This is a simple subdomain whitelist so both scripts should load.
These pages include a whitelist.js and a blacklist.js. Mosts test will attempt to load the whitelist, and block the blacklist. See code reference below to see what is actually being used.
Test page for CSP script-src wildcard subdomain
<meta
http-equiv="Content-Security-Policy"
content="script-src 'self' *.github.io">