refactor(source): dedup shared helpers across static + dockerfile plugins

Extract the verbatim-duplicated helpers into shared homes:
- buildEnv -> plugin.BuildWorkloadEnv (base plugin pkg; a sourceName param
  preserves each plugin's slog prefix / log-scraper text)
- idShort -> plugin.IDShort
- commitStatusReporter -> staticsite.CommitStatusReporter, re-parameterized
  on primitives (owner/repo/sha/targetURL/enabled) so staticsite needs no
  dependency on the plugin package; reporter tests ported to staticsite
  (plus a new nil-provider case)

containerNameFor/imageTagFor are intentionally left per-plugin: their
prefixes differ (dw-site- vs tf-build-) and name real Docker resources,
so merging them would risk mis-routing. Behavior-preserving; the
static/dockerfile test suites pass unchanged.

Reviewed: go APPROVE (0 CRITICAL/HIGH).

internal/workload/plugin/source/dockerfile/commit_status_test.go

@@ -1,119 +1,11 @@
 package dockerfile
 
-import (
-	"context"
-	"errors"
-	"testing"
+import "testing"
 
-	"github.com/alexei/tinyforge/internal/staticsite"
-	"github.com/alexei/tinyforge/internal/workload/plugin"
-)
-
-// fakeProvider is a stub staticsite.GitProvider that records SetCommitStatus
-// calls. Unused interface methods panic so a mis-wired test is loud.
-type fakeProvider struct {
-	calls   []statusCall
-	failErr error
-}
-
-type statusCall struct {
-	owner, repo, sha string
-	status           staticsite.CommitStatus
-	targetURL, descr string
-}
-
-func (f *fakeProvider) SetCommitStatus(_ context.Context, owner, repo, sha string, status staticsite.CommitStatus, targetURL, description string) error {
-	f.calls = append(f.calls, statusCall{owner, repo, sha, status, targetURL, description})
-	return f.failErr
-}
-
-func (*fakeProvider) Name() string                                     { return "fake" }
-func (*fakeProvider) TestConnection(context.Context, string, string) error { panic("unused") }
-func (*fakeProvider) ListRepos(context.Context, string) ([]staticsite.RepoInfo, error) {
-	panic("unused")
-}
-func (*fakeProvider) ListBranches(context.Context, string, string) ([]string, error) {
-	panic("unused")
-}
-func (*fakeProvider) GetLatestCommitSHA(context.Context, string, string, string) (string, error) {
-	panic("unused")
-}
-func (*fakeProvider) ListTree(context.Context, string, string, string) ([]staticsite.FolderEntry, error) {
-	panic("unused")
-}
-func (*fakeProvider) DownloadFolder(context.Context, string, string, string, string, string) error {
-	panic("unused")
-}
-
-func sampleCfg() Config {
-	return Config{RepoOwner: "owner", RepoName: "svc", Branch: "main", Port: 8080}
-}
-
-// Enabled: forwards to the provider with the captured identifiers + target.
-func TestReporter_Enabled_Calls(t *testing.T) {
-	fp := &fakeProvider{}
-	cfg := sampleCfg()
-	cfg.ReportCommitStatus = true
-	r := newCommitStatusReporter(fp, cfg, "deadbeef", statusTargetURL("svc.example.com"))
-
-	w := plugin.Workload{Name: "svc"}
-	r.report(context.Background(), w, staticsite.CommitStatusPending, "Tinyforge: deploying")
-	r.report(context.Background(), w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
-
-	if len(fp.calls) != 2 {
-		t.Fatalf("calls = %d, want 2", len(fp.calls))
-	}
-	c := fp.calls[0]
-	if c.owner != "owner" || c.repo != "svc" || c.sha != "deadbeef" {
-		t.Errorf("identifiers wrong: %+v", c)
-	}
-	if c.targetURL != "https://svc.example.com" {
-		t.Errorf("targetURL = %q", c.targetURL)
-	}
-	if fp.calls[1].status != staticsite.CommitStatusSuccess {
-		t.Errorf("second status = %q, want success", fp.calls[1].status)
-	}
-}
-
-// Disabled: inert.
-func TestReporter_Disabled_NoCalls(t *testing.T) {
-	fp := &fakeProvider{}
-	cfg := sampleCfg() // ReportCommitStatus false
-	r := newCommitStatusReporter(fp, cfg, "deadbeef", "")
-	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusFailure, "x")
-	if len(fp.calls) != 0 {
-		t.Fatalf("expected no calls when disabled, got %d", len(fp.calls))
-	}
-}
-
-// Empty SHA: no call even when enabled.
-func TestReporter_EmptySHA_NoCalls(t *testing.T) {
-	fp := &fakeProvider{}
-	cfg := sampleCfg()
-	cfg.ReportCommitStatus = true
-	r := newCommitStatusReporter(fp, cfg, "", "")
-	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusPending, "x")
-	if len(fp.calls) != 0 {
-		t.Fatalf("expected no calls with empty SHA, got %d", len(fp.calls))
-	}
-}
-
-// Provider error is swallowed (best-effort).
-func TestReporter_ProviderError_Swallowed(t *testing.T) {
-	fp := &fakeProvider{failErr: errors.New("boom")}
-	cfg := sampleCfg()
-	cfg.ReportCommitStatus = true
-	r := newCommitStatusReporter(fp, cfg, "deadbeef", "")
-	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusFailure, "Tinyforge: build failed")
-	if len(fp.calls) != 1 {
-		t.Fatalf("expected the failing call to still be recorded, got %d", len(fp.calls))
-	}
-}
-
-func TestReporter_NilSafe(t *testing.T) {
-	var r *commitStatusReporter
-	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusSuccess, "x")
-}
+// The commit-status reporter itself now lives in internal/staticsite
+// (staticsite.CommitStatusReporter) and is covered by
+// internal/staticsite/commit_status_reporter_test.go. This file retains only
+// the dockerfile plugin's local statusTargetURL coverage.
 
 func TestStatusTargetURL(t *testing.T) {
 	if got := statusTargetURL(""); got != "" {

internal/workload/plugin/source/dockerfile/deploy.go

@@ -95,16 +95,16 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	// (deployStarted). The unchanged-SHA short-circuit below returns via
 	// healUnchanged before that flips, so no status is reported when
 	// nothing was built. retErr is the named return the defer inspects.
-	reporter := newCommitStatusReporter(provider, cfg, latestSHA, statusTargetURL(domain))
+	reporter := staticsite.NewCommitStatusReporter(provider, cfg.RepoOwner, cfg.RepoName, latestSHA, statusTargetURL(domain), cfg.ReportCommitStatus)
 	deployStarted := false
 	defer func() {
 		if !deployStarted {
 			return
 		}
 		if retErr != nil {
-			reporter.report(ctx, w, staticsite.CommitStatusFailure, "Tinyforge: build failed")
+			reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusFailure, "Tinyforge: build failed")
 		} else {
-			reporter.report(ctx, w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+			reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
 		}
 	}()
 
@@ -153,13 +153,13 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	updateStatus(deps, w, "syncing", prev.LastCommitSHA, "")
 	publishEvent(deps, w, "syncing")
 	deployStarted = true
-	reporter.report(ctx, w, staticsite.CommitStatusPending, "Tinyforge: deploying")
+	reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusPending, "Tinyforge: deploying")
 
 	// Clone the repo into a temp dir. We always download the entire
 	// repo tree (folderPath = ""); a ContextPath subset is applied
 	// at build time, not at download time, so a Dockerfile in
 	// `./docker/Dockerfile` with `ContextPath=""` still works.
-	cloneDir, err := os.MkdirTemp("", "tf-build-"+idShort(w)+"-*")
+	cloneDir, err := os.MkdirTemp("", "tf-build-"+plugin.IDShort(w)+"-*")
 	if err != nil {
 		updateStatus(deps, w, "failed", prev.LastCommitSHA,
 			sanitizeError(fmt.Sprintf("create clone dir: %v", err), token))
@@ -205,7 +205,7 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		return fmt.Errorf("docker build: %w", err)
 	}
 
-	env := buildEnv(deps, w.ID)
+	env := plugin.BuildWorkloadEnv(deps, w.ID, "dockerfile source")
 	containerPort := strconv.Itoa(cfg.Port)
 
 	settings, err := deps.Store.GetSettings()
@@ -394,46 +394,6 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	return nil
 }
 
-// commitStatusReporter pushes deploy outcomes back to the git provider as
-// a commit status, gated on the per-workload report_commit_status flag.
-// Strictly best-effort: every call is wrapped so a reporting failure is
-// logged at Warn and NEVER propagates to fail or block the deploy. Mirrors
-// the static plugin's reporter of the same name.
-type commitStatusReporter struct {
-	provider  staticsite.GitProvider
-	owner     string
-	repo      string
-	sha       string
-	targetURL string
-	enabled   bool
-}
-
-// newCommitStatusReporter builds a reporter from the decoded config. When
-// report_commit_status is off (or the SHA is empty) the returned reporter's
-// report method is inert.
-func newCommitStatusReporter(provider staticsite.GitProvider, cfg Config, sha, targetURL string) *commitStatusReporter {
-	return &commitStatusReporter{
-		provider:  provider,
-		owner:     cfg.RepoOwner,
-		repo:      cfg.RepoName,
-		sha:       sha,
-		targetURL: targetURL,
-		enabled:   cfg.ReportCommitStatus,
-	}
-}
-
-// report sends one commit status, swallowing (and logging) any error. Safe
-// to call on a disabled reporter or with a nil provider/empty SHA.
-func (r *commitStatusReporter) report(ctx context.Context, w plugin.Workload, status staticsite.CommitStatus, description string) {
-	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
-		return
-	}
-	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
-		slog.Warn("dockerfile: commit-status report failed (ignored)",
-			"workload", w.Name, "status", string(status), "error", err)
-	}
-}
-
 // statusTargetURL derives the https URL the commit status links back to —
 // the workload's primary public face, or "" when it has none.
 func statusTargetURL(domain string) string {

internal/workload/plugin/source/dockerfile/env.go

@@ -1,37 +0,0 @@
-package dockerfile
-
-import (
-	"log/slog"
-
-	"github.com/alexei/tinyforge/internal/crypto"
-	"github.com/alexei/tinyforge/internal/workload/plugin"
-)
-
-// buildEnv flattens workload_env rows into the KEY=VALUE list Docker
-// expects. Mirrors the static plugin's env helper exactly so the two
-// plugins handle decrypt failures the same way: log + skip the one
-// entry rather than fail the deploy. Bricking a build because one
-// rotated key missed an env entry would be worse than running with
-// the variable unset and a single warning in the operator's log.
-func buildEnv(deps plugin.Deps, workloadID string) []string {
-	rows, err := deps.Store.ListWorkloadEnv(workloadID)
-	if err != nil {
-		slog.Warn("dockerfile source: list workload env", "workload", workloadID, "error", err)
-		return nil
-	}
-	out := make([]string, 0, len(rows))
-	for _, e := range rows {
-		value := e.Value
-		if e.Encrypted {
-			decrypted, err := crypto.Decrypt(deps.EncKey, e.Value)
-			if err != nil {
-				slog.Warn("dockerfile source: decrypt env value",
-					"workload", workloadID, "key", e.Key, "error", err)
-				continue
-			}
-			value = decrypted
-		}
-		out = append(out, e.Key+"="+value)
-	}
-	return out
-}

internal/workload/plugin/source/dockerfile/naming.go

@@ -6,27 +6,16 @@ import (
 	"github.com/alexei/tinyforge/internal/workload/plugin"
 )
 
-// idShort is the first 8 chars of the workload ID. Same shape as the
-// static plugin — workload names are not UNIQUE in the schema, the ID
-// short suffix is what keeps two same-named workloads from clobbering
-// each other's container/image artifacts.
-func idShort(w plugin.Workload) string {
-	if len(w.ID) < 8 {
-		return w.ID
-	}
-	return w.ID[:8]
-}
-
 // containerNameFor is the deterministic container name. Prefix `tf-build-`
 // distinguishes a dockerfile-built container from `dw-site-` (static) and
 // per-stage image names at a glance in `docker ps`.
 func containerNameFor(w plugin.Workload) string {
-	return fmt.Sprintf("tf-build-%s-%s", w.Name, idShort(w))
+	return fmt.Sprintf("tf-build-%s-%s", w.Name, plugin.IDShort(w))
 }
 
 // imageTagFor is the deterministic image tag the build step emits. Same
 // shape as the container name so `docker images` shows the linkage at a
 // glance.
 func imageTagFor(w plugin.Workload) string {
-	return fmt.Sprintf("tf-build-%s-%s:latest", w.Name, idShort(w))
+	return fmt.Sprintf("tf-build-%s-%s:latest", w.Name, plugin.IDShort(w))
 }