diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..a7bce3105
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.toml text eol=lf
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 77c85a4d2..0fa21ea0f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,8 @@ jobs:
   clippy:
     name: clippy
     runs-on: ubuntu-latest
+    env:
+      CARGO_HOME: ${{ github.workspace }}/.cache/cargo
     steps:
       - uses: actions/checkout@v4
         with:
@@ -36,15 +38,17 @@ jobs:
         run: rustup toolchain add stable --no-self-update --component clippy && rustup default stable
       - name: Get rust version
         id: rust-version
+        shell: bash
         run: |
           echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
       - name: Cache cargo index
         uses: actions/cache@v4
         with:
           path: |
-            ~/.cargo/registry/index
-            ~/.cargo/registry/cache
+            .cache/cargo/registry/index
+            .cache/cargo/registry/cache
           key: index-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.toml') }}
+          enableCrossOsArchive: true
       - name: Fetch dependencies
         run: cargo fetch
       - name: Cache target directory
@@ -188,15 +192,28 @@ jobs:
           os: windows-latest
           # CI's Windows doesn't have required root certs
           extra_test_args: --workspace --exclude tokio-boring --exclude hyper-boring
-
+    env:
+      CARGO_HOME: ${{ github.workspace }}/.cache/cargo
     steps:
     - uses: actions/checkout@v4
       with:
         submodules: 'recursive'
     - name: Install Rust (rustup)
-      run: rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
+      run: rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }} && rustup target add ${{ matrix.target }}
+      shell: bash
+    - name: Get rust version
+      id: rust-version
       shell: bash
-    - run: rustup target add ${{ matrix.target }}
+      run: |
+        echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
+    - name: Prepopulate cargo index
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          .cache/cargo/registry/index
+          .cache/cargo/registry/cache
+        key: index-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.toml') }}
+        enableCrossOsArchive: true
     - name: Install golang
       uses: actions/setup-go@v5
       with:
@@ -221,17 +238,6 @@ jobs:
     - name: Set Android Linker path
       if: endsWith(matrix.thing, '-android')
       run: echo "CARGO_TARGET_$(echo ${{ matrix.target }} | tr \\-a-z _A-Z)_LINKER=$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/$(echo ${{ matrix.target }} | sed s/armv7/armv7a/)21-clang++" >> "$GITHUB_ENV"
-    - name: Get rust version
-      id: rust-version
-      run: |
-        echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
-    - name: Prepopulate cargo index
-      uses: actions/cache/restore@v4
-      with:
-        path: |
-          ~/.cargo/registry/index
-          ~/.cargo/registry/cache
-        key: index-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.toml') }}
     - name: Build tests
       # We `build` because we want the linker to verify we are cross-compiling correctly for check-only targets.
       run: cargo build --target ${{ matrix.target }} --tests ${{ matrix.extra_test_args }}
@@ -253,7 +259,7 @@ jobs:
       #
       # Both of these may no longer be the case after updating the BoringSSL
       # submodules to a new revision, so it's important to test this on CI.
-      run: cargo publish --dry-run -p boring-sys
+      run: cargo publish --dry-run --target ${{ matrix.target }} -p boring-sys
 
   test-fips:
     name: Test FIPS integration
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index 798d5984b..18d8d0ebd 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -679,6 +679,7 @@ fn generate_bindings(config: &Config) {
         "curve25519.h",
         "des.h",
         "dtls1.h",
+        "err.h",
         "hkdf.h",
         "hpke.h",
         "hmac.h",
@@ -709,7 +710,13 @@ fn generate_bindings(config: &Config) {
         .write(Box::new(&mut source_code))
         .expect("Couldn't serialize bindings!");
     ensure_err_lib_enum_is_named(&mut source_code);
-    fs::write(config.out_dir.join("bindings.rs"), source_code).expect("Couldn't write bindings!");
+    fs::write(config.out_dir.join("bindings.rs"), &source_code).expect("Couldn't write bindings!");
+    assert!(
+        std::str::from_utf8(&source_code)
+            .unwrap()
+            .contains("ERR_set_error_data"),
+        "includes lack definition of ERR_set_error_data: {include_path:?}"
+    );
 }
 
 /// err.h has anonymous `enum { ERR_LIB_NONE = 1 }`, which makes a dodgy `_bindgen_ty_1` name