diff --git a/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl b/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
index ea0550904..ed1836768 100644
--- a/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
+++ b/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.21/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.21/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.21/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.21/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.22/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.22/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.22/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.22/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.23/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.23/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.23/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.23/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.24/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.24/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.24/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.24/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.25/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.25/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.25/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.25/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.26/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.26/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.26/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.26/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.27/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.27/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.27/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.27/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.28/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.28/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.28/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.28/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/1.29/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.29/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/1.29/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/1.29/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/generated/latest/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/latest/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
index ea0550904..ed1836768 100644
--- a/generated/latest/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
+++ b/generated/latest/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -16,6 +16,7 @@ const (
 IDPTypeLDAP IDPType = "ldap"
 IDPTypeActiveDirectory IDPType = "activedirectory"
+ IDPTypeGitHub IDPType = "github"
 IDPFlowCLIPassword IDPFlow = "cli_password"
 IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
 )
diff --git a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
index 358d57921..1c0e398aa 100644
--- a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
+++ b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
@@ -11,6 +11,7 @@ import (
 "go.pinniped.dev/internal/federationdomain/idplister"
 "go.pinniped.dev/internal/federationdomain/resolvedprovider"
+ "go.pinniped.dev/internal/federationdomain/resolvedprovider/resolvedgithub"
 "go.pinniped.dev/internal/federationdomain/resolvedprovider/resolvedldap"
 "go.pinniped.dev/internal/federationdomain/resolvedprovider/resolvedoidc"
 "go.pinniped.dev/internal/idtransform"
@@ -144,6 +145,7 @@ func (u *FederationDomainIdentityProvidersListerFinder) GetIdentityProviders() [
 cachedOIDCProviders := u.wrappedLister.GetOIDCIdentityProviders()
 cachedLDAPProviders := u.wrappedLister.GetLDAPIdentityProviders()
 cachedADProviders := u.wrappedLister.GetActiveDirectoryIdentityProviders()
+ cachedGitHubProviders := u.wrappedLister.GetGitHubIdentityProviders()
 providers := []resolvedprovider.FederationDomainResolvedIdentityProvider{}
 // Every configured identityProvider on the FederationDomain uses an objetRef to an underlying IDP CR that might
 // be available as a provider in the wrapped cache. For each configured identityProvider/displayName...
@@ -184,6 +186,13 @@ func (u *FederationDomainIdentityProvidersListerFinder) GetIdentityProviders() [
 })
 }
 }
+ for _, p := range cachedGitHubProviders {
+ if idp.UID == p.GetResourceUID() {
+ providers = append(providers, &resolvedgithub.FederationDomainResolvedGitHubIdentityProvider{
+ // TODO: fill this out.
+ })
+ }
+ }
 }
 return providers
 }
diff --git a/internal/federationdomain/idplister/upstream_idp_lister.go b/internal/federationdomain/idplister/upstream_idp_lister.go
index 38b5e27eb..0084b472c 100644
--- a/internal/federationdomain/idplister/upstream_idp_lister.go
+++ b/internal/federationdomain/idplister/upstream_idp_lister.go
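Review bot: The new GitHub branch in the `@@ -184` hunk appends a `FederationDomainResolvedGitHubIdentityProvider{}` with every field left at its zero value, so a FederationDomain that references a GitHub IDP now returns a provider whose GetProvider() and GetTransforms() yield nil, while the OIDC/LDAP/AD branches above (outside the hunk) evidently populate those fields from `idp` and `p`. Until the TODO is filled in, either set `DisplayName`, `Provider: p`, `SessionProviderType` and `Transforms` the same way the sibling branches do, or leave the append out so a half-initialized provider cannot be selected at login time. GetIdentityProviders begins before the hunk, so the exact field sources used by the sibling branches are not visible here.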
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package idplister
@@ -19,8 +19,13 @@ type UpstreamActiveDirectoryIdentityProviderLister interface {
 GetActiveDirectoryIdentityProviders() []upstreamprovider.UpstreamLDAPIdentityProviderI
 }
+type UpstreamGitHubIdentityProviderLister interface {
+ GetGitHubIdentityProviders() []upstreamprovider.UpstreamGithubIdentityProviderI
+}
+
 type UpstreamIdentityProvidersLister interface {
 UpstreamOIDCIdentityProvidersLister
 UpstreamLDAPIdentityProvidersLister
 UpstreamActiveDirectoryIdentityProviderLister
+ UpstreamGitHubIdentityProviderLister
 }
diff --git a/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go
new file mode 100644
index 000000000..673af6578
--- /dev/null
+++ b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider.go
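Review bot: The new exported UpstreamGitHubIdentityProviderLister interface has no doc comment, and its "GitHub" casing disagrees with the "Github" in the `upstreamprovider.UpstreamGithubIdentityProviderI` type it returns; the OIDC and LDAP siblings are also pluralized (`UpstreamOIDCIdentityProvidersLister`), so one spelling and one plural form should be settled before more callers depend on the name. Suggested comment above the type: `// UpstreamGitHubIdentityProviderLister lists the GitHub upstream identity providers that are currently available.`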
@@ -0,0 +1,94 @@
+package resolvedgithub
+
+import (
+ "context"
+
+ "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
+ "go.pinniped.dev/internal/federationdomain/resolvedprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
+ "go.pinniped.dev/internal/idtransform"
+ "go.pinniped.dev/internal/psession"
+ "go.pinniped.dev/pkg/oidcclient/nonce"
+ "go.pinniped.dev/pkg/oidcclient/pkce"
+)
+
+// FederationDomainResolvedGitHubIdentityProvider respresents a FederationDomainIdentityProvider which has
+// been resolved dynamically based on the currently loaded IDP CRs to include the provider.UpstreamGitHubIdentityProviderI
+// and other metadata about the provider.
+type FederationDomainResolvedGitHubIdentityProvider struct {
+ DisplayName string
+ Provider upstreamprovider.UpstreamGithubIdentityProviderI
+ SessionProviderType psession.ProviderType
+ Transforms *idtransform.TransformationPipeline
+}
+
+var _ resolvedprovider.FederationDomainResolvedIdentityProvider = (*FederationDomainResolvedGitHubIdentityProvider)(nil)
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) GetDisplayName() string {
+ return p.DisplayName
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) GetProvider() upstreamprovider.UpstreamIdentityProviderI {
+ return p.Provider
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) GetSessionProviderType() psession.ProviderType {
+ return p.SessionProviderType
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) GetIDPDiscoveryType() v1alpha1.IDPType {
+ return v1alpha1.IDPTypeGitHub
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) GetIDPDiscoveryFlows() []v1alpha1.IDPFlow {
+ // TODO: implement
+ return []v1alpha1.IDPFlow{}
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) GetTransforms() *idtransform.TransformationPipeline {
+ return p.Transforms
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) CloneIDPSpecificSessionDataFromSession(session *psession.CustomSessionData) interface{} {
+ if session.GitHub == nil {
+ return nil
+ }
+ return session.GitHub.Clone()
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) ApplyIDPSpecificSessionDataToSession(session *psession.CustomSessionData, idpSpecificSessionData interface{}) {
+ session.GitHub = idpSpecificSessionData.(*psession.GitHubSessionData)
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) UpstreamAuthorizeRedirectURL(state *resolvedprovider.UpstreamAuthorizeRequestState, downstreamIssuerURL string) (string, error) {
+ // TODO: implement
+ return "", nil
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) Login(
+ ctx context.Context,
+ submittedUsername string,
+ submittedPassword string,
+) (*resolvedprovider.Identity, *resolvedprovider.IdentityLoginExtras, error) {
+ // TODO: implement
+ return nil, nil, nil
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) LoginFromCallback(
+ ctx context.Context,
+ authCode string,
+ pkce pkce.Code,
+ nonce nonce.Nonce,
+ redirectURI string,
+) (*resolvedprovider.Identity, *resolvedprovider.IdentityLoginExtras, error) {
+ // TODO: implement
+ return nil, nil, nil
+}
+
+func (p *FederationDomainResolvedGitHubIdentityProvider) UpstreamRefresh(
+ ctx context.Context,
+ identity *resolvedprovider.Identity,
+) (refreshedIdentity *resolvedprovider.RefreshedIdentity, err error) {
+ // TODO: implement
+ return nil, nil
+}
diff --git a/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go
new file mode 100644
index 000000000..c36c1bea7
--- /dev/null
+++ b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go
@@ -0,0 +1 @@
+package resolvedgithub
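Review bot: Login, LoginFromCallback, UpstreamRefresh and UpstreamAuthorizeRedirectURL are stubbed to return a nil error next to nil results, which a caller that checks only `err` will read as a successful login that produced no identity, and the same commit wires this type into GetIdentityProviders, so the stubs are reachable. Until they are implemented, fail explicitly instead: `return nil, nil, errors.New("github identity provider is not yet implemented")` in the three login/refresh methods and `return "", errors.New("github identity provider is not yet implemented")` in UpstreamAuthorizeRedirectURL, with `"errors"` added to the import block. ApplyIDPSpecificSessionDataToSession also performs an unchecked type assertion on idpSpecificSessionData, so handing it the untyped nil that CloneIDPSpecificSessionDataFromSession returns for a session without GitHub data will panic; a comma-ok assertion that leaves session.GitHub nil is safer unless the sibling providers deliberately rely on that panic. Finally, the file lacks the copyright/SPDX header every other file in this diff carries, and the type comment misspells "represents" and names `provider.UpstreamGitHubIdentityProviderI` where the field is actually `upstreamprovider.UpstreamGithubIdentityProviderI`.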
diff --git a/internal/psession/pinniped_session.go b/internal/psession/pinniped_session.go
index 63f5ebe79..e27b489b0 100644
--- a/internal/psession/pinniped_session.go
+++ b/internal/psession/pinniped_session.go
@@ -74,6 +74,9 @@ type CustomSessionData struct {
 // Only used when ProviderType == "activedirectory".
 ActiveDirectory *ActiveDirectorySessionData `json:"activedirectory,omitempty"`
+
+ // Only used when ProviderType == "github".
+ GitHub *GitHubSessionData `json:"github,omitempty"`
 }
 type ProviderType string
@@ -140,6 +143,15 @@ func (s *ActiveDirectorySessionData) Clone() *ActiveDirectorySessionData {
 }
 }
+type GitHubSessionData struct {
+ // TODO: flesh this out
+}
+
+func (s *GitHubSessionData) Clone() *GitHubSessionData {
+ dataCopy := *s // this shortcut works because all fields in this type are currently strings (no pointers)
+ return &dataCopy
+}
+
 // NewPinnipedSession returns a new empty session.
 func NewPinnipedSession() *PinnipedSession {
 return &PinnipedSession{
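Review bot: The comment on `dataCopy := *s` in GitHubSessionData.Clone justifies the shallow copy by saying all fields are strings, but the struct has no fields yet, so the justification is inherited from a sibling rather than true of this type and is easy to leave stale when the TODO is filled. Suggest replacing the struct's TODO with `// TODO: flesh this out. Clone() copies this struct by value; any pointer, slice or map field added here needs a deep copy there.` so the invariant travels with the type. The json tags suggest CustomSessionData is serialized and stored, so whatever upstream credential material ends up in this struct should be limited to what UpstreamRefresh actually needs. The CustomSessionData hunk above it needs no change.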