diff --git a/pkg/build/pipelines/fetch.yaml b/pkg/build/pipelines/fetch.yaml
index 925c32c7c..0d53535e5 100644
--- a/pkg/build/pipelines/fetch.yaml
+++ b/pkg/build/pipelines/fetch.yaml
@@ -71,53 +71,59 @@ inputs:
 
 pipeline:
   - runs: |
-      if [ "${{inputs.expected-sha256}}" == "" ] && [ "${{inputs.expected-sha512}}" == "" ] && [ "${{inputs.expected-none}}" == "" ]; then
+      MELANGE_CACHE_DIR="/var/cache/melange"
+      FETCH_CACHE_DIR="${MELANGE_CACHE_DIR}/fetch"
+
+      if [ -n "${{inputs.expected-sha512}}" ]; then
+        hashsize=512
+        expected="${{inputs.expected-sha512}}"
+      elif [ -n "${{inputs.expected-sha256}}" ]; then
+        hashsize=256
+        expected="${{inputs.expected-sha256}}"
+      elif [ -z "${{inputs.expected-none}}" ]; then
         printf "One of expected-sha256 or expected-sha512 is required"
         exit 1
+      else
+        hashsize=""
       fi
 
-      bn=$(basename ${{inputs.uri}})
+      bn="$(basename "${{inputs.uri}}")"
 
-      if [ ! "${{inputs.expected-sha256}}" == "" ]; then
-        fn="/var/cache/melange/sha256:${{inputs.expected-sha256}}"
-        if [ -f $fn ]; then
-          printf "fetch: found $fn in cache\n"
-          cp $fn $bn
-        fi
-      else
-        fn="/var/cache/melange/sha512:${{inputs.expected-sha512}}"
-        if [ -f $fn ]; then
-          printf "fetch: found $fn in cache\n"
-          cp $fn $bn
+      fn=""
+      if [ -n "$hashsize" ]; then
+        fn="${FETCH_CACHE_DIR}/sha${hashsize}:${expected}"
+        if [ -f "$fn" ]; then
+          printf "fetch: found %s in cache\n" "${fn}"
+          cp "${fn}" "${bn}"
         fi
       fi
 
-      if [ ! -f $bn ]; then
+      if [ ! -f "${bn}" ]; then
         wget '-T${{inputs.timeout}}' '--dns-timeout=${{inputs.dns-timeout}}' '--tries=${{inputs.retry-limit}}' --random-wait --retry-connrefused --continue '${{inputs.uri}}'
       fi
 
-      if [ "${{inputs.expected-none}}" != "" ]; then
-        printf "fetch: Checksum validation skipped\n"
-      elif [ "${{inputs.expected-sha256}}" != "" ]; then
-        printf "fetch: Expected sha256: ${{inputs.expected-sha256}}\n"
-        sum=$(sha256sum $bn | awk '{print $1}')
-        if [ "${{inputs.expected-sha256}}" != "$sum" ]; then
-          printf "fetch: Expected sha256 does not match found: $sum\n"
+      if [ -n "$hashsize" ]; then
+        printf "fetch: Expected sha%s: %s\n" "${hashsize}" "${expected}"
+        sum="$(sha${hashsize}sum "${bn}" | awk '{print $1}')"
+        if [ "${expected}" != "${sum}" ]; then
+          printf "fetch: Expected sha%s does not match found: %s\n" "${hashsize}" "${sum}"
           exit 1
         fi
-      else
-        printf "fetch: Expected sha512: ${{inputs.expected-sha512}}\n"
-        sum=$(sha512sum $bn | awk '{print $1}')
-        if [ "${{inputs.expected-sha512}}" != "$sum" ]; then
-          printf "fetch: Expected sha512 does not match found: $sum\n"
-          exit 1
+        if [ -d "${MELANGE_CACHE_DIR}" ]; then
+          printf "fetch: Caching %s in %s\n" "${bn}" "${fn}"
+          mkdir -p "${FETCH_CACHE_DIR}"
+          cp "${bn}" "${fn}" || { rm -f "${fn}"; printf "fetch: Caching failed\n"; }
+        else
+          printf "fetch: %s not available, will not cache %s\n" "${MELANGE_CACHE_DIR}" "${bn}"
         fi
+      else
+        printf "fetch: Checksum validation skipped\n"
       fi
 
       if [ "${{inputs.extract}}" = "true" ]; then
-        tar -x '--strip-components=${{inputs.strip-components}}' --no-same-owner -C '${{inputs.directory}}' -f $bn
+        tar -x '--strip-components=${{inputs.strip-components}}' --no-same-owner -C '${{inputs.directory}}' -f "${bn}"
       fi
 
       if [ "${{inputs.delete}}" = "true" ]; then
-        rm $bn
+        rm "${bn}"
       fi