That alone won't prevent renewal. A redirect to HTTPS on port 443 will be followed by the Let's Encrypt auth server. As long as your server is prepared to handle it arriving on port 443, it will work. Maybe that is something unique to GitHub Pages (idk), but it is not a general restriction. See the LE redirect support here: Challenge Types - Let's Encrypt
Aside from that, Page Rules are one option, but this is another from a frequent contributor at the Cloudflare Community. Actually, MVP there 2023-25.
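
The redirect behaviour mentioned above can be checked offline before a renewal. This is an added example, not part of the original post: it tests a redirect chain against the limits Let's Encrypt documents for HTTP-01 (at most 10 redirects, only `http:`/`https:`, only ports 80 or 443, no IP-address targets). The function name and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                       # documented HTTP-01 redirect depth
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443}


def _is_ip_literal(host):
    """True when the redirect target host is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_redirect_chain(chain):
    """chain[0] is the initial validation URL, the rest are the Location
    targets in the order they are returned. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    first = urlsplit(chain[0])
    first_port = first.port if first.port is not None else 80
    if first.scheme != "http" or first_port != 80:
        return False, "HTTP-01 validation starts over http on port 80"
    if len(chain) - 1 > MAX_REDIRECTS:
        return False, "more than 10 redirects"
    for hop in chain[1:]:
        url = urlsplit(hop)
        if url.scheme not in DEFAULT_PORTS:
            return False, f"scheme not allowed: {hop}"
        try:
            port = url.port if url.port is not None else DEFAULT_PORTS[url.scheme]
        except ValueError:               # non-numeric or out-of-range port
            return False, f"invalid port: {hop}"
        if port not in ALLOWED_PORTS:
            return False, f"port not allowed: {hop}"
        if not url.hostname or _is_ip_literal(url.hostname):
            return False, f"missing host or IP-address target: {hop}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: plain HTTP request redirected to HTTPS on 443.
    token_path = "/.well-known/acme-challenge/SAMPLE_TOKEN"
    print(check_redirect_chain(["http://example.com" + token_path,
                                "https://example.com" + token_path]))
```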