diff --git a/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go
index be58da09f..cc017cc08 100644
--- a/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go
+++ b/internal/federationdomain/resolvedprovider/resolvedgithub/resolved_github_provider_test.go
@@ -3,4 +3,51 @@
 
 package resolvedgithub
 
-// TODO: write some tests.
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
+	"go.pinniped.dev/internal/idtransform"
+	"go.pinniped.dev/internal/psession"
+	"go.pinniped.dev/internal/upstreamgithub"
+)
+
+type fakeTransformer struct{}
+
+func (a fakeTransformer) Evaluate(_ context.Context, _ string, _ []string) (*idtransform.TransformationResult, error) {
+	return &idtransform.TransformationResult{}, nil
+}
+func (a fakeTransformer) Source() interface{} { return nil }
+
+func TestFederationDomainResolvedGitHubIdentityProvider(t *testing.T) {
+	fake := fakeTransformer{}
+	transforms := idtransform.NewTransformationPipeline()
+	transforms.AppendTransformation(fake)
+	subject := FederationDomainResolvedGitHubIdentityProvider{
+		DisplayName: "fake-display-name",
+		Provider: upstreamgithub.New(upstreamgithub.ProviderConfig{
+			Name:        "fake-provider-config",
+			ResourceUID: "fake-resource-uid",
+		}),
+		SessionProviderType: psession.ProviderTypeGitHub,
+		Transforms:          transforms,
+	}
+
+	require.Equal(t, "fake-display-name", subject.GetDisplayName())
+	require.Equal(t, upstreamgithub.New(upstreamgithub.ProviderConfig{
+		Name:        "fake-provider-config",
+		ResourceUID: "fake-resource-uid",
+	}), subject.GetProvider())
+	require.Equal(t, psession.ProviderTypeGitHub, subject.GetSessionProviderType())
+	require.Equal(t, v1alpha1.IDPTypeGitHub, subject.GetIDPDiscoveryType())
+	require.Equal(t, []v1alpha1.IDPFlow{v1alpha1.IDPFlowBrowserAuthcode}, subject.GetIDPDiscoveryFlows())
+	require.Equal(t, transforms, subject.GetTransforms())
+	require.Equal(t, &psession.GitHubSessionData{}, subject.CloneIDPSpecificSessionDataFromSession(&psession.CustomSessionData{
+		Username:         "fake-username",
+		UpstreamUsername: "fake-upstream-username",
+		GitHub:           &psession.GitHubSessionData{},
+	}))
+}
diff --git a/internal/upstreamgithub/upstreamgithub_test.go b/internal/upstreamgithub/upstreamgithub_test.go
index c5a1cda99..d0160ea0b 100644
--- a/internal/upstreamgithub/upstreamgithub_test.go
+++ b/internal/upstreamgithub/upstreamgithub_test.go
@@ -3,4 +3,68 @@
 
 package upstreamgithub
 
-// TODO: as we flesh out the Provider & ProviderConfig add tests
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"
+	"k8s.io/apimachinery/pkg/types"
+
+	"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
+)
+
+func TestGitHubProvider(t *testing.T) {
+	subject := New(ProviderConfig{
+		Name:               "foo",
+		ResourceUID:        "resource-uid-12345",
+		Host:               "fake-host",
+		UsernameAttribute:  "fake-username-attribute",
+		GroupNameAttribute: "fake-group-name-attribute",
+		OAuth2Config: &oauth2.Config{
+			ClientID:     "fake-client-id",
+			ClientSecret: "fake-client-secret",
+		},
+		AllowedOrganizations:    []string{"fake-org", "fake-org2"},
+		OrganizationLoginPolicy: v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers,
+		AuthorizationURL:        "https://fake-authorization-url",
+		HttpClient: &http.Client{
+			Timeout: 1234509,
+		},
+	})
+
+	require.Equal(t, ProviderConfig{
+		Name:               "foo",
+		ResourceUID:        "resource-uid-12345",
+		Host:               "fake-host",
+		UsernameAttribute:  "fake-username-attribute",
+		GroupNameAttribute: "fake-group-name-attribute",
+		OAuth2Config: &oauth2.Config{
+			ClientID:     "fake-client-id",
+			ClientSecret: "fake-client-secret",
+		},
+		AllowedOrganizations:    []string{"fake-org", "fake-org2"},
+		OrganizationLoginPolicy: v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers,
+		AuthorizationURL:        "https://fake-authorization-url",
+		HttpClient: &http.Client{
+			Timeout: 1234509,
+		},
+	}, subject.GetConfig())
+
+	require.Equal(t, "foo", subject.GetName())
+	require.Equal(t, types.UID("resource-uid-12345"), subject.GetResourceUID())
+	require.Equal(t, "fake-client-id", subject.GetClientID())
+	require.Equal(t, &oauth2.Config{
+		ClientID:     "fake-client-id",
+		ClientSecret: "fake-client-secret",
+	}, subject.GetOAuth2Config())
+	require.Equal(t, "fake-host", subject.GetHost())
+	require.Equal(t, v1alpha1.GitHubUsernameAttribute("fake-username-attribute"), subject.GetUsernameAttribute())
+	require.Equal(t, v1alpha1.GitHubGroupNameAttribute("fake-group-name-attribute"), subject.GetGroupNameAttribute())
+	require.Equal(t, []string{"fake-org", "fake-org2"}, subject.GetAllowedOrganizations())
+	require.Equal(t, v1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers, subject.GetOrganizationLoginPolicy())
+	require.Equal(t, "https://fake-authorization-url", subject.GetAuthorizationURL())
+	require.Equal(t, &http.Client{
+		Timeout: 1234509,
+	}, subject.GetHttpClient())
+}