Let's switch to zip (#18)

* Add imagemagick to CI dependencies

Lektor requires imagemagick for image processing during build.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add encrypted fonts for CI deployment

Fonts are copyrighted and excluded from git, so they were missing
from CI builds. This adds an encrypted archive that gets decrypted
at build time using a FONTS_PASSPHRASE secret.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix font decryption by passing passphrase via env variable

Using -pass pass:... with inline secret interpolation caused shell
escaping issues in CI. Using -pass env:... is the recommended
approach for secrets in GitHub Actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* vscode settings

* Switch from openssl to password-protected zip for font encryption

openssl enc had version incompatibilities between macOS and Ubuntu CI.
zip -e is simpler and universally available.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: roberto-arista

.github/workflows/deploy.yml

@@ -23,9 +23,7 @@ jobs:
       - run: uv sync
 
       - name: Decrypt fonts
-        env:
-          FONTS_PASSPHRASE: ${{ secrets.FONTS_PASSPHRASE }}
-        run: openssl enc -aes-256-cbc -pbkdf2 -d -in assets/static/fonts.tar.gz.enc -pass env:FONTS_PASSPHRASE | tar xzf - -C assets/static
+        run: unzip -P '${{ secrets.FONTS_PASSPHRASE }}' assets/static/fonts.zip -d assets/static
 
       - run: uv run lektor build --output-path build