I've got a documentation website populated from the Github master branch for my documentation project.

I'd like https://mydomain/.well-known/security.txt to serve the file under tree/master/.well-known/security.txt per securitytxt.org which says

security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.

For websites, the security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC5785]. It can also be placed in the root directory (/security.txt) of a website, especially if the /.well-known/ directory cannot be used for technical reasons, or simply as a fallback.

The problem I'm seeing is that .well-known seems to be ignored by Github pages presumably because it's a hidden file per POSIX file conventions. Is this configurable?

I could use the fallback quoted above, but I'd rather follow the RFC5785 if possible.

For reference, the project I'm currently concerned about is https://github.com/temper-lang/docs and I expect the security.txt to show up at https://temperlang.dev/.well-known/security.txt but get a 404.

Below is a screenshot of my Github pages config:

It may not be a solution for you if your site is using Jekyll, but in my case I was able to enable serving of files beginning with a dot by creating a .nojekyll file in the root of the Github pages repository.

I found this by doing a few more searches on Stackoverflow. Credit to this answer.