diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 8a838cea..b1f701b3 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -30,6 +30,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+
+ # PERFORMANCE: Cache pip dependencies so that any packages installed by the
+ # bandit scan action (or future pip-install steps) are served from cache.
+ # Key covers both requirements.txt and pyproject.toml so any dep change
+ # automatically busts the cache.
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'pyproject.toml') }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+
 - name: Bandit Scan
 uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd
 with: # optional arguments
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 4ac91d2c..15047446 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
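Review bot: The added `Cache pip dependencies` step in bandit.yml references `actions/cache@v4` by a mutable tag, while the `Bandit Scan` step directly below it is pinned to a full commit SHA; in a job that runs a security scanner the new step should follow the same pinning, e.g. `uses: actions/cache@<full-commit-sha>  # v4`. It is also worth confirming that the step has any effect: no step visible in this job runs pip on the runner, and if the scan action executes inside a container (not determinable from this hunk) the runner's `~/.cache/pip` is never populated, so nothing would be saved or restored. If the step stays, the comment should say that the `restore-keys` prefix `${{ runner.os }}-pip-` deliberately restores a cache built from a different dependency set. The job definition starts above the hunk and the scan step's `with:` block continues below it.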
@@ -17,17 +17,21 @@ jobs:
 uses: actions/checkout@v4
 # PERFORMANCE: Caching pip dependencies significantly speeds up CI
- # Cache key is based on requirements.txt hash, automatically invalidating when deps change
+ # Cache key is based on requirements.txt + pyproject.toml hashes, automatically
+ # invalidating when deps change. Both files are included because pyproject.toml
+ # defines the source of truth for dependencies.
 # See: https://github.com/actions/setup-python#caching-packages-dependencies
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
 python-version: '3.13'
 cache: 'pip'
- cache-dependency-path: 'requirements.txt'
+ cache-dependency-path: |
+ requirements.txt
+ pyproject.toml
 # REPRODUCIBILITY: Install from requirements.txt to centralize and document dependencies
- # This also aligns installs with the cache key derived from requirements.txt
+ # This also aligns installs with the cache key derived from requirements.txt + pyproject.toml
 - name: Install dependencies
 run: pip install -r requirements.txt
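Review bot: The reworded comment above `Set up Python` calls pyproject.toml the source of truth for dependencies, but the `Install dependencies` step at the end of the hunk still runs only `pip install -r requirements.txt`, so an edit to pyproject.toml invalidates the cache without changing what gets installed. The comment should state how the two files are kept in step, for example `# requirements.txt must be regenerated whenever pyproject.toml dependencies change`, or drop the source-of-truth claim. The REPRODUCIBILITY comment also holds only if requirements.txt pins exact versions, which this hunk does not show; if the file carries hashes, `pip install --require-hashes -r requirements.txt` would have pip verify every package it installs against them. The step list starts above the hunk and may continue below it.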