diff --git a/.github/actions/cache-build-deps/action.yml b/.github/actions/cache-build-deps/action.yml
new file mode 100644
index 00000000..178f8d3b
--- /dev/null
+++ b/.github/actions/cache-build-deps/action.yml
@@ -0,0 +1,62 @@
+name: Cache build dependencies
+description: Restore cached OpenSSL/wolfSSL installs keyed by resolved commit SHA so build-wolfprovider.sh skips configure+make on a hit.
+
+inputs:
+ variant:
+ description: Token capturing every build-config dimension that changes the produced binaries (compiler, debug, replace-default, seed-src, fips). Distinct configs must use distinct variants.
+ required: true
+ openssl_ref:
+ description: OpenSSL tag/branch/sha, resolved to a SHA for the cache key.
+ required: true
+ wolfssl_ref:
+ description: wolfSSL tag/branch/sha, resolved to a SHA for the cache key. Ignored when wolfssl_fixed_key is set.
+ required: false
+ default: ''
+ wolfssl_fixed_key:
+ description: Verbatim wolfSSL cache key, used instead of resolving wolfssl_ref (FIPS bundle case - fixed stable version with no git ref).
+ required: false
+ default: ''
+ cache_openssl_source:
+ description: Also cache openssl-source. Required for --replace-default / --fips-baseline builds whose mismatch checks read the patched source.
+ required: false
+ default: 'false'
+ github_token:
+ description: Token passed to resolve-ref.sh to avoid GitHub API rate limits.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Resolve OpenSSL ref
+ id: openssl-ref
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ run: echo "sha=$("${GITHUB_WORKSPACE}/scripts/resolve-ref.sh" "${{ inputs.openssl_ref }}" openssl/openssl)" >> "$GITHUB_OUTPUT"
+
+ - name: Resolve wolfSSL ref
+ id: wolfssl-ref
+ if: inputs.wolfssl_fixed_key == ''
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ run: echo "sha=$("${GITHUB_WORKSPACE}/scripts/resolve-ref.sh" "${{ inputs.wolfssl_ref }}" wolfssl/wolfssl)" >> "$GITHUB_OUTPUT"
+
+ - name: Cache OpenSSL install
+ uses: actions/cache@v4
+ with:
+ path: openssl-install
+ key: openssl-install-${{ inputs.variant }}-${{ steps.openssl-ref.outputs.sha }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh') }}
+
+ - name: Cache OpenSSL source
+ if: inputs.cache_openssl_source == 'true'
+ uses: actions/cache@v4
+ with:
+ path: openssl-source
+ key: openssl-source-${{ inputs.variant }}-${{ steps.openssl-ref.outputs.sha }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh') }}
+
+ - name: Cache wolfSSL install
+ uses: actions/cache@v4
+ with:
+ path: wolfssl-install
+ key: wolfssl-install-${{ inputs.variant }}-${{ inputs.wolfssl_fixed_key || steps.wolfssl-ref.outputs.sha }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh') }}
diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml
index 3c158d01..163da7c6 100644
--- a/.github/workflows/cmdline.yml
+++ b/.github/workflows/cmdline.yml
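Review bot: In the `Resolve OpenSSL ref` and `Resolve wolfSSL ref` steps the exit status of resolve-ref.sh is discarded: the command substitution sits inside the argument to `echo`, so a failed or empty resolution still writes `sha=` to `$GITHUB_OUTPUT` and the job carries on, and the later `actions/cache` steps then use a key of the form `openssl-install-<variant>--<hash>` that every unresolvable ref shares, so a stale install can be restored for the wrong ref instead of the job failing. Capturing the output first and refusing an empty value turns that into a visible failure; with the `-e` that `shell: bash` enables by default, the assignment form alone already stops on a non-zero exit, and the `-n` test covers a script that exits 0 with no output. The same steps interpolate `${{ inputs.openssl_ref }}` / `${{ inputs.wolfssl_ref }}` directly into the script text, and smoke-test.yml feeds these from another job's outputs; routing them through `env` as `GITHUB_TOKEN` already is keeps the shell from re-parsing whatever the expression expands to. The wolfSSL step needs the identical change.
```yaml
      - name: Resolve OpenSSL ref
        # … unchanged: id, shell …
        env:
          GITHUB_TOKEN: ${{ inputs.github_token }}
          OPENSSL_REF: ${{ inputs.openssl_ref }}
        run: |
          sha="$("${GITHUB_WORKSPACE}/scripts/resolve-ref.sh" "$OPENSSL_REF" openssl/openssl)"
          [ -n "$sha" ] || { echo "resolve-ref.sh returned no SHA for '$OPENSSL_REF'" >&2; exit 1; }
          echo "sha=${sha}" >> "$GITHUB_OUTPUT"
      # … unchanged: Resolve wolfSSL ref (same shape with WOLFSSL_REF) and the three actions/cache steps …
```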
@@ -50,6 +50,14 @@ jobs: with: fetch-depth: 1 + - name: Cache build dependencies + uses: ./.github/actions/cache-build-deps + with: + variant: cmdline${{ matrix.debug != '' && '-debug' || '' }} + openssl_ref: ${{ matrix.openssl_ref }} + wolfssl_ref: ${{ matrix.wolfssl_ref }} + github_token: ${{ secrets.GITHUB_TOKEN }} + - name: Build wolfProvider run: | ${{ matrix.debug }} OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index 8e8560c1..74d3b297 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -47,13 +47,30 @@ jobs: with: fetch-depth: 1 + - name: Cache build dependencies + uses: ./.github/actions/cache-build-deps + with: + variant: fips-ready + openssl_ref: ${{ matrix.openssl_ref }} + wolfssl_fixed_key: wolfssl-fips-${{ matrix.wolfssl_bundle_ref }}-${{ matrix.openssl_ref }} + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Cache FIPS Ready Bundle zip + uses: actions/cache@v4 + with: + path: wolfssl-fips-ready.zip + key: wolfssl-fips-bundle-${{ matrix.wolfssl_bundle_ref }} + - name: Download FIPS Ready Bundle run: | - # Download FIPS ready bundle from wolfSSL website - BUNDLE_URL="https://www.wolfssl.com/wolfssl-${{matrix.wolfssl_bundle_ref}}-gplv3-fips-ready.zip" - - wget -O wolfssl-fips-ready.zip "$BUNDLE_URL" - unzip wolfssl-fips-ready.zip + # Bundle is a fixed stable release; only fetch on a cache miss. The + # build script's bundle copy still needs the extracted tree present, + # so unzip runs every time. + if [ ! -f wolfssl-fips-ready.zip ]; then + BUNDLE_URL="https://www.wolfssl.com/wolfssl-${{matrix.wolfssl_bundle_ref}}-gplv3-fips-ready.zip" + wget -O wolfssl-fips-ready.zip "$BUNDLE_URL" + fi + unzip -o wolfssl-fips-ready.zip # Find the extracted directory (build script requires directory, not zip) BUNDLE_DIR=$(find . -maxdepth 1 -type d -name "*fips-ready*" | head -n 1) 
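Review bot: In the fips-ready.yml hunk the `Download FIPS Ready Bundle` step writes whatever `wget` received from `$BUNDLE_URL` straight into `wolfssl-fips-ready.zip`, and the new `Cache FIPS Ready Bundle zip` step keeps that file under `wolfssl-fips-bundle-${{ matrix.wolfssl_bundle_ref }}` for every later run of that matrix row, so a truncated or substituted archive would be reused on every cache hit rather than refetched. Since the bundle is a fixed release, its digest can be pinned alongside `wolfssl_bundle_ref` in the matrix and checked before the file is trusted, e.g. after the `wget` line: `echo "<EXPECTED_SHA256>  wolfssl-fips-ready.zip" | sha256sum -c -` (placeholder for the pinned digest). Placing that check after the `fi` rather than inside it also validates a restored cache entry, and a failed check should remove the zip so the next run refetches it. The `run: |` block continues past the end of the hunk.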
diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml index 6a774cba..10d1f58c 100644 --- a/.github/workflows/seed-src.yml +++ b/.github/workflows/seed-src.yml @@ -49,6 +49,14 @@ jobs: with: fetch-depth: 1 + - name: Cache build dependencies + uses: ./.github/actions/cache-build-deps + with: + variant: seed-src + openssl_ref: ${{ matrix.openssl_ref }} + wolfssl_ref: ${{ matrix.wolfssl_ref }} + github_token: ${{ secrets.GITHUB_TOKEN }} + - name: Build and test wolfProvider with SEED-SRC run: | # Force wolfSSL to not use getrandom syscall via ac_cv_func_getrandom=no. diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index ca8c180f..8465ba04 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -56,6 +56,15 @@ jobs: with: fetch-depth: 1 + - name: Cache build dependencies + uses: ./.github/actions/cache-build-deps + with: + variant: simple${{ matrix.replace_default != '' && '-rd' || '' }} + openssl_ref: ${{ matrix.openssl_ref }} + wolfssl_ref: ${{ matrix.wolfssl_ref }} + cache_openssl_source: ${{ matrix.replace_default != '' }} + github_token: ${{ secrets.GITHUB_TOKEN }} + - name: Build and test wolfProvider run: | OPENSSL_TAG=${{ matrix.openssl_ref }} \ diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index 6ffe4459..8a0d07ad 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -57,6 +57,14 @@ jobs: with: fetch-depth: 1 + - name: Cache build dependencies + uses: ./.github/actions/cache-build-deps + with: + variant: smoke + openssl_ref: ${{ needs.discover_versions.outputs.openssl_latest_ref }} + wolfssl_ref: ${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_latest_ref }} + github_token: ${{ secrets.GITHUB_TOKEN }} + - name: Build and test wolfProvider run: | # Resolve "stable" matrix row to the discovered latest tag.
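Review bot: In the smoke-test.yml hunk, `wolfssl_ref: ${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_latest_ref }}` only falls back when the matrix value is empty, whereas the build step's comment just below (`# Resolve "stable" matrix row to the discovered latest tag.`) suggests the row carries the literal `stable`; if so, the cache action is handed `stable`, resolve-ref.sh is asked for a ref that may not exist on wolfssl/wolfssl, and the cache key no longer describes what the build step actually compiles. Mirroring the build step's resolution in the expression, e.g. `wolfssl_ref: ${{ matrix.wolfssl_ref == 'stable' && needs.discover_versions.outputs.wolfssl_latest_ref || matrix.wolfssl_ref }}`, keeps the two in step; this should be confirmed against the matrix definition, which is outside the hunk. The `run: |` block of the build step continues past the end of the hunk.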