Add Vietnamese

[RosaWagner]

Here is the specimen and diff with previous version:

260210_Diff.zip
260210_Specimen.zip

[zalando-compr-opensource]

invalid team ID

The team ID in your .zappr.yaml file (in the default branch) does not appear
to be valid. Please, fix this before team ID checks will be added back into
ComPR's specification check.

(If this PR is already fixing this, ignore the warning. But preferably fix it
in a PR separate from other changes, as the merge build from this PR will
not give a compliant image.)

You can follow this guideline for help.

[zalando-compr-opensource]

invalid team ID

The team ID in your .zappr.yaml file (in the default branch) does not appear
to be valid. Please, fix this before team ID checks will be added back into
ComPR's specification check.

(If this PR is already fixing this, ignore the warning. But preferably fix it
in a PR separate from other changes, as the merge build from this PR will
not give a compliant image.)

You can follow this guideline for help.

[Copilot]

Pull request overview

This PR updates the Zalando Sans build outputs and project tooling/config as part of the “Add Vietnamese” update, including a version bump, dependency lockfile generation, and CI/build pipeline tweaks.

Changes:

• Bump font version to 1.800 and add updated compiled TTF asset(s).
• Replace the placeholder requirements.txt with a fully pinned, pip-compiled lockfile.
• Update customization script and CI workflow behavior (URL/badge handling, pushing, triggers/permissions, artifact naming).

Reviewed changes

Copilot reviewed 4 out of 175 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
sources/config.yaml	Bumps the project version to 1.800.
scripts/customize.py	Removes raw_url usage, updates badge URL replacement logic, and re-enables git push after customization.
requirements.txt	Replaces placeholder with a fully pinned dependency lockfile generated by pip-compile.
fonts/ttf/ZalandoSans-CondensedExtraLight.ttf	Adds/updates a built TTF binary artifact (version shows 1.800).
Makefile	Adds fontspector badge generation output and minor comment formatting changes.
.github/workflows/build.yaml	Expands triggers, changes tool/action setup, adjusts artifact naming, and updates release packaging steps.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

git status --porcelain can return statuses other than staged modifications (M ), e.g. newly added files (A ) or untracked files (??). With the current any(line.startswith("M ") ...) check, the script can incorrectly print "Nothing changed" and skip committing/pushing even though there are changes staged by this script. Consider checking for any non-empty porcelain output (or explicitly handling A / ?? / D ) instead of only M .

[Copilot]

Automatically pushing to origin as part of make customize is risky/unexpected (it may fail without credentials, and it removes the user’s chance to review the changes before publishing). Consider prompting the user, making the push opt-in via a flag/env var, or leaving push to a separate explicit step.

[Copilot]

permissions: write-all grants this workflow broad write access to the repository and other resources. This is significantly more privilege than is required for building/testing and uploading artifacts, and it increases the blast radius if any step/action is compromised. Prefer the principle of least privilege (e.g. default contents: read, and only add pages: write / id-token: write in the specific job/step that needs it).

Suggested change

	permissions: write-all
	permissions:
	contents: read

[Copilot]

CI installs Python 3.11 here, but requirements.txt is generated with Python 3.13 (per its header). If the lockfile includes Python-version-specific resolution, the environment created in CI may diverge from what was locked. Consider aligning the CI Python version with the version used for pip-compile, or regenerating the lock with 3.11 to match CI.

[RosaWagner]

The build is working locally, no idea why it doesn't work here through the github action