diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml
index 1c74aaedadb3..8e729e66e4a9 100644
--- a/.github/actions/cache/action.yml
+++ b/.github/actions/cache/action.yml
@@ -19,4 +19,4 @@ runs:
         KEY: "${{ inputs.key }}"
     - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4  # v2.9.1
       with:
-        key: ${{ steps.normalized-key.outputs.key }}-4
+        key: ${{ steps.normalized-key.outputs.key }}-5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5c6132cdb039..a377ca8605dd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -120,8 +120,6 @@ jobs:
           echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV
           echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV
         if: matrix.PYTHON.OPENSSL
-      - run: rustup run stable cargo install bindgen-cli
-        if: matrix.PYTHON.OPENSSL.TYPE == 'boringssl' || matrix.PYTHON.OPENSSL.TYPE == 'aws-lc'
       - name: Cache rust and pip
         uses: ./.github/actions/cache
         timeout-minutes: 2
@@ -131,6 +129,12 @@ jobs:
           # different Python versions of PyPy that share the same PyPy
           # version number.
           key: "${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-${{ matrix.PYTHON.NOXSESSION }}-${{ env.OPENSSL_HASH }}-0"
+      # This must run after the cache action: rust-cache prunes binaries
+      # that already existed in ~/.cargo/bin before it ran, so installing
+      # bindgen first means it never gets cached. When the cache is warm,
+      # cargo sees the binary is already installed and skips the build.
+      - run: rustup run stable cargo install bindgen-cli
+        if: matrix.PYTHON.OPENSSL.TYPE == 'boringssl' || matrix.PYTHON.OPENSSL.TYPE == 'aws-lc'
 
       - run: python -m pip install -c ci-constraints-requirements.txt 'nox[uv]' 'tomli; python_version < "3.11"'
       - name: Create nox environment