Fix env password for fonts decryption (#17)

* Add imagemagick to CI dependencies

Lektor requires imagemagick for image processing during build.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add encrypted fonts for CI deployment

Fonts are copyrighted and excluded from git, so they were missing
from CI builds. This adds an encrypted archive that gets decrypted
at build time using a FONTS_PASSPHRASE secret.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix font decryption by passing passphrase via env variable

Using -pass pass:... with inline secret interpolation caused shell
escaping issues in CI. Using -pass env:... is the recommended
approach for secrets in GitHub Actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* vscode settings

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: roberto-arista

.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git push:*)",
+      "Bash(cd:*)",
+      "Bash(git check-ignore:*)"
+    ]
+  }
+}

.github/workflows/deploy.yml

@@ -23,7 +23,9 @@ jobs:
       - run: uv sync
 
       - name: Decrypt fonts
-        run: openssl enc -aes-256-cbc -pbkdf2 -d -in assets/static/fonts.tar.gz.enc -pass pass:'${{ secrets.FONTS_PASSPHRASE }}' | tar xzf - -C assets/static
+        env:
+          FONTS_PASSPHRASE: ${{ secrets.FONTS_PASSPHRASE }}
+        run: openssl enc -aes-256-cbc -pbkdf2 -d -in assets/static/fonts.tar.gz.enc -pass env:FONTS_PASSPHRASE | tar xzf - -C assets/static
 
       - run: uv run lektor build --output-path build