diff --git a/.github/workflows/demo-preview-cleanup.rb b/.github/workflows/demo-preview-cleanup.rb
new file mode 100644
index 0000000000..6c0cd4564b
--- /dev/null
+++ b/.github/workflows/demo-preview-cleanup.rb
@@ -0,0 +1,3 @@
+# az container delete -n ${{ env.APP_NAME }} -g primer -y &> /dev/null
+
+puts ARGV.inspect
diff --git a/.github/workflows/demo-preview-cleanup.yml b/.github/workflows/demo-preview-cleanup.yml
new file mode 100644
index 0000000000..0fb92f7de8
--- /dev/null
+++ b/.github/workflows/demo-preview-cleanup.yml
@@ -0,0 +1,58 @@
+name: Demo Preview Destroy
+
+on:
+  # schedule:
+  #   - cron: '0 12 * * *'  # every day at noon
+  push:
+    branches:
+      - demo_preview_cleanup
+
+permissions:
+  id-token: write # This is required for requesting the OIDC JWT for authing with Azure
+  contents: read  # This is required for actions/checkout
+
+# This allows one deploy workflow to interrupt another
+concurrency:
+  group: 'preview-env-cleanup @ ${{ github.head_ref || github.run_id }} for ${{ github.event.inputs.PR_NUMBER }}'
+  cancel-in-progress: true
+
+jobs:
+  cleanup:
+    name: Cleanup
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    environment:
+      name: preview
+
+    steps:
+      - uses: Azure/login@v2
+        with:
+          # excluding a client secret here will cause a login via OpenID Connect (OIDC),
+          # which prevents us from having to rotate client credentials, etc
+          client-id: "5ad1a188-b944-40eb-a2f8-cc683a6a65a0"
+          tenant-id: "398a6654-997b-47e9-b12b-9515b896b4de"
+          subscription-id: "550eb99d-d0c7-4651-a337-f53fa6520c4f"
+
+      # Do this before repo checkout to prevent running bundle install
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+
+      - name: Check out repo
+        uses: actions/checkout@v4
+
+      - name: Enumerate open PRs
+        uses: actions/github-script@v7
+        id: enumerate-open-prs
+        with:
+          script: |
+            octokit.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open'
+            })
+
+      # Delete web app (which will also delete the App Service plan)
+      # This will succeed even if the app doesn't exist / has already been deleted
+      - name: 'Delete App Service Apps for closed PRs'
+        run: ./.github/workflows/demo-preview-cleanup.rb "${{steps.enumerate-open-prs.outputs.result}}"