diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5395414..ad5c978 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,8 +5,11 @@ on:
     branches: [main]
   pull_request:
 
+# Cancel in-flight runs for the same workflow + ref. Including
+# `github.workflow` in the key keeps this from colliding with any other
+# workflow that happens to share a ref-based group prefix.
 concurrency:
-  group: ci-${{ github.ref }}
+  group: ci-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 # Least-privilege: this workflow only reads the repo to lint/build/verify; it
@@ -34,6 +37,31 @@ jobs:
         with:
           node-version-file: .nvmrc
 
+      # Cache Bun's resolved package store keyed on the lockfile hash. Cuts
+      # ~10s off `bun install` on a clean runner; the restore-key falls back
+      # to any prior cache from this OS so partial hits still help.
+      - name: Cache Bun install cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
+        with:
+          path: ~/.bun/install/cache
+          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-bun-
+
+      # Cache Next.js's incremental build output. Keyed on lockfile + commit
+      # SHA so the exact-key match is always per-commit fresh; restore-keys
+      # fall back to any previous build on the same lockfile, then any build
+      # on this OS — so most CI runs hit a cache and skip rebuilding
+      # unchanged webpack modules.
+      - name: Cache Next.js build cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
+        with:
+          path: ${{ github.workspace }}/.next/cache
+          key: ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-
+            ${{ runner.os }}-nextjs-
+
       - name: Install
         run: bun install --frozen-lockfile