diff --git a/.github/workflows/updater-ci.yaml b/.github/workflows/updater-ci.yaml
new file mode 100644
index 0000000..b2e5745
--- /dev/null
+++ b/.github/workflows/updater-ci.yaml
@@ -0,0 +1,55 @@
+name: Updater CI
+on:
+  pull_request:
+    branches: [*]
+  push:
+    branches: [develop]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Cargo Home Cache
+        uses: actions/cache@v2
+        env:
+          cache-name: cargo-home
+        with:
+          path: /usr/share/rust/.cargo
+          key: ${{ runner.os }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo-deny') }}-${{ hashFiles('Makefile') }}-${{ hashFiles('updater/Cargo.lock') }}-${{ hashFiles('integ/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo-deny') }}-${{ hashFiles('Makefile') }}-${{ hashFiles('updater/Cargo.lock') }}-
+            ${{ runner.os }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo-deny') }}-${{ hashFiles('Makefile') }}-
+            ${{ runner.os }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo-deny') }}-
+            ${{ runner.os }}-${{ hashFiles('/usr/share/rust/.cargo/bin/cargo') }}-
+
+      - name: Updater Build Cache
+        uses: actions/cache@v2
+        env:
+          cache-name: updater-target
+        with:
+          path: updater/target
+          key: ${{ runner.os }}-${{ hashFiles('updater/Cargo.toml') }}-${{ hashFiles('updater/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ hashFiles('updater/Cargo.toml') }}-
+            ${{ runner.os }}-
+
+      - name: Integ Build Cache
+        uses: actions/cache@v2
+        env:
+          cache-name: integ-target
+        with:
+          path: integ/target
+          key: ${{ runner.os }}-${{ hashFiles('integ/Cargo.toml') }}-${{ hashFiles('integ/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ hashFiles('integ/Cargo.toml') }}-
+            ${{ runner.os }}-
+
+      - run: rustup update stable && cargo install cargo-deny
+      - run: make ci
+
+  image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: make image
diff --git a/Makefile b/Makefile
index 4f7d681..1744bfb 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ image: fetch-sdk
 
 .PHONY: fetch-sdk
 fetch-sdk: # fetches and loads the image we use to build the updater docker image
-	set -eou pipefail; \
+	set -eou; \
 	if ! docker image inspect ${BUILDER_IMAGE} >/dev/null 2>&1; then \
 	  if ! curl --fail --show-error https://${BOTTLEROCKET_SDK_SITE}/${BUILDER_IMAGE}.tar.gz \
 		| gunzip | docker load; then \
@@ -35,3 +35,23 @@ fetch-sdk: # fetches and loads the image we use to build the updater docker imag
 check-licenses:
 	cd updater && cargo deny check licenses
 	cd integ && cargo deny check licenses
+
+.PHONY: unit-tests
+unit-tests:
+	cd updater && cargo test --locked
+	cd integ && cargo test --locked
+
+.PHONY: build
+build:
+	cd updater && cargo build --locked
+	cd integ && cargo build --locked
+
+.PHONY: lint
+lint:
+	cd updater && cargo fmt -- --check
+	cd updater && cargo clippy --locked -- -D warnings
+	cd integ && cargo fmt -- --check
+	cd integ && cargo clippy --locked -- -D warnings
+
+.PHONY: ci # these are all of the checks (except for image) that we run for ci
+ci: check-licenses lint build unit-tests