diff --git a/.github/workflows/cleanup-ephemeral-environment.yml b/.github/workflows/cleanup-ephemeral-environment.yml
new file mode 100644
index 0000000000..46dd6a1852
--- /dev/null
+++ b/.github/workflows/cleanup-ephemeral-environment.yml
@@ -0,0 +1,40 @@
+name: Ephemeral environment cleanup
+
+on:
+ pull_request:
+ types: [unlabeled]
+
+jobs:
+ cleanup-config:
+ name: Cleanup ephemeral environment
+ runs-on: ubuntu-24.04
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') }}
+ steps:
+ - name: Log in to Azure - CI subscription
+ uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+ with:
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+ - name: Retrieve GitHub PAT secrets
+ id: retrieve-secret-pat
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: "bitwarden-ci"
+ secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
+ - name: Trigger Ephemeral Environment cleanup
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+ script: |
+ await github.rest.actions.createWorkflowDispatch({
+ owner: 'bitwarden',
+ repo: 'devops',
+ workflow_id: '_ephemeral_environment_pr_manager.yml',
+ ref: 'BRE-291-ephemeral-pr-manager',
+ inputs: {
+ ephemeral_env_branch: '$GITHUB_HEAD_REF',
+ cleanup_config: true,
+ project: 'server'
+ }
+ })
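Review bot: In the `script:` block, `ephemeral_env_branch: '$GITHUB_HEAD_REF'` is a plain JavaScript string literal, so nothing expands it and the dispatched workflow receives the text `$GITHUB_HEAD_REF` rather than the PR branch; use `ephemeral_env_branch: process.env.GITHUB_HEAD_REF,` and do not interpolate `${{ github.head_ref }}` into the script, because the branch name is contributor-controlled and this step runs with a repo-scoped PAT. The step that fetches that PAT uses `bitwarden/gh-actions/get-keyvault-secrets@main`, while the other two actions are pinned to commit SHAs; pin it the same way (`@<commit-sha> # <tag>`) so a change on `main` cannot alter code that handles the Key Vault secret. The job condition also looks inverted: on an `unlabeled` event the payload's `pull_request.labels` should, as far as I can tell, no longer include the label that was just removed, so `if: github.event.label.name == 'ephemeral-environment'` is probably what is intended; confirm on a test PR. None of the steps visibly uses the default `GITHUB_TOKEN`, so a top-level `permissions: {}` would keep it at least privilege.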