feat(deploy): commit-status reporting to Git providers

Report deploy status back to the Git provider as a commit status
(pending/success/failure) for git-sourced workloads (static + dockerfile).

- GitProvider.SetCommitStatus on gitea/github/gitlab over the existing
  SSRF-safe client; fixed "tinyforge" context so redeploys update one row.
  postJSON returns status-code-only errors (never echoes the upstream body,
  which a hostile provider could use to reflect the auth token into the
  best-effort log line).
- Best-effort deploy hook: pending on deploy start, success/failure on
  outcome, gated on a per-workload report_commit_status flag. Never fails or
  blocks a deploy; emits nothing on the unchanged-SHA short-circuit.
- UI ToggleSwitch (create + edit) + reportCommitStatus in sourceForms.ts
  + en/ru i18n.
- Tests: per-provider state mapping + request shape; reporter gating
  (enabled/disabled/empty-SHA/nil/error-swallow).

Reviewed via go-reviewer + security-reviewer (0 CRITICAL/HIGH; one MEDIUM
body-echo log-leak fixed).

internal/workload/plugin/source/dockerfile/commit_status_test.go

@@ -0,0 +1,125 @@
+package dockerfile
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/alexei/tinyforge/internal/staticsite"
+	"github.com/alexei/tinyforge/internal/workload/plugin"
+)
+
+// fakeProvider is a stub staticsite.GitProvider that records SetCommitStatus
+// calls. Unused interface methods panic so a mis-wired test is loud.
+type fakeProvider struct {
+	calls   []statusCall
+	failErr error
+}
+
+type statusCall struct {
+	owner, repo, sha string
+	status           staticsite.CommitStatus
+	targetURL, descr string
+}
+
+func (f *fakeProvider) SetCommitStatus(_ context.Context, owner, repo, sha string, status staticsite.CommitStatus, targetURL, description string) error {
+	f.calls = append(f.calls, statusCall{owner, repo, sha, status, targetURL, description})
+	return f.failErr
+}
+
+func (*fakeProvider) Name() string                                     { return "fake" }
+func (*fakeProvider) TestConnection(context.Context, string, string) error { panic("unused") }
+func (*fakeProvider) ListRepos(context.Context, string) ([]staticsite.RepoInfo, error) {
+	panic("unused")
+}
+func (*fakeProvider) ListBranches(context.Context, string, string) ([]string, error) {
+	panic("unused")
+}
+func (*fakeProvider) GetLatestCommitSHA(context.Context, string, string, string) (string, error) {
+	panic("unused")
+}
+func (*fakeProvider) ListTree(context.Context, string, string, string) ([]staticsite.FolderEntry, error) {
+	panic("unused")
+}
+func (*fakeProvider) DownloadFolder(context.Context, string, string, string, string, string) error {
+	panic("unused")
+}
+
+func sampleCfg() Config {
+	return Config{RepoOwner: "owner", RepoName: "svc", Branch: "main", Port: 8080}
+}
+
+// Enabled: forwards to the provider with the captured identifiers + target.
+func TestReporter_Enabled_Calls(t *testing.T) {
+	fp := &fakeProvider{}
+	cfg := sampleCfg()
+	cfg.ReportCommitStatus = true
+	r := newCommitStatusReporter(fp, cfg, "deadbeef", statusTargetURL("svc.example.com"))
+
+	w := plugin.Workload{Name: "svc"}
+	r.report(context.Background(), w, staticsite.CommitStatusPending, "Tinyforge: deploying")
+	r.report(context.Background(), w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+
+	if len(fp.calls) != 2 {
+		t.Fatalf("calls = %d, want 2", len(fp.calls))
+	}
+	c := fp.calls[0]
+	if c.owner != "owner" || c.repo != "svc" || c.sha != "deadbeef" {
+		t.Errorf("identifiers wrong: %+v", c)
+	}
+	if c.targetURL != "https://svc.example.com" {
+		t.Errorf("targetURL = %q", c.targetURL)
+	}
+	if fp.calls[1].status != staticsite.CommitStatusSuccess {
+		t.Errorf("second status = %q, want success", fp.calls[1].status)
+	}
+}
+
+// Disabled: inert.
+func TestReporter_Disabled_NoCalls(t *testing.T) {
+	fp := &fakeProvider{}
+	cfg := sampleCfg() // ReportCommitStatus false
+	r := newCommitStatusReporter(fp, cfg, "deadbeef", "")
+	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusFailure, "x")
+	if len(fp.calls) != 0 {
+		t.Fatalf("expected no calls when disabled, got %d", len(fp.calls))
+	}
+}
+
+// Empty SHA: no call even when enabled.
+func TestReporter_EmptySHA_NoCalls(t *testing.T) {
+	fp := &fakeProvider{}
+	cfg := sampleCfg()
+	cfg.ReportCommitStatus = true
+	r := newCommitStatusReporter(fp, cfg, "", "")
+	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusPending, "x")
+	if len(fp.calls) != 0 {
+		t.Fatalf("expected no calls with empty SHA, got %d", len(fp.calls))
+	}
+}
+
+// Provider error is swallowed (best-effort).
+func TestReporter_ProviderError_Swallowed(t *testing.T) {
+	fp := &fakeProvider{failErr: errors.New("boom")}
+	cfg := sampleCfg()
+	cfg.ReportCommitStatus = true
+	r := newCommitStatusReporter(fp, cfg, "deadbeef", "")
+	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusFailure, "Tinyforge: build failed")
+	if len(fp.calls) != 1 {
+		t.Fatalf("expected the failing call to still be recorded, got %d", len(fp.calls))
+	}
+}
+
+func TestReporter_NilSafe(t *testing.T) {
+	var r *commitStatusReporter
+	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusSuccess, "x")
+}
+
+func TestStatusTargetURL(t *testing.T) {
+	if got := statusTargetURL(""); got != "" {
+		t.Errorf("empty domain -> %q, want \"\"", got)
+	}
+	if got := statusTargetURL("x.example.com"); got != "https://x.example.com" {
+		t.Errorf("got %q", got)
+	}
+}

internal/workload/plugin/source/dockerfile/deploy.go

@@ -43,7 +43,7 @@ const healthCheckDelay = 3 * time.Second
 // Each step writes its own status update so the dashboard's runtime-
 // state panel can show a useful intermediate state when the deploy
 // stalls on the slow step (almost always the build).
-func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plugin.DeploymentIntent) error {
+func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plugin.DeploymentIntent) (retErr error) {
 	cfg, err := plugin.SourceConfigOf[Config](w)
 	if err != nil {
 		return fmt.Errorf("dockerfile source: decode config: %w", err)
@@ -90,6 +90,25 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 
 	domain := primaryDomain(deps, w)
 
+	// Commit-status reporter (best-effort; gated on cfg.ReportCommitStatus).
+	// The deferred terminal report fires Success/Failure based on the
+	// deploy's outcome, but ONLY once an actual build/deploy began
+	// (deployStarted). The unchanged-SHA short-circuit below returns via
+	// healUnchanged before that flips, so no status is reported when
+	// nothing was built. retErr is the named return the defer inspects.
+	reporter := newCommitStatusReporter(provider, cfg, latestSHA, statusTargetURL(domain))
+	deployStarted := false
+	defer func() {
+		if !deployStarted {
+			return
+		}
+		if retErr != nil {
+			reporter.report(ctx, w, staticsite.CommitStatusFailure, "Tinyforge: build failed")
+		} else {
+			reporter.report(ctx, w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+		}
+	}()
+
 	prevContainerID := ""
 	prevProxyRouteID := ""
 	if prevContainer != nil {
@@ -129,8 +148,13 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		}
 	}
 
+	// From here on a deploy is genuinely underway, so the deferred terminal
+	// status report should fire. Push a "pending" commit status (best-
+	// effort) and arm the deferred Success/Failure report.
 	updateStatus(deps, w, "syncing", prev.LastCommitSHA, "")
 	publishEvent(deps, w, "syncing")
+	deployStarted = true
+	reporter.report(ctx, w, staticsite.CommitStatusPending, "Tinyforge: deploying")
 
 	// Clone the repo into a temp dir. We always download the entire
 	// repo tree (folderPath = ""); a ContextPath subset is applied
@@ -371,6 +395,55 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	return nil
 }
 
+// commitStatusReporter pushes deploy outcomes back to the git provider as
+// a commit status, gated on the per-workload report_commit_status flag.
+// Strictly best-effort: every call is wrapped so a reporting failure is
+// logged at Warn and NEVER propagates to fail or block the deploy. Mirrors
+// the static plugin's reporter of the same name.
+type commitStatusReporter struct {
+	provider  staticsite.GitProvider
+	owner     string
+	repo      string
+	sha       string
+	targetURL string
+	enabled   bool
+}
+
+// newCommitStatusReporter builds a reporter from the decoded config. When
+// report_commit_status is off (or the SHA is empty) the returned reporter's
+// report method is inert.
+func newCommitStatusReporter(provider staticsite.GitProvider, cfg Config, sha, targetURL string) *commitStatusReporter {
+	return &commitStatusReporter{
+		provider:  provider,
+		owner:     cfg.RepoOwner,
+		repo:      cfg.RepoName,
+		sha:       sha,
+		targetURL: targetURL,
+		enabled:   cfg.ReportCommitStatus,
+	}
+}
+
+// report sends one commit status, swallowing (and logging) any error. Safe
+// to call on a disabled reporter or with a nil provider/empty SHA.
+func (r *commitStatusReporter) report(ctx context.Context, w plugin.Workload, status staticsite.CommitStatus, description string) {
+	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
+		return
+	}
+	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
+		slog.Warn("dockerfile: commit-status report failed (ignored)",
+			"workload", w.Name, "status", string(status), "error", err)
+	}
+}
+
+// statusTargetURL derives the https URL the commit status links back to —
+// the workload's primary public face, or "" when it has none.
+func statusTargetURL(domain string) string {
+	if domain == "" {
+		return ""
+	}
+	return "https://" + domain
+}
+
 // updateStatus writes the runtime-state status/error/commit and (on
 // terminal states) fires the side effects the static plugin's helper
 // does: failures land in the event log, and a "deployed" or "failed"

internal/workload/plugin/source/dockerfile/dockerfile.go

@@ -59,6 +59,11 @@ type Config struct {
 
 	Port        int    `json:"port"`
 	Healthcheck string `json:"healthcheck,omitempty"`
+
+	// ReportCommitStatus, when true, pushes the deploy outcome back to the
+	// git provider as a commit status (pending/success/failure) on the
+	// built SHA. Best-effort — a reporting failure never fails a deploy.
+	ReportCommitStatus bool `json:"report_commit_status"`
 }
 
 type source struct{}

internal/workload/plugin/source/static/commit_status_test.go

@@ -0,0 +1,140 @@
+package static
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/alexei/tinyforge/internal/staticsite"
+	"github.com/alexei/tinyforge/internal/workload/plugin"
+)
+
+// fakeProvider is a stub staticsite.GitProvider that records SetCommitStatus
+// calls. Only the methods the reporter exercises are meaningful; the rest
+// satisfy the interface and panic if ever hit so a mis-wired test is loud.
+type fakeProvider struct {
+	calls   []statusCall
+	failErr error // when set, SetCommitStatus returns it (best-effort path)
+}
+
+type statusCall struct {
+	owner, repo, sha   string
+	status             staticsite.CommitStatus
+	targetURL, descr   string
+}
+
+func (f *fakeProvider) SetCommitStatus(_ context.Context, owner, repo, sha string, status staticsite.CommitStatus, targetURL, description string) error {
+	f.calls = append(f.calls, statusCall{owner, repo, sha, status, targetURL, description})
+	return f.failErr
+}
+
+func (*fakeProvider) Name() string { return "fake" }
+func (*fakeProvider) TestConnection(context.Context, string, string) error {
+	panic("unused")
+}
+func (*fakeProvider) ListRepos(context.Context, string) ([]staticsite.RepoInfo, error) {
+	panic("unused")
+}
+func (*fakeProvider) ListBranches(context.Context, string, string) ([]string, error) {
+	panic("unused")
+}
+func (*fakeProvider) GetLatestCommitSHA(context.Context, string, string, string) (string, error) {
+	panic("unused")
+}
+func (*fakeProvider) ListTree(context.Context, string, string, string) ([]staticsite.FolderEntry, error) {
+	panic("unused")
+}
+func (*fakeProvider) DownloadFolder(context.Context, string, string, string, string, string) error {
+	panic("unused")
+}
+
+func sampleCfg() Config {
+	return Config{RepoOwner: "owner", RepoName: "pages", Branch: "main"}
+}
+
+// When report_commit_status is enabled, the reporter forwards to the
+// provider with the owner/repo/sha + target URL it was built with.
+func TestReporter_Enabled_Calls(t *testing.T) {
+	fp := &fakeProvider{}
+	cfg := sampleCfg()
+	cfg.ReportCommitStatus = true
+	r := newCommitStatusReporter(fp, cfg, "abc123", statusTargetURL("app.example.com"))
+
+	w := plugin.Workload{Name: "site"}
+	r.report(context.Background(), w, staticsite.CommitStatusPending, "Tinyforge: deploying")
+	r.report(context.Background(), w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+
+	if len(fp.calls) != 2 {
+		t.Fatalf("calls = %d, want 2", len(fp.calls))
+	}
+	first := fp.calls[0]
+	if first.owner != "owner" || first.repo != "pages" || first.sha != "abc123" {
+		t.Errorf("identifiers wrong: %+v", first)
+	}
+	if first.status != staticsite.CommitStatusPending {
+		t.Errorf("first status = %q, want pending", first.status)
+	}
+	if first.targetURL != "https://app.example.com" {
+		t.Errorf("targetURL = %q", first.targetURL)
+	}
+	if fp.calls[1].status != staticsite.CommitStatusSuccess {
+		t.Errorf("second status = %q, want success", fp.calls[1].status)
+	}
+}
+
+// When report_commit_status is disabled, the reporter is inert.
+func TestReporter_Disabled_NoCalls(t *testing.T) {
+	fp := &fakeProvider{}
+	cfg := sampleCfg() // ReportCommitStatus defaults to false
+	r := newCommitStatusReporter(fp, cfg, "abc123", "")
+
+	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusSuccess, "x")
+	if len(fp.calls) != 0 {
+		t.Fatalf("expected no calls when disabled, got %d", len(fp.calls))
+	}
+}
+
+// An empty SHA (e.g. a provider that couldn't resolve the branch) must not
+// produce a status call even when reporting is enabled.
+func TestReporter_EmptySHA_NoCalls(t *testing.T) {
+	fp := &fakeProvider{}
+	cfg := sampleCfg()
+	cfg.ReportCommitStatus = true
+	r := newCommitStatusReporter(fp, cfg, "", "")
+
+	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusPending, "x")
+	if len(fp.calls) != 0 {
+		t.Fatalf("expected no calls with empty SHA, got %d", len(fp.calls))
+	}
+}
+
+// A provider error must be swallowed (best-effort) — report never panics or
+// propagates. We assert it returns normally after a failing provider call.
+func TestReporter_ProviderError_Swallowed(t *testing.T) {
+	fp := &fakeProvider{failErr: errors.New("boom")}
+	cfg := sampleCfg()
+	cfg.ReportCommitStatus = true
+	r := newCommitStatusReporter(fp, cfg, "abc123", "")
+
+	// Should not panic / propagate.
+	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusFailure, "Tinyforge: deploy failed")
+	if len(fp.calls) != 1 {
+		t.Fatalf("expected the failing call to still be recorded, got %d", len(fp.calls))
+	}
+}
+
+// A nil reporter (constructed only when needed in some call paths) is safe.
+func TestReporter_NilSafe(t *testing.T) {
+	var r *commitStatusReporter
+	// Must not panic.
+	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusSuccess, "x")
+}
+
+func TestStatusTargetURL(t *testing.T) {
+	if got := statusTargetURL(""); got != "" {
+		t.Errorf("empty domain -> %q, want \"\"", got)
+	}
+	if got := statusTargetURL("x.example.com"); got != "https://x.example.com" {
+		t.Errorf("got %q", got)
+	}
+}

internal/workload/plugin/source/static/deploy.go

@@ -40,7 +40,7 @@ const healthCheckDelay = 3 * time.Second
 // log-line format ("Static site \"%s\": %s") and event payload shapes
 // are preserved so log scrapers and SSE clients keep working through
 // the cutover.
-func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plugin.DeploymentIntent) error {
+func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plugin.DeploymentIntent) (retErr error) {
 	cfg, err := plugin.SourceConfigOf[Config](w)
 	if err != nil {
 		return fmt.Errorf("static source: decode config: %w", err)
@@ -88,6 +88,26 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	// proxy registration sees the same FQDN it did before.
 	domain := primaryDomain(deps, w)
 
+	// Commit-status reporter (best-effort; gated on cfg.ReportCommitStatus).
+	// Built here once latestSHA + domain are known. A deferred terminal
+	// report fires Success/Failure based on the deploy's outcome, but ONLY
+	// once an actual deploy began (deployStarted) — the unchanged-SHA
+	// short-circuit below returns before that flips, so no status is
+	// reported when nothing was deployed. retErr is the named return the
+	// defer inspects.
+	reporter := newCommitStatusReporter(provider, cfg, latestSHA, statusTargetURL(domain))
+	deployStarted := false
+	defer func() {
+		if !deployStarted {
+			return
+		}
+		if retErr != nil {
+			reporter.report(ctx, w, staticsite.CommitStatusFailure, "Tinyforge: deploy failed")
+		} else {
+			reporter.report(ctx, w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+		}
+	}()
+
 	// Skip redeploy when nothing changed AND we have a live container +
 	// (if applicable) live proxy route. Manual deploys always force.
 	prevContainerID := ""
@@ -116,9 +136,13 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		}
 	}
 
-	// Mark syncing.
+	// Mark syncing. From here on a deploy is genuinely underway, so the
+	// deferred terminal status report should fire. Push a "pending" commit
+	// status (best-effort) and arm the deferred Success/Failure report.
 	updateStatus(deps, w, "syncing", prev.LastCommitSHA, "")
 	publishEvent(deps, w, "syncing")
+	deployStarted = true
+	reporter.report(ctx, w, staticsite.CommitStatusPending, "Tinyforge: deploying")
 
 	// Build context — temp dir cleaned up on every exit path.
 	buildDir, err := os.MkdirTemp("", "dw-site-"+idShort(w)+"-*")
@@ -402,6 +426,59 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	return nil
 }
 
+// commitStatusReporter pushes deploy outcomes back to the git provider as
+// a commit status, gated on the per-workload report_commit_status flag.
+// It is strictly best-effort: every call is wrapped so a reporting failure
+// is logged at Warn and NEVER propagates to fail or block the deploy.
+//
+// The provider + identifiers are captured once at deploy start so the hot
+// transition points (pending/success/failure) read as one-liners. A nil
+// receiver (reporting disabled) makes report a no-op, so callers don't have
+// to guard each site.
+type commitStatusReporter struct {
+	provider  staticsite.GitProvider
+	owner     string
+	repo      string
+	sha       string
+	targetURL string
+	enabled   bool
+}
+
+// newCommitStatusReporter builds a reporter from the decoded config. When
+// report_commit_status is off (or the SHA is empty) the returned reporter's
+// report method is inert.
+func newCommitStatusReporter(provider staticsite.GitProvider, cfg Config, sha, targetURL string) *commitStatusReporter {
+	return &commitStatusReporter{
+		provider:  provider,
+		owner:     cfg.RepoOwner,
+		repo:      cfg.RepoName,
+		sha:       sha,
+		targetURL: targetURL,
+		enabled:   cfg.ReportCommitStatus,
+	}
+}
+
+// report sends one commit status, swallowing (and logging) any error. Safe
+// to call on a disabled reporter or with a nil provider/empty SHA.
+func (r *commitStatusReporter) report(ctx context.Context, w plugin.Workload, status staticsite.CommitStatus, description string) {
+	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
+		return
+	}
+	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
+		slog.Warn("static site: commit-status report failed (ignored)",
+			"site", w.Name, "status", string(status), "error", err)
+	}
+}
+
+// statusTargetURL derives the https URL the commit status links back to —
+// the workload's primary public face, or "" when it has none.
+func statusTargetURL(domain string) string {
+	if domain == "" {
+		return ""
+	}
+	return "https://" + domain
+}
+
 // updateStatus writes the runtime state's status/error/commit fields
 // and fires the side effects the legacy Manager.updateStatus did:
 // failures land in the event log, and terminal transitions trigger an

internal/workload/plugin/source/static/static.go

@@ -37,6 +37,10 @@ type Config struct {
 	RenderMarkdown bool   `json:"render_markdown"`
 	StorageEnabled bool   `json:"storage_enabled"`
 	StorageLimitMB int    `json:"storage_limit_mb"`
+	// ReportCommitStatus, when true, pushes the deploy outcome back to the
+	// git provider as a commit status (pending/success/failure) on the
+	// deployed SHA. Best-effort — a reporting failure never fails a deploy.
+	ReportCommitStatus bool `json:"report_commit_status"`
 }
 
 type source struct{}