diff --git a/.github/workflows/build-push-image.yml b/.github/workflows/build-push-image.yml
index 6755d83..5c82dde 100644
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@@ -25,7 +25,8 @@ on:
       key_cache:
         required: false
         type: string
-        default: "v1-keypair-${{ github.ref_name }}" # unique for the branch / PR
+        # cosign keys are unique for the ref
+        default: "v1-keypair-${{ github.ref_name }}"
     secrets:
       registry_token:
         required: true
@@ -282,7 +283,16 @@ jobs:
           cosign-release: 'v2.5.0'
       - name: Check install
         run: cosign version
-      - name: Generate keypair
+      - name: Cache keypair
+        id: cache-keypair
+        uses: actions/cache@v4
+        with:
+          path: "${{ inputs.key_name }}.*"
+          key: ${{ inputs.key_cache }}
+          enableCrossOsArchive: true
+      - if: ${{ steps.cache-keypair.outputs.cache-hit != 'true' }}
+        continue-on-error: true
+        name: Generate keypair
         run: |-
           cosign generate-key-pair --output-key-prefix="${{ inputs.key_name }}"
       - name: Cache keypair