diff --git a/db/migrate/20250531092748_add_expiry_notification_columns_to_deploy_tokens.rb b/db/migrate/20250531092748_add_expiry_notification_columns_to_deploy_tokens.rb
new file mode 100644
index 00000000000..25965568b41
--- /dev/null
+++ b/db/migrate/20250531092748_add_expiry_notification_columns_to_deploy_tokens.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddExpiryNotificationColumnsToDeployTokens < Gitlab::Database::Migration[2.3]
+  milestone '18.2'
+
+  def up
+    add_column :deploy_tokens, :seven_days_notification_sent_at, :datetime_with_timezone
+    add_column :deploy_tokens, :thirty_days_notification_sent_at, :datetime_with_timezone
+    add_column :deploy_tokens, :sixty_days_notification_sent_at, :datetime_with_timezone
+  end
+
+  def down
+    remove_column :deploy_tokens, :seven_days_notification_sent_at
+    remove_column :deploy_tokens, :thirty_days_notification_sent_at
+    remove_column :deploy_tokens, :sixty_days_notification_sent_at
+  end
+end
diff --git a/db/migrate/20250531094235_add_indices_for_deploy_token_expiry_columns.rb b/db/migrate/20250531094235_add_indices_for_deploy_token_expiry_columns.rb
new file mode 100644
index 00000000000..c89d28c9247
--- /dev/null
+++ b/db/migrate/20250531094235_add_indices_for_deploy_token_expiry_columns.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class AddIndicesForDeployTokenExpiryColumns < Gitlab::Database::Migration[2.3]
+  disable_ddl_transaction!
+  milestone '18.2'
+
+  def up
+    add_concurrent_index :deploy_tokens,
+      [:expires_at, :id],
+      where: 'revoked = false AND seven_days_notification_sent_at IS NULL',
+      name: 'index_dts_on_expiring_at_seven_days_notification_sent_at'
+
+    add_concurrent_index :deploy_tokens,
+      [:expires_at, :id],
+      where: 'revoked = false AND thirty_days_notification_sent_at IS NULL',
+      name: 'index_dts_on_expiring_at_thirty_days_notification_sent_at'
+
+    add_concurrent_index :deploy_tokens,
+      [:expires_at, :id],
+      where: 'revoked = false AND sixty_days_notification_sent_at IS NULL',
+      name: 'index_dts_on_expiring_at_sixty_days_notification_sent_at'
+  end
+
+  def down
+    remove_concurrent_index_by_name :deploy_tokens,
+      name: 'index_dts_on_expiring_at_seven_days_notification_sent_at'
+    remove_concurrent_index_by_name :deploy_tokens,
+      name: 'index_dts_on_expiring_at_thirty_days_notification_sent_at'
+    remove_concurrent_index_by_name :deploy_tokens,
+      name: 'index_dts_on_expiring_at_sixty_days_notification_sent_at'
+  end
+end
diff --git a/db/schema_migrations/20250531092748 b/db/schema_migrations/20250531092748
new file mode 100644
index 00000000000..5a60019530c
--- /dev/null
+++ b/db/schema_migrations/20250531092748
@@ -0,0 +1 @@
+57b7b2da5c36d48131b24af9cfbaadc60d8f778bb1115bca78f978eac4154aff
\ No newline at end of file
diff --git a/db/schema_migrations/20250531094235 b/db/schema_migrations/20250531094235
new file mode 100644
index 00000000000..df1e75d1566
--- /dev/null
+++ b/db/schema_migrations/20250531094235
@@ -0,0 +1 @@
+fda827ba7f101feb366f33d74a1b70391de33a08b8254f11419d3579bf870683
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index edb7c3468c6..17e69fb843c 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -13900,7 +13900,10 @@ CREATE TABLE deploy_tokens (
     read_virtual_registry boolean DEFAULT false NOT NULL,
     project_id bigint,
     group_id bigint,
-    write_virtual_registry boolean DEFAULT false NOT NULL
+    write_virtual_registry boolean DEFAULT false NOT NULL,
+    seven_days_notification_sent_at timestamp with time zone,
+    thirty_days_notification_sent_at timestamp with time zone,
+    sixty_days_notification_sent_at timestamp with time zone
 );
 
 CREATE SEQUENCE deploy_tokens_id_seq
@@ -35493,6 +35496,12 @@ CREATE INDEX index_draft_notes_on_merge_request_id ON draft_notes USING btree (m
 
 CREATE INDEX index_draft_notes_on_project_id ON draft_notes USING btree (project_id);
 
+CREATE INDEX index_dts_on_expiring_at_seven_days_notification_sent_at ON deploy_tokens USING btree (expires_at, id) WHERE ((revoked = false) AND (seven_days_notification_sent_at IS NULL));
+
+CREATE INDEX index_dts_on_expiring_at_sixty_days_notification_sent_at ON deploy_tokens USING btree (expires_at, id) WHERE ((revoked = false) AND (sixty_days_notification_sent_at IS NULL));
+
+CREATE INDEX index_dts_on_expiring_at_thirty_days_notification_sent_at ON deploy_tokens USING btree (expires_at, id) WHERE ((revoked = false) AND (thirty_days_notification_sent_at IS NULL));
+
 CREATE INDEX index_duo_workflows_checkpoint_writes_on_namespace_id ON duo_workflows_checkpoint_writes USING btree (namespace_id);
 
 CREATE INDEX index_duo_workflows_checkpoint_writes_on_project_id ON duo_workflows_checkpoint_writes USING btree (project_id);
diff --git a/workhorse/go.mod b/workhorse/go.mod
index f59f96d66b1..d4424e3ec56 100644
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@@ -36,7 +36,7 @@ require (
 	go.uber.org/goleak v1.3.0
 	gocloud.dev v0.40.1-0.20241107185025-56954848c3aa
 	golang.org/x/image v0.28.0
-	golang.org/x/net v0.40.0
+	golang.org/x/net v0.41.0
 	golang.org/x/oauth2 v0.30.0
 	google.golang.org/grpc v1.73.0
 	google.golang.org/protobuf v1.36.6
@@ -159,7 +159,7 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.26.0 // indirect
diff --git a/workhorse/go.sum b/workhorse/go.sum
index fec807307eb..3c6c96cb087 100644
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
@@ -687,8 +687,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -778,8 +778,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/oauth2 v0.0.0-20170912212905-13449ad91cb2/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=