcache, only delete SHA tags
+              case "$ver" in latest|buildcache) continue ;; esac
+              created=$(echo "$pkg" | jq -r '.created_at')
+              ts=$(date -u -d "$created" +%s 2>/dev/null || echo 0)
+              if [ "$ts" -lt "$cutoff" ]; then
+                id=$(echo "$pkg" | jq -r '.id')
+                echo "Deleting nanobot:$ver (id=$id, created=$created)"
+                curl -sf -X DELETE -H "Authorization: token $TOKEN" \
+                  "${{ env.REGISTRY }}/api/v1/packages/wylab/container/nanobot/$ver" || true
+              fi
+            done
+            [ "$count" -lt 50 ] && break
+            page=$((page + 1))
+          done