- The [security.txt](https://securitytxt.org/) is a standardized file to
help with reporting security vulnerabilities, by having the most essential
information served at `.well-known/security.txt`.
- Brand this file to point to the Forgejo security team.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1192
(cherry picked from commit 7ca1d0ec87)
(cherry picked from commit ba974b0161)
(cherry picked from commit 966fbcdcfd)
(cherry picked from commit 8b9efebc6e)
(cherry picked from commit 91b1c84c18)
(cherry picked from commit 30ade1ea0b)
(cherry picked from commit 15ec35014e)
(cherry picked from commit a5e8bb4a93)
(cherry picked from commit 273b03888f)
Replace #25892
Close #21942
Close #25464
Major changes:
1. Serve "robots.txt" and ".well-known/security.txt" in the "public"
custom path
* All files in "public/.well-known" can be served, just like
"public/assets"
3. Add a test for ".well-known/security.txt"
4. Simplify the "FileHandlerFunc" logic, now the paths are consistent so
the code can be simpler
5. Add CORS header for ".well-known" endpoints
6. Add logs to tell users they should move some of their legacy custom
public files
```
2023/07/19 13:00:37 cmd/web.go:178:serveInstalled() [E] Found legacy public asset "img" in CustomPath. Please move it to /work/gitea/custom/public/assets/img
2023/07/19 13:00:37 cmd/web.go:182:serveInstalled() [E] Found legacy public asset "robots.txt" in CustomPath. Please move it to /work/gitea/custom/public/robots.txt
```
This PR is not breaking.
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>