feat(deploy): commit-status reporting to Git providers

Report deploy status back to the Git provider as a commit status
(pending/success/failure) for git-sourced workloads (static + dockerfile).

- GitProvider.SetCommitStatus on gitea/github/gitlab over the existing
  SSRF-safe client; fixed "tinyforge" context so redeploys update one row.
  postJSON returns status-code-only errors (never echoes the upstream body,
  which a hostile provider could use to reflect the auth token into the
  best-effort log line).
- Best-effort deploy hook: pending on deploy start, success/failure on
  outcome, gated on a per-workload report_commit_status flag. Never fails or
  blocks a deploy; emits nothing on the unchanged-SHA short-circuit.
- UI ToggleSwitch (create + edit) + reportCommitStatus in sourceForms.ts
  + en/ru i18n.
- Tests: per-provider state mapping + request shape; reporter gating
  (enabled/disabled/empty-SHA/nil/error-swallow).

Reviewed via go-reviewer + security-reviewer (0 CRITICAL/HIGH; one MEDIUM
body-echo log-leak fixed).

internal/workload/plugin/source/static/deploy.go

@@ -40,7 +40,7 @@ const healthCheckDelay = 3 * time.Second
 // log-line format ("Static site \"%s\": %s") and event payload shapes
 // are preserved so log scrapers and SSE clients keep working through
 // the cutover.
-func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plugin.DeploymentIntent) error {
+func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plugin.DeploymentIntent) (retErr error) {
 	cfg, err := plugin.SourceConfigOf[Config](w)
 	if err != nil {
 		return fmt.Errorf("static source: decode config: %w", err)
@@ -88,6 +88,26 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	// proxy registration sees the same FQDN it did before.
 	domain := primaryDomain(deps, w)
 
+	// Commit-status reporter (best-effort; gated on cfg.ReportCommitStatus).
+	// Built here once latestSHA + domain are known. A deferred terminal
+	// report fires Success/Failure based on the deploy's outcome, but ONLY
+	// once an actual deploy began (deployStarted) — the unchanged-SHA
+	// short-circuit below returns before that flips, so no status is
+	// reported when nothing was deployed. retErr is the named return the
+	// defer inspects.
+	reporter := newCommitStatusReporter(provider, cfg, latestSHA, statusTargetURL(domain))
+	deployStarted := false
+	defer func() {
+		if !deployStarted {
+			return
+		}
+		if retErr != nil {
+			reporter.report(ctx, w, staticsite.CommitStatusFailure, "Tinyforge: deploy failed")
+		} else {
+			reporter.report(ctx, w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+		}
+	}()
+
 	// Skip redeploy when nothing changed AND we have a live container +
 	// (if applicable) live proxy route. Manual deploys always force.
 	prevContainerID := ""
@@ -116,9 +136,13 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		}
 	}
 
-	// Mark syncing.
+	// Mark syncing. From here on a deploy is genuinely underway, so the
+	// deferred terminal status report should fire. Push a "pending" commit
+	// status (best-effort) and arm the deferred Success/Failure report.
 	updateStatus(deps, w, "syncing", prev.LastCommitSHA, "")
 	publishEvent(deps, w, "syncing")
+	deployStarted = true
+	reporter.report(ctx, w, staticsite.CommitStatusPending, "Tinyforge: deploying")
 
 	// Build context — temp dir cleaned up on every exit path.
 	buildDir, err := os.MkdirTemp("", "dw-site-"+idShort(w)+"-*")
@@ -402,6 +426,59 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	return nil
 }
 
+// commitStatusReporter pushes deploy outcomes back to the git provider as
+// a commit status, gated on the per-workload report_commit_status flag.
+// It is strictly best-effort: every call is wrapped so a reporting failure
+// is logged at Warn and NEVER propagates to fail or block the deploy.
+//
+// The provider + identifiers are captured once at deploy start so the hot
+// transition points (pending/success/failure) read as one-liners. A nil
+// receiver (reporting disabled) makes report a no-op, so callers don't have
+// to guard each site.
+type commitStatusReporter struct {
+	provider  staticsite.GitProvider
+	owner     string
+	repo      string
+	sha       string
+	targetURL string
+	enabled   bool
+}
+
+// newCommitStatusReporter builds a reporter from the decoded config. When
+// report_commit_status is off (or the SHA is empty) the returned reporter's
+// report method is inert.
+func newCommitStatusReporter(provider staticsite.GitProvider, cfg Config, sha, targetURL string) *commitStatusReporter {
+	return &commitStatusReporter{
+		provider:  provider,
+		owner:     cfg.RepoOwner,
+		repo:      cfg.RepoName,
+		sha:       sha,
+		targetURL: targetURL,
+		enabled:   cfg.ReportCommitStatus,
+	}
+}
+
+// report sends one commit status, swallowing (and logging) any error. Safe
+// to call on a disabled reporter or with a nil provider/empty SHA.
+func (r *commitStatusReporter) report(ctx context.Context, w plugin.Workload, status staticsite.CommitStatus, description string) {
+	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
+		return
+	}
+	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
+		slog.Warn("static site: commit-status report failed (ignored)",
+			"site", w.Name, "status", string(status), "error", err)
+	}
+}
+
+// statusTargetURL derives the https URL the commit status links back to —
+// the workload's primary public face, or "" when it has none.
+func statusTargetURL(domain string) string {
+	if domain == "" {
+		return ""
+	}
+	return "https://" + domain
+}
+
 // updateStatus writes the runtime state's status/error/commit fields
 // and fires the side effects the legacy Manager.updateStatus did:
 // failures land in the event log, and terminal transitions trigger an