diff --git a/.github/cache-bust b/.github/cache-bust
new file mode 100644
index 0000000..70cfb58
--- /dev/null
+++ b/.github/cache-bust
@@ -0,0 +1,4 @@
+# this file provides a manual way to clear out github actions caches. any change
+# to this file will cause all github action caches to miss. increment the number
+# below by 1 if you need to clear the caches.
+1
diff --git a/.github/workflows/updater-ci.yaml b/.github/workflows/updater-ci.yaml
new file mode 100644
index 0000000..d2a549a
--- /dev/null
+++ b/.github/workflows/updater-ci.yaml
@@ -0,0 +1,55 @@
+name: Updater CI
+on:
+ pull_request:
+ paths-ignore:
+ - '**.md'
+ branches: ['*']
+ push:
+ paths-ignore:
+ - '**.md'
+ branches: [develop]
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Cargo Home Cache
+ uses: actions/cache@v2
+ env:
+ cache-name: cargo-home
+ with:
+ path: /usr/share/rust/.cargo
+ key: ${{ hashFiles('.github/cache-bust', '/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('updater/Cargo.lock', 'integ/Cargo.lock') }}
+ restore-keys: |
+ ${{ hashFiles('.github/cache-bust', '/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('updater/Cargo.lock', 'integ/Cargo.lock') }}
+ ${{ hashFiles('.github/cache-bust', '/usr/share/rust/.cargo/bin/cargo') }}-
+
+ - name: Updater Build Cache
+ uses: actions/cache@v2
+ env:
+ cache-name: updater-target
+ with:
+ path: updater/target
+ key: ${{ hashFiles('.github/cache-bust') }}-${{ hashFiles('updater/Cargo.lock') }}
+ restore-keys: |
+ ${{ hashFiles('.github/cache-bust') }}-
+
+ - name: Integ Build Cache
+ uses: actions/cache@v2
+ env:
+ cache-name: integ-target
+ with:
+ path: integ/target
+ key: ${{ hashFiles('.github/cache-bust') }}-${{ hashFiles('integ/Cargo.lock') }}
+ restore-keys: |
+ ${{ hashFiles('.github/cache-bust') }}-
+
+ - run: rustup update stable && cargo install cargo-deny
+ - run: make ci
+
+ image:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: make image
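Review bot: Everything the new updater-ci.yaml workflow pulls in is referenced by a mutable name: `actions/checkout@v2` and `actions/cache@v2` are tags that can be moved, and `cargo install cargo-deny` in the build job takes whatever release and dependency set is current on crates.io at run time. Since the job runs on pull requests and gates licences, pin the actions to full commit SHAs and the tool to a known release, e.g. `- run: rustup update stable && cargo install --locked --version <PINNED_VERSION> cargo-deny`. The workflow also sets no `permissions:` key, so the token gets the repository default; a top-level `permissions:` with `contents: read` would make the read-only intent explicit. Separately, the cargo-home key passes `/usr/share/rust/.cargo/bin/cargo` to `hashFiles`, which as far as I know only hashes files inside the workspace, so a toolchain change would likely not bust that cache as intended.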
diff --git a/Makefile b/Makefile
index 6aa0ff9..6ac0ba5 100644
--- a/Makefile
+++ b/Makefile
@@ -21,3 +21,28 @@ image: fetch-sdk
 .PHONY: fetch-sdk
 fetch-sdk: # fetches and loads the image we use to build the updater docker image
 scripts/load-bottlerocket-sdk.sh --site ${BOTTLEROCKET_SDK_SITE} --image ${BUILDER_IMAGE}
+
+.PHONY: check-licenses
+check-licenses:
+ cd updater && cargo deny check licenses
+ cd integ && cargo deny check licenses
+
+.PHONY: unit-tests
+unit-tests:
+ cd updater && cargo test --locked
+ cd integ && cargo test --locked
+
+.PHONY: build
+build:
+ cd updater && cargo build --locked
+ cd integ && cargo build --locked
+
+.PHONY: lint
+lint:
+ cd updater && cargo fmt -- --check
+ cd updater && cargo clippy --locked -- -D warnings
+ cd integ && cargo fmt -- --check
+ cd integ && cargo clippy --locked -- -D warnings
+
+.PHONY: ci # these are all of the checks (except for image) that we run for ci
+ci: check-licenses lint build unit-tests
diff --git a/integ/deny.toml b/integ/deny.toml
new file mode 100644
index 0000000..076b573
--- /dev/null
+++ b/integ/deny.toml
@@ -0,0 +1,38 @@
+[licenses]
+unlicensed = "deny"
+
+# Deny licenses unless they are specifically listed here
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+
+# Licenses that are allowed but unused are commented out to silence warnings
+allow = [
+ "Apache-2.0",
+ #"BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSL-1.0",
+ #"CC0-1.0",
+ #"ISC",
+ "MIT",
+ # OpenSSL",
+ "Unlicense",
+ "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+ { path = "LICENSE", hash = 0x001c7e6c },
+]
diff --git a/updater/deny.toml b/updater/deny.toml
new file mode 100644
index 0000000..14ebcbf
--- /dev/null
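Review bot: The `check-licenses` target runs only `cargo deny check licenses`, so the `ci` target never consults the advisory database even though the workflow already installs cargo-deny. Consider a sibling target that runs `cd updater && cargo deny check advisories` and `cd integ && cargo deny check advisories`, added to the `ci:` prerequisites; the deny.toml files in this commit carry only a `[licenses]` section, so an `[advisories]` section would probably be wanted alongside it. The hunk opens inside the existing `fetch-sdk` rule, which is unchanged.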
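Review bot: In the `allow` list of integ/deny.toml the entry `# OpenSSL",` is a disabled licence with its opening quote missing; write it as `#"OpenSSL",` like the other commented-out entries so that uncommenting it later yields valid TOML. With `ISC` and `OpenSSL` disabled here, the `ring` clarification (`MIT AND ISC AND OpenSSL`) and the `webpki` one (`ISC`) would fail the check if either crate entered integ's dependency tree, so presumably they are unused in this crate; either drop them or add a comment saying they are kept in step with updater/deny.toml. A one-line comment above each `license-files` entry stating that `hash` is the checksum of that crate's LICENSE file and must be re-verified when the crate is upgraded would help the next maintainer, and the same applies to updater/deny.toml.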
+++ b/updater/deny.toml
@@ -0,0 +1,38 @@
+[licenses]
+unlicensed = "deny"
+
+# Deny licenses unless they are specifically listed here
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+
+# Licenses that are allowed but unused are commented out to silence warnings
+allow = [
+ "Apache-2.0",
+ #"BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSL-1.0",
+ #"CC0-1.0",
+ "ISC",
+ "MIT",
+ "OpenSSL",
+ "Unlicense",
+ "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+ { path = "LICENSE", hash = 0x001c7e6c },
+]