diff --git a/.github/workflows/nss-pk12util-debian-test.yml b/.github/workflows/nss-pk12util-debian-test.yml
index 5d19db2a..0944e13e 100644
--- a/.github/workflows/nss-pk12util-debian-test.yml
+++ b/.github/workflows/nss-pk12util-debian-test.yml
@@ -100,14 +100,14 @@ jobs:
 uses: actions/cache@v4
 with:
 path: /tmp/nss-build
- key: nss-debian-source-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch') }}-${{ env.WOLFSSL_VERSION }}
+ key: nss-debian-source-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch', '.github/workflows/nss-pk12util-debian-test.yml') }}-${{ env.WOLFSSL_VERSION }}
 - name: Cache NSS built packages
 id: cache-nss-packages
 uses: actions/cache@v4
 with:
 path: /tmp/nss-packages
- key: nss-debian-packages-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch') }}-${{ env.WOLFSSL_VERSION }}
+ key: nss-debian-packages-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch', '.github/workflows/nss-pk12util-debian-test.yml') }}-${{ env.WOLFSSL_VERSION }}
 - name: Get NSS Debian sources and apply wolfPKCS11 patch
 if: steps.cache-nss-source.outputs.cache-hit != 'true'
@@ -135,6 +135,16 @@ jobs:
 # Copy patch file from workspace to current directory for reliable access
 cp "${GITHUB_WORKSPACE}/.github/workflows/wolfpkcs11-nss-debian.patch" ./wolfpkcs11-nss-debian.patch
+ # Prepend the wolfPKCS11 changelog entry. Done inline (rather than in
+ # the patch) so future Debian security uploads do not break the hunk
+ # context every time a new entry lands at the top of debian/changelog.
+ # `dch --local` derives the new version from whatever is currently at
+ # the top, so this works regardless of which deb12uN the apt mirror
+ # currently ships.
+ DEBEMAIL="support@wolfssl.com" DEBFULLNAME="wolfSSL" \
+ dch --local "+wolfSSL-" --distribution bookworm-security \
+ "First build with wolfPKCS11 backend"
+
 # Apply the patch
 patch -p1 < ./wolfpkcs11-nss-debian.patch
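Review bot: The two new `key:` expressions still omit the version of the NSS source package that the apt mirror currently serves, so after Debian publishes a further `deb12uN` upload a cache hit on `/tmp/nss-build` or `/tmp/nss-packages` lets `steps.cache-nss-source.outputs.cache-hit` skip the `Get NSS Debian sources` step and the job keeps testing the previously fetched source. That undercuts the aim stated in the later hunk of following whatever `deb12uN` the mirror ships. A preceding step could record the candidate source version (for example from `apt-cache policy`) in a step output and append it to both keys as `-${{ steps.<step id>.outputs.version }}`. The enclosing `steps:` list begins before this hunk.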
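Review bot: The new `dch --local` invocation depends on `devscripts` being installed on the runner, and nothing in this hunk installs it; unless the earlier part of this `run:` block (which begins outside the hunk) already does, the step aborts under the default `-e` shell before `patch -p1` runs. A comment such as `# requires devscripts (dch); installed in <step name>` would make the dependency visible. The comment block could also state what the switch buys for version ordering: appending `+wolfSSL-N` to the existing Debian revision keeps the result below the next `deb12uN` security upload, whereas the removed patch's hard-coded `2:3.87.1-1+wolfSSL-1` sorted above every `deb12uN`; worth confirming with `dpkg --compare-versions` before relying on it.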
diff --git a/.github/workflows/nss.yml b/.github/workflows/nss.yml
index 62559b4d..9e5864d5 100644
--- a/.github/workflows/nss.yml
+++ b/.github/workflows/nss.yml
@@ -135,6 +135,7 @@ jobs:
 --enable-keygen --enable-pwdbased --enable-scrypt --with-eccminsz=192 --with-max-rsa-bits=8192 --enable-rsapss CFLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DRSA_MIN_SIZE=1024 -DWOLFSSL_PSS_LONG_SALT"
+ check: false
 install: true
 - name: Cache wolfSSL
diff --git a/.github/workflows/tpm2-store-test.yml b/.github/workflows/tpm2-store-test.yml
index 5beb1c5a..4ffa3865 100644
--- a/.github/workflows/tpm2-store-test.yml
+++ b/.github/workflows/tpm2-store-test.yml
@@ -47,7 +47,7 @@ jobs:
 id: cache-wolfssl
 with:
 path: build-dir/
- key: wolfssl-${{ matrix.wolfssl_version }}
+ key: wolfssl-${{ matrix.wolfssl_version }}-tpm
 lookup-only: true
 - name: debug
@@ -60,7 +60,7 @@ jobs:
 repository: wolfssl/wolfssl
 ref: ${{ matrix.wolfssl_version }}
 path: wolfssl/
- configure: --enable-all --disable-anon CPPFLAGS=-DWC_RSA_DIRECT
+ configure: --enable-all --disable-anon --disable-nginx CPPFLAGS=-DWC_RSA_DIRECT
 check: false
 install: true
@@ -79,14 +79,14 @@ jobs:
 id: cache-wolftpm
 with:
 path: build-dir/
- key: wolftpm-${{ matrix.wolftpm_version }}
+ key: wolftpm-${{ matrix.wolftpm_version }}-tpm
 lookup-only: true
 - name: Checking cache for wolfssl
 uses: actions/cache@v4
 with:
 path: build-dir/
- key: wolfssl-${{ matrix.wolfssl_version }}
+ key: wolfssl-${{ matrix.wolfssl_version }}-tpm
 fail-on-cache-miss: true
 - name: debug
@@ -133,14 +133,14 @@ jobs:
 uses: actions/cache@v4
 with:
 path: build-dir/
- key: wolfssl-${{ matrix.wolfssl_version }}
+ key: wolfssl-${{ matrix.wolfssl_version }}-tpm
 fail-on-cache-miss: true
 - name: Checking cache for wolftpm
 uses: actions/cache@v4
 with:
 path: build-dir/
- key: wolftpm-${{ matrix.wolftpm_version }}
+ key: wolftpm-${{ matrix.wolftpm_version }}-tpm
 fail-on-cache-miss: true
 - name: Restore wolfTPM examples from cache
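Review bot: The new `key: wolfssl-${{ matrix.wolfssl_version }}-tpm` still omits the configure options, so any later edit to the `configure:` line in the `@@ -60` hunk will be served a `build-dir/` built with the old flags whenever the key hits (the commit's own `--disable-nginx` change only escapes this because the `-tpm` suffix is new at the same time); the `wolftpm-…-tpm` and `wolfssl-…-tpm` keys in the `@@ -79` and `@@ -133` hunks have the same gap. The first file in this commit already mixes the workflow file into its keys with `hashFiles()`, and the same approach here would be `key: wolfssl-${{ matrix.wolfssl_version }}-tpm-${{ hashFiles('.github/workflows/tpm2-store-test.yml') }}`. Every `fail-on-cache-miss: true` lookup must then use the identical expression, otherwise those jobs fail at the lookup.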
diff --git a/.github/workflows/wolfpkcs11-nss-debian.patch b/.github/workflows/wolfpkcs11-nss-debian.patch
index 47007ad5..a9ccd28b 100644
--- a/.github/workflows/wolfpkcs11-nss-debian.patch
+++ b/.github/workflows/wolfpkcs11-nss-debian.patch
@@ -1,16 +1,3 @@
-diff '--color=auto' -ur a/debian/changelog b/debian/changelog
---- a/debian/changelog 2024-10-10 20:51:11.000000000 +0100
-+++ b/debian/changelog 2025-08-14 15:02:27.391964431 +0100
-@@ -1,3 +1,9 @@
-+nss (2:3.87.1-1+wolfSSL-1) bookworm-security; urgency=medium
-+
-+ * First build with wolfPKCS11 backend
-+
-+ -- wolfSSL Thu, 08 Aug 2025 15:02:11 +0100
-+
- nss (2:3.87.1-1+deb12u1) bookworm-security; urgency=medium
-
- * nss: fix CVE-2024-6602, CVE-2024-6609 and CVE-2024-0743
 diff '--color=auto' -ur a/debian/control b/debian/control
 --- a/debian/control 2022-05-31 22:30:45.000000000 +0100
 +++ b/debian/control 2025-08-14 16:47:27.639784242 +0100