diff --git a/sdk_container/src/third_party/portage-stable/.github/workflows/update-metadata-glsa.yml b/sdk_container/src/third_party/portage-stable/.github/workflows/update-metadata-glsa.yml
new file mode 100644
index 0000000000..8bb05a6724
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/.github/workflows/update-metadata-glsa.yml
@@ -0,0 +1,32 @@
+name: Keep GLSA metadata updated
+on:
+  schedule:
+    - cron:  '0 7 1 * *'
+  workflow_dispatch:
+
+jobs:
+  keep-glsa-metadata-updated:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout portage-stable
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update GLSA metadata
+        id: update-glsa-metadata
+        run: |
+          rm -rf metadata/glsa
+          mkdir --parents metadata/glsa
+          rsync --archive rsync://rsync.gentoo.org/gentoo-portage/metadata/glsa/* ./metadata/glsa/
+          todaydate=$(date +%Y-%m-%d)
+          echo "TODAYDATE=${todaydate}" >>"${GITHUB_OUTPUT}"
+      - name: Create pull request for main branch
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          branch: buildbot/monthly-glsa-metadata-updates-${{steps.update-glsa-metadata.outputs.TODAYDATE }}
+          delete-branch: true
+          base: main
+          title: Monthly GLSA metadata ${{steps.update-glsa-metadata.outputs.TODAYDATE }}
+          body: Updated GLSA metadata
+          labels: main
diff --git a/sdk_container/src/third_party/portage-stable/.github/workflows/update-packages-from-list.yml b/sdk_container/src/third_party/portage-stable/.github/workflows/update-packages-from-list.yml
index 968f56e4e2..e5fd2903a1 100644
--- a/sdk_container/src/third_party/portage-stable/.github/workflows/update-packages-from-list.yml
+++ b/sdk_container/src/third_party/portage-stable/.github/workflows/update-packages-from-list.yml
@@ -20,13 +20,14 @@ jobs:
           path: gentoo
           # Gentoo is quite a large repo, so limit ourselves to last
           # quarter milion of commits. It is about two years worth of changes.
+          # Is is needed by the sync script to find out the hash of the last commit
+          # that made the changes to the package.
           fetch-depth: 250000
           ref: master
       - name: Checkout build scripts
         uses: actions/checkout@v3
         with:
           repository: flatcar/flatcar-build-scripts
-          ref: krnowak/stuff
           path: flatcar-build-scripts
       - name: Update listed packages
         id: update-listed-packages