refactor(source): dedup shared helpers across static + dockerfile plugins

Extract the verbatim-duplicated helpers into shared homes: - buildEnv -> plugin.BuildWorkloadEnv (base plugin pkg; a sourceName param preserves each plugin's slog prefix / log-scraper text) - idShort -> plugin.IDShort - commitStatusReporter -> staticsite.CommitStatusReporter, re-parameterized on primitives (owner/repo/sha/targetURL/enabled) so staticsite needs no dependency on the plugin package; reporter tests ported to staticsite (plus a new nil-provider case) containerNameFor/imageTagFor are intentionally left per-plugin: their prefixes differ (dw-site- vs tf-build-) and name real Docker resources, so merging them would risk mis-routing. Behavior-preserving; the static/dockerfile test suites pass unchanged. Reviewed: go APPROVE (0 CRITICAL/HIGH).
2026-05-29 14:57:30 +03:00
parent 7576f54e76
commit bd7a11d4e7
14 changed files with 272 additions and 453 deletions
@@ -0,0 +1,55 @@
 package staticsite
 import (
 	"context"
 	"log/slog"
 )
 // CommitStatusReporter pushes deploy outcomes back to the git provider as a
 // commit status, gated on the per-workload report_commit_status flag. It is
 // strictly best-effort: every call is wrapped so a reporting failure is logged
 // at Warn and NEVER propagates to fail or block the deploy.
 //
 // The provider + identifiers are captured once at deploy start so the hot
 // transition points (pending/success/failure) read as one-liners. A nil
 // receiver (reporting disabled) makes Report a no-op, so callers don't have to
 // guard each transition.
 //
 // It lives in the staticsite package (alongside GitProvider / CommitStatus)
 // rather than the plugin package so the source plugins can share it without
 // staticsite taking a dependency on plugin. It is parameterized on primitives
 // (not plugin.Workload) for the same reason.
 type CommitStatusReporter struct {
 	provider  GitProvider
 	owner     string
 	repo      string
 	sha       string
 	targetURL string
 	enabled   bool
 }
 // NewCommitStatusReporter builds a reporter from the resolved deploy inputs.
 // When enabled is false (report_commit_status off) or the SHA is empty, the
 // returned reporter's Report method is inert.
 func NewCommitStatusReporter(provider GitProvider, owner, repo, sha, targetURL string, enabled bool) *CommitStatusReporter {
 	return &CommitStatusReporter{
 		provider:  provider,
 		owner:     owner,
 		repo:      repo,
 		sha:       sha,
 		targetURL: targetURL,
 		enabled:   enabled,
 	}
 }
 // Report sends one commit status, swallowing (and logging) any error. Safe to
 // call on a nil/disabled reporter or with a nil provider/empty SHA.
 func (r *CommitStatusReporter) Report(ctx context.Context, workloadName, workloadID string, status CommitStatus, description string) {
 	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
 		return
 	}
 	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
 		slog.Warn("commit-status report failed (ignored)",
 			"workload", workloadName, "workload_id", workloadID, "status", string(status), "error", err)
 	}
 }
@@ -0,0 +1,122 @@
 package staticsite
 import (
 	"context"
 	"errors"
 	"testing"
 )
 // fakeReporterProvider is a stub GitProvider that records SetCommitStatus
 // calls. Only the methods the reporter exercises are meaningful; the rest
 // satisfy the interface and panic if ever hit so a mis-wired test is loud.
 type fakeReporterProvider struct {
 	calls   []reporterStatusCall
 	failErr error // when set, SetCommitStatus returns it (best-effort path)
 }
 type reporterStatusCall struct {
 	owner, repo, sha string
 	status           CommitStatus
 	targetURL, descr string
 }
 func (f *fakeReporterProvider) SetCommitStatus(_ context.Context, owner, repo, sha string, status CommitStatus, targetURL, description string) error {
 	f.calls = append(f.calls, reporterStatusCall{owner, repo, sha, status, targetURL, description})
 	return f.failErr
 }
 func (*fakeReporterProvider) Name() string { return "fake" }
 func (*fakeReporterProvider) TestConnection(context.Context, string, string) error {
 	panic("unused")
 }
 func (*fakeReporterProvider) ListRepos(context.Context, string) ([]RepoInfo, error) {
 	panic("unused")
 }
 func (*fakeReporterProvider) ListBranches(context.Context, string, string) ([]string, error) {
 	panic("unused")
 }
 func (*fakeReporterProvider) GetLatestCommitSHA(context.Context, string, string, string) (string, error) {
 	panic("unused")
 }
 func (*fakeReporterProvider) ListTree(context.Context, string, string, string) ([]FolderEntry, error) {
 	panic("unused")
 }
 func (*fakeReporterProvider) DownloadFolder(context.Context, string, string, string, string, string) error {
 	panic("unused")
 }
 // Enabled: forwards to the provider with the captured identifiers + target.
 func TestCommitStatusReporter_Enabled_Calls(t *testing.T) {
 	fp := &fakeReporterProvider{}
 	r := NewCommitStatusReporter(fp, "owner", "pages", "abc123", "https://app.example.com", true)
 	r.Report(context.Background(), "site", "wid-1", CommitStatusPending, "Tinyforge: deploying")
 	r.Report(context.Background(), "site", "wid-1", CommitStatusSuccess, "Tinyforge: deployed")
 	if len(fp.calls) != 2 {
 		t.Fatalf("calls = %d, want 2", len(fp.calls))
 	}
 	first := fp.calls[0]
 	if first.owner != "owner" || first.repo != "pages" || first.sha != "abc123" {
 		t.Errorf("identifiers wrong: %+v", first)
 	}
 	if first.status != CommitStatusPending {
 		t.Errorf("first status = %q, want pending", first.status)
 	}
 	if first.targetURL != "https://app.example.com" {
 		t.Errorf("targetURL = %q", first.targetURL)
 	}
 	if fp.calls[1].status != CommitStatusSuccess {
 		t.Errorf("second status = %q, want success", fp.calls[1].status)
 	}
 }
 // Disabled: the reporter is inert.
 func TestCommitStatusReporter_Disabled_NoCalls(t *testing.T) {
 	fp := &fakeReporterProvider{}
 	r := NewCommitStatusReporter(fp, "owner", "pages", "abc123", "", false)
 	r.Report(context.Background(), "site", "wid-1", CommitStatusSuccess, "x")
 	if len(fp.calls) != 0 {
 		t.Fatalf("expected no calls when disabled, got %d", len(fp.calls))
 	}
 }
 // An empty SHA (e.g. a provider that couldn't resolve the branch) must not
 // produce a status call even when reporting is enabled.
 func TestCommitStatusReporter_EmptySHA_NoCalls(t *testing.T) {
 	fp := &fakeReporterProvider{}
 	r := NewCommitStatusReporter(fp, "owner", "pages", "", "", true)
 	r.Report(context.Background(), "site", "wid-1", CommitStatusPending, "x")
 	if len(fp.calls) != 0 {
 		t.Fatalf("expected no calls with empty SHA, got %d", len(fp.calls))
 	}
 }
 // A provider error must be swallowed (best-effort) — Report never panics or
 // propagates. We assert it returns normally after a failing provider call.
 func TestCommitStatusReporter_ProviderError_Swallowed(t *testing.T) {
 	fp := &fakeReporterProvider{failErr: errors.New("boom")}
 	r := NewCommitStatusReporter(fp, "owner", "pages", "abc123", "", true)
 	// Should not panic / propagate.
 	r.Report(context.Background(), "site", "wid-1", CommitStatusFailure, "Tinyforge: deploy failed")
 	if len(fp.calls) != 1 {
 		t.Fatalf("expected the failing call to still be recorded, got %d", len(fp.calls))
 	}
 }
 // A nil reporter (constructed only when needed in some call paths) is safe.
 func TestCommitStatusReporter_NilSafe(t *testing.T) {
 	var r *CommitStatusReporter
 	// Must not panic.
 	r.Report(context.Background(), "site", "wid-1", CommitStatusSuccess, "x")
 }
 // A nil provider on an enabled reporter is also a no-op (defensive guard).
 func TestCommitStatusReporter_NilProvider_NoPanic(t *testing.T) {
 	r := NewCommitStatusReporter(nil, "owner", "pages", "abc123", "", true)
 	// Must not panic.
 	r.Report(context.Background(), "site", "wid-1", CommitStatusSuccess, "x")
 }
@@ -0,0 +1,43 @@
 package plugin
 import (
 	"log/slog"
 	"github.com/alexei/tinyforge/internal/crypto"
 )
 // BuildWorkloadEnv flattens workload_env rows into the KEY=VALUE list Docker
 // expects. Shared by the source plugins (static, dockerfile) so they all
 // handle decrypt failures the same way.
 //
 // Encrypted rows are decrypted lazily so plaintext never lives in the store
 // output. A decrypt failure logs and skips the entry rather than failing the
 // whole deploy: bricking a sync/build because one rotated key missed an env
 // entry would be worse than running with the variable unset and surfacing the
 // warning.
 //
 // sourceName is the slog prefix the caller wants on the two warning lines
 // (e.g. "static source" / "dockerfile source") so existing log scrapers keep
 // matching the per-source message text.
 func BuildWorkloadEnv(deps Deps, workloadID, sourceName string) []string {
 	rows, err := deps.Store.ListWorkloadEnv(workloadID)
 	if err != nil {
 		slog.Warn(sourceName+": list workload env", "workload", workloadID, "error", err)
 		return nil
 	}
 	out := make([]string, 0, len(rows))
 	for _, e := range rows {
 		value := e.Value
 		if e.Encrypted {
 			decrypted, err := crypto.Decrypt(deps.EncKey, e.Value)
 			if err != nil {
 				slog.Warn(sourceName+": decrypt env value",
 					"workload", workloadID, "key", e.Key, "error", err)
 				continue
 			}
 			value = decrypted
 		}
 		out = append(out, e.Key+"="+value)
 	}
 	return out
 }
@@ -0,0 +1,17 @@
 package plugin
 // IDShort returns the first 8 chars of a workload ID, used as the uniqueness
 // suffix on the Docker resources (container, image, volume) a source plugin
 // materializes. Workload names are not UNIQUE in the schema today; including
 // the ID short prevents two workloads with the same name from clobbering each
 // other's container, image, or storage volume.
 //
 // Shared by the source plugins (static, dockerfile). Each plugin still owns
 // its own container/image NAME format (the human-readable prefix differs by
 // source kind) — only the ID-short derivation is common.
 func IDShort(w Workload) string {
 	if len(w.ID) < 8 {
 		return w.ID
 	}
 	return w.ID[:8]
 }
@@ -1,119 +1,11 @@
 package dockerfile
-import (
+import "testing"
 	"context"
 	"errors"
 	"testing"
-	"github.com/alexei/tinyforge/internal/staticsite"
+// The commit-status reporter itself now lives in internal/staticsite
-	"github.com/alexei/tinyforge/internal/workload/plugin"
+// (staticsite.CommitStatusReporter) and is covered by
-)
+// internal/staticsite/commit_status_reporter_test.go. This file retains only
-
+// the dockerfile plugin's local statusTargetURL coverage.
 // fakeProvider is a stub staticsite.GitProvider that records SetCommitStatus
 // calls. Unused interface methods panic so a mis-wired test is loud.
 type fakeProvider struct {
 	calls   []statusCall
 	failErr error
 }
 type statusCall struct {
 	owner, repo, sha string
 	status           staticsite.CommitStatus
 	targetURL, descr string
 }
 func (f *fakeProvider) SetCommitStatus(_ context.Context, owner, repo, sha string, status staticsite.CommitStatus, targetURL, description string) error {
 	f.calls = append(f.calls, statusCall{owner, repo, sha, status, targetURL, description})
 	return f.failErr
 }
 func (*fakeProvider) Name() string                                     { return "fake" }
 func (*fakeProvider) TestConnection(context.Context, string, string) error { panic("unused") }
 func (*fakeProvider) ListRepos(context.Context, string) ([]staticsite.RepoInfo, error) {
 	panic("unused")
 }
 func (*fakeProvider) ListBranches(context.Context, string, string) ([]string, error) {
 	panic("unused")
 }
 func (*fakeProvider) GetLatestCommitSHA(context.Context, string, string, string) (string, error) {
 	panic("unused")
 }
 func (*fakeProvider) ListTree(context.Context, string, string, string) ([]staticsite.FolderEntry, error) {
 	panic("unused")
 }
 func (*fakeProvider) DownloadFolder(context.Context, string, string, string, string, string) error {
 	panic("unused")
 }
 func sampleCfg() Config {
 	return Config{RepoOwner: "owner", RepoName: "svc", Branch: "main", Port: 8080}
 }
 // Enabled: forwards to the provider with the captured identifiers + target.
 func TestReporter_Enabled_Calls(t *testing.T) {
 	fp := &fakeProvider{}
 	cfg := sampleCfg()
 	cfg.ReportCommitStatus = true
 	r := newCommitStatusReporter(fp, cfg, "deadbeef", statusTargetURL("svc.example.com"))
 	w := plugin.Workload{Name: "svc"}
 	r.report(context.Background(), w, staticsite.CommitStatusPending, "Tinyforge: deploying")
 	r.report(context.Background(), w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
 	if len(fp.calls) != 2 {
 		t.Fatalf("calls = %d, want 2", len(fp.calls))
 	}
 	c := fp.calls[0]
 	if c.owner != "owner" || c.repo != "svc" || c.sha != "deadbeef" {
 		t.Errorf("identifiers wrong: %+v", c)
 	}
 	if c.targetURL != "https://svc.example.com" {
 		t.Errorf("targetURL = %q", c.targetURL)
 	}
 	if fp.calls[1].status != staticsite.CommitStatusSuccess {
 		t.Errorf("second status = %q, want success", fp.calls[1].status)
 	}
 }
 // Disabled: inert.
 func TestReporter_Disabled_NoCalls(t *testing.T) {
 	fp := &fakeProvider{}
 	cfg := sampleCfg() // ReportCommitStatus false
 	r := newCommitStatusReporter(fp, cfg, "deadbeef", "")
 	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusFailure, "x")
 	if len(fp.calls) != 0 {
 		t.Fatalf("expected no calls when disabled, got %d", len(fp.calls))
 	}
 }
 // Empty SHA: no call even when enabled.
 func TestReporter_EmptySHA_NoCalls(t *testing.T) {
 	fp := &fakeProvider{}
 	cfg := sampleCfg()
 	cfg.ReportCommitStatus = true
 	r := newCommitStatusReporter(fp, cfg, "", "")
 	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusPending, "x")
 	if len(fp.calls) != 0 {
 		t.Fatalf("expected no calls with empty SHA, got %d", len(fp.calls))
 	}
 }
 // Provider error is swallowed (best-effort).
 func TestReporter_ProviderError_Swallowed(t *testing.T) {
 	fp := &fakeProvider{failErr: errors.New("boom")}
 	cfg := sampleCfg()
 	cfg.ReportCommitStatus = true
 	r := newCommitStatusReporter(fp, cfg, "deadbeef", "")
 	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusFailure, "Tinyforge: build failed")
 	if len(fp.calls) != 1 {
 		t.Fatalf("expected the failing call to still be recorded, got %d", len(fp.calls))
 	}
 }
 func TestReporter_NilSafe(t *testing.T) {
 	var r *commitStatusReporter
 	r.report(context.Background(), plugin.Workload{Name: "svc"}, staticsite.CommitStatusSuccess, "x")
 }
 func TestStatusTargetURL(t *testing.T) {
 	if got := statusTargetURL(""); got != "" {
@@ -95,16 +95,16 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	// (deployStarted). The unchanged-SHA short-circuit below returns via
 	// healUnchanged before that flips, so no status is reported when
 	// nothing was built. retErr is the named return the defer inspects.
-	reporter := newCommitStatusReporter(provider, cfg, latestSHA, statusTargetURL(domain))
+	reporter := staticsite.NewCommitStatusReporter(provider, cfg.RepoOwner, cfg.RepoName, latestSHA, statusTargetURL(domain), cfg.ReportCommitStatus)
 	deployStarted := false
 	defer func() {
 		if !deployStarted {
 			return
 		}
 		if retErr != nil {
-			reporter.report(ctx, w, staticsite.CommitStatusFailure, "Tinyforge: build failed")
+			reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusFailure, "Tinyforge: build failed")
 		} else {
-			reporter.report(ctx, w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+			reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
 		}
 	}()
@@ -153,13 +153,13 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	updateStatus(deps, w, "syncing", prev.LastCommitSHA, "")
 	publishEvent(deps, w, "syncing")
 	deployStarted = true
-	reporter.report(ctx, w, staticsite.CommitStatusPending, "Tinyforge: deploying")
+	reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusPending, "Tinyforge: deploying")
 	// Clone the repo into a temp dir. We always download the entire
 	// repo tree (folderPath = ""); a ContextPath subset is applied
 	// at build time, not at download time, so a Dockerfile in
 	// `./docker/Dockerfile` with `ContextPath=""` still works.
-	cloneDir, err := os.MkdirTemp("", "tf-build-"+idShort(w)+"-*")
+	cloneDir, err := os.MkdirTemp("", "tf-build-"+plugin.IDShort(w)+"-*")
 	if err != nil {
 		updateStatus(deps, w, "failed", prev.LastCommitSHA,
 			sanitizeError(fmt.Sprintf("create clone dir: %v", err), token))
@@ -205,7 +205,7 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		return fmt.Errorf("docker build: %w", err)
 	}
-	env := buildEnv(deps, w.ID)
+	env := plugin.BuildWorkloadEnv(deps, w.ID, "dockerfile source")
 	containerPort := strconv.Itoa(cfg.Port)
 	settings, err := deps.Store.GetSettings()
@@ -394,46 +394,6 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	return nil
 }
 // commitStatusReporter pushes deploy outcomes back to the git provider as
 // a commit status, gated on the per-workload report_commit_status flag.
 // Strictly best-effort: every call is wrapped so a reporting failure is
 // logged at Warn and NEVER propagates to fail or block the deploy. Mirrors
 // the static plugin's reporter of the same name.
 type commitStatusReporter struct {
 	provider  staticsite.GitProvider
 	owner     string
 	repo      string
 	sha       string
 	targetURL string
 	enabled   bool
 }
 // newCommitStatusReporter builds a reporter from the decoded config. When
 // report_commit_status is off (or the SHA is empty) the returned reporter's
 // report method is inert.
 func newCommitStatusReporter(provider staticsite.GitProvider, cfg Config, sha, targetURL string) *commitStatusReporter {
 	return &commitStatusReporter{
 		provider:  provider,
 		owner:     cfg.RepoOwner,
 		repo:      cfg.RepoName,
 		sha:       sha,
 		targetURL: targetURL,
 		enabled:   cfg.ReportCommitStatus,
 	}
 }
 // report sends one commit status, swallowing (and logging) any error. Safe
 // to call on a disabled reporter or with a nil provider/empty SHA.
 func (r *commitStatusReporter) report(ctx context.Context, w plugin.Workload, status staticsite.CommitStatus, description string) {
 	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
 		return
 	}
 	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
 		slog.Warn("dockerfile: commit-status report failed (ignored)",
 			"workload", w.Name, "status", string(status), "error", err)
 	}
 }
 // statusTargetURL derives the https URL the commit status links back to —
 // the workload's primary public face, or "" when it has none.
 func statusTargetURL(domain string) string {
@@ -1,37 +0,0 @@
 package dockerfile
 import (
 	"log/slog"
 	"github.com/alexei/tinyforge/internal/crypto"
 	"github.com/alexei/tinyforge/internal/workload/plugin"
 )
 // buildEnv flattens workload_env rows into the KEY=VALUE list Docker
 // expects. Mirrors the static plugin's env helper exactly so the two
 // plugins handle decrypt failures the same way: log + skip the one
 // entry rather than fail the deploy. Bricking a build because one
 // rotated key missed an env entry would be worse than running with
 // the variable unset and a single warning in the operator's log.
 func buildEnv(deps plugin.Deps, workloadID string) []string {
 	rows, err := deps.Store.ListWorkloadEnv(workloadID)
 	if err != nil {
 		slog.Warn("dockerfile source: list workload env", "workload", workloadID, "error", err)
 		return nil
 	}
 	out := make([]string, 0, len(rows))
 	for _, e := range rows {
 		value := e.Value
 		if e.Encrypted {
 			decrypted, err := crypto.Decrypt(deps.EncKey, e.Value)
 			if err != nil {
 				slog.Warn("dockerfile source: decrypt env value",
 					"workload", workloadID, "key", e.Key, "error", err)
 				continue
 			}
 			value = decrypted
 		}
 		out = append(out, e.Key+"="+value)
 	}
 	return out
 }
@@ -6,27 +6,16 @@ import (
 	"github.com/alexei/tinyforge/internal/workload/plugin"
 )
 // idShort is the first 8 chars of the workload ID. Same shape as the
 // static plugin — workload names are not UNIQUE in the schema, the ID
 // short suffix is what keeps two same-named workloads from clobbering
 // each other's container/image artifacts.
 func idShort(w plugin.Workload) string {
 	if len(w.ID) < 8 {
 		return w.ID
 	}
 	return w.ID[:8]
 }
 // containerNameFor is the deterministic container name. Prefix `tf-build-`
 // distinguishes a dockerfile-built container from `dw-site-` (static) and
 // per-stage image names at a glance in `docker ps`.
 func containerNameFor(w plugin.Workload) string {
-	return fmt.Sprintf("tf-build-%s-%s", w.Name, idShort(w))
+	return fmt.Sprintf("tf-build-%s-%s", w.Name, plugin.IDShort(w))
 }
 // imageTagFor is the deterministic image tag the build step emits. Same
 // shape as the container name so `docker images` shows the linkage at a
 // glance.
 func imageTagFor(w plugin.Workload) string {
-	return fmt.Sprintf("tf-build-%s-%s:latest", w.Name, idShort(w))
+	return fmt.Sprintf("tf-build-%s-%s:latest", w.Name, plugin.IDShort(w))
 }
@@ -1,134 +1,11 @@
 package static
-import (
+import "testing"
 	"context"
 	"errors"
 	"testing"
-	"github.com/alexei/tinyforge/internal/staticsite"
+// The commit-status reporter itself now lives in internal/staticsite
-	"github.com/alexei/tinyforge/internal/workload/plugin"
+// (staticsite.CommitStatusReporter) and is covered by
-)
+// internal/staticsite/commit_status_reporter_test.go. This file retains only
-
+// the static plugin's local statusTargetURL coverage.
 // fakeProvider is a stub staticsite.GitProvider that records SetCommitStatus
 // calls. Only the methods the reporter exercises are meaningful; the rest
 // satisfy the interface and panic if ever hit so a mis-wired test is loud.
 type fakeProvider struct {
 	calls   []statusCall
 	failErr error // when set, SetCommitStatus returns it (best-effort path)
 }
 type statusCall struct {
 	owner, repo, sha   string
 	status             staticsite.CommitStatus
 	targetURL, descr   string
 }
 func (f *fakeProvider) SetCommitStatus(_ context.Context, owner, repo, sha string, status staticsite.CommitStatus, targetURL, description string) error {
 	f.calls = append(f.calls, statusCall{owner, repo, sha, status, targetURL, description})
 	return f.failErr
 }
 func (*fakeProvider) Name() string { return "fake" }
 func (*fakeProvider) TestConnection(context.Context, string, string) error {
 	panic("unused")
 }
 func (*fakeProvider) ListRepos(context.Context, string) ([]staticsite.RepoInfo, error) {
 	panic("unused")
 }
 func (*fakeProvider) ListBranches(context.Context, string, string) ([]string, error) {
 	panic("unused")
 }
 func (*fakeProvider) GetLatestCommitSHA(context.Context, string, string, string) (string, error) {
 	panic("unused")
 }
 func (*fakeProvider) ListTree(context.Context, string, string, string) ([]staticsite.FolderEntry, error) {
 	panic("unused")
 }
 func (*fakeProvider) DownloadFolder(context.Context, string, string, string, string, string) error {
 	panic("unused")
 }
 func sampleCfg() Config {
 	return Config{RepoOwner: "owner", RepoName: "pages", Branch: "main"}
 }
 // When report_commit_status is enabled, the reporter forwards to the
 // provider with the owner/repo/sha + target URL it was built with.
 func TestReporter_Enabled_Calls(t *testing.T) {
 	fp := &fakeProvider{}
 	cfg := sampleCfg()
 	cfg.ReportCommitStatus = true
 	r := newCommitStatusReporter(fp, cfg, "abc123", statusTargetURL("app.example.com"))
 	w := plugin.Workload{Name: "site"}
 	r.report(context.Background(), w, staticsite.CommitStatusPending, "Tinyforge: deploying")
 	r.report(context.Background(), w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
 	if len(fp.calls) != 2 {
 		t.Fatalf("calls = %d, want 2", len(fp.calls))
 	}
 	first := fp.calls[0]
 	if first.owner != "owner" || first.repo != "pages" || first.sha != "abc123" {
 		t.Errorf("identifiers wrong: %+v", first)
 	}
 	if first.status != staticsite.CommitStatusPending {
 		t.Errorf("first status = %q, want pending", first.status)
 	}
 	if first.targetURL != "https://app.example.com" {
 		t.Errorf("targetURL = %q", first.targetURL)
 	}
 	if fp.calls[1].status != staticsite.CommitStatusSuccess {
 		t.Errorf("second status = %q, want success", fp.calls[1].status)
 	}
 }
 // When report_commit_status is disabled, the reporter is inert.
 func TestReporter_Disabled_NoCalls(t *testing.T) {
 	fp := &fakeProvider{}
 	cfg := sampleCfg() // ReportCommitStatus defaults to false
 	r := newCommitStatusReporter(fp, cfg, "abc123", "")
 	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusSuccess, "x")
 	if len(fp.calls) != 0 {
 		t.Fatalf("expected no calls when disabled, got %d", len(fp.calls))
 	}
 }
 // An empty SHA (e.g. a provider that couldn't resolve the branch) must not
 // produce a status call even when reporting is enabled.
 func TestReporter_EmptySHA_NoCalls(t *testing.T) {
 	fp := &fakeProvider{}
 	cfg := sampleCfg()
 	cfg.ReportCommitStatus = true
 	r := newCommitStatusReporter(fp, cfg, "", "")
 	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusPending, "x")
 	if len(fp.calls) != 0 {
 		t.Fatalf("expected no calls with empty SHA, got %d", len(fp.calls))
 	}
 }
 // A provider error must be swallowed (best-effort) — report never panics or
 // propagates. We assert it returns normally after a failing provider call.
 func TestReporter_ProviderError_Swallowed(t *testing.T) {
 	fp := &fakeProvider{failErr: errors.New("boom")}
 	cfg := sampleCfg()
 	cfg.ReportCommitStatus = true
 	r := newCommitStatusReporter(fp, cfg, "abc123", "")
 	// Should not panic / propagate.
 	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusFailure, "Tinyforge: deploy failed")
 	if len(fp.calls) != 1 {
 		t.Fatalf("expected the failing call to still be recorded, got %d", len(fp.calls))
 	}
 }
 // A nil reporter (constructed only when needed in some call paths) is safe.
 func TestReporter_NilSafe(t *testing.T) {
 	var r *commitStatusReporter
 	// Must not panic.
 	r.report(context.Background(), plugin.Workload{Name: "site"}, staticsite.CommitStatusSuccess, "x")
 }
 func TestStatusTargetURL(t *testing.T) {
 	if got := statusTargetURL(""); got != "" {
@@ -93,16 +93,16 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	// short-circuit below returns before that flips, so no status is
 	// reported when nothing was deployed. retErr is the named return the
 	// defer inspects.
-	reporter := newCommitStatusReporter(provider, cfg, latestSHA, statusTargetURL(domain))
+	reporter := staticsite.NewCommitStatusReporter(provider, cfg.RepoOwner, cfg.RepoName, latestSHA, statusTargetURL(domain), cfg.ReportCommitStatus)
 	deployStarted := false
 	defer func() {
 		if !deployStarted {
 			return
 		}
 		if retErr != nil {
-			reporter.report(ctx, w, staticsite.CommitStatusFailure, "Tinyforge: deploy failed")
+			reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusFailure, "Tinyforge: deploy failed")
 		} else {
-			reporter.report(ctx, w, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
+			reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusSuccess, "Tinyforge: deployed")
 		}
 	}()
@@ -140,10 +140,10 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	updateStatus(deps, w, "syncing", prev.LastCommitSHA, "")
 	publishEvent(deps, w, "syncing")
 	deployStarted = true
-	reporter.report(ctx, w, staticsite.CommitStatusPending, "Tinyforge: deploying")
+	reporter.Report(ctx, w.Name, w.ID, staticsite.CommitStatusPending, "Tinyforge: deploying")
 	// Build context — temp dir cleaned up on every exit path.
-	buildDir, err := os.MkdirTemp("", "dw-site-"+idShort(w)+"-*")
+	buildDir, err := os.MkdirTemp("", "dw-site-"+plugin.IDShort(w)+"-*")
 	if err != nil {
 		updateStatus(deps, w, "failed", prev.LastCommitSHA,
 			sanitizeError(fmt.Sprintf("create temp dir: %v", err), token))
@@ -215,7 +215,7 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		return fmt.Errorf("build image: %w", err)
 	}
-	env := buildEnv(deps, w.ID)
+	env := plugin.BuildWorkloadEnv(deps, w.ID, "static source")
 	containerPort := "80"
 	if mode == "deno" {
@@ -424,50 +424,6 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	return nil
 }
 // commitStatusReporter pushes deploy outcomes back to the git provider as
 // a commit status, gated on the per-workload report_commit_status flag.
 // It is strictly best-effort: every call is wrapped so a reporting failure
 // is logged at Warn and NEVER propagates to fail or block the deploy.
 //
 // The provider + identifiers are captured once at deploy start so the hot
 // transition points (pending/success/failure) read as one-liners. A nil
 // receiver (reporting disabled) makes report a no-op, so callers don't have
 // to guard each site.
 type commitStatusReporter struct {
 	provider  staticsite.GitProvider
 	owner     string
 	repo      string
 	sha       string
 	targetURL string
 	enabled   bool
 }
 // newCommitStatusReporter builds a reporter from the decoded config. When
 // report_commit_status is off (or the SHA is empty) the returned reporter's
 // report method is inert.
 func newCommitStatusReporter(provider staticsite.GitProvider, cfg Config, sha, targetURL string) *commitStatusReporter {
 	return &commitStatusReporter{
 		provider:  provider,
 		owner:     cfg.RepoOwner,
 		repo:      cfg.RepoName,
 		sha:       sha,
 		targetURL: targetURL,
 		enabled:   cfg.ReportCommitStatus,
 	}
 }
 // report sends one commit status, swallowing (and logging) any error. Safe
 // to call on a disabled reporter or with a nil provider/empty SHA.
 func (r *commitStatusReporter) report(ctx context.Context, w plugin.Workload, status staticsite.CommitStatus, description string) {
 	if r == nil || !r.enabled || r.provider == nil || r.sha == "" {
 		return
 	}
 	if err := r.provider.SetCommitStatus(ctx, r.owner, r.repo, r.sha, status, r.targetURL, description); err != nil {
 		slog.Warn("static site: commit-status report failed (ignored)",
 			"site", w.Name, "status", string(status), "error", err)
 	}
 }
 // statusTargetURL derives the https URL the commit status links back to —
 // the workload's primary public face, or "" when it has none.
 func statusTargetURL(domain string) string {
@@ -1,42 +0,0 @@
 package static
 import (
 	"log/slog"
 	"github.com/alexei/tinyforge/internal/crypto"
 	"github.com/alexei/tinyforge/internal/workload/plugin"
 )
 // buildEnv flattens workload_env rows into the KEY=VALUE list Docker
 // expects. Mirrors image/image.go:buildEnv but without an embedded
 // cfg.Env map — the static source only carries env via workload_env
 // today (legacy static_site_secrets has been replaced by the unified
 // workload_env table during the workload refactor).
 //
 // Encrypted rows are decrypted lazily so plaintext never lives in the
 // store output. A decrypt failure logs and skips the entry rather than
 // failing the whole deploy: bricking a sync because one rotated key
 // missed an env entry would be worse than running with the variable
 // unset and surfacing the warning.
 func buildEnv(deps plugin.Deps, workloadID string) []string {
 	rows, err := deps.Store.ListWorkloadEnv(workloadID)
 	if err != nil {
 		slog.Warn("static source: list workload env", "workload", workloadID, "error", err)
 		return nil
 	}
 	out := make([]string, 0, len(rows))
 	for _, e := range rows {
 		value := e.Value
 		if e.Encrypted {
 			decrypted, err := crypto.Decrypt(deps.EncKey, e.Value)
 			if err != nil {
 				slog.Warn("static source: decrypt env value",
 					"workload", workloadID, "key", e.Key, "error", err)
 				continue
 			}
 			value = decrypted
 		}
 		out = append(out, e.Key+"="+value)
 	}
 	return out
 }
@@ -12,7 +12,7 @@ import (
 )
 func TestIdShort_TruncatesLongID(t *testing.T) {
-	got := idShort(plugin.Workload{ID: "abcd1234-5678-1234-abcd-deadbeef0000"})
+	got := plugin.IDShort(plugin.Workload{ID: "abcd1234-5678-1234-abcd-deadbeef0000"})
 	if got != "abcd1234" {
 		t.Fatalf("idShort = %q, want %q", got, "abcd1234")
 	}
@@ -20,14 +20,14 @@ func TestIdShort_TruncatesLongID(t *testing.T) {
 func TestIdShort_ShortIDPassesThrough(t *testing.T) {
 	// IDs shorter than 8 chars must not panic on slicing.
-	got := idShort(plugin.Workload{ID: "abc"})
+	got := plugin.IDShort(plugin.Workload{ID: "abc"})
 	if got != "abc" {
 		t.Fatalf("idShort = %q, want %q", got, "abc")
 	}
 }
 func TestIdShort_ExactlyEightChars(t *testing.T) {
-	got := idShort(plugin.Workload{ID: "12345678"})
+	got := plugin.IDShort(plugin.Workload{ID: "12345678"})
 	if got != "12345678" {
 		t.Fatalf("idShort = %q, want %q", got, "12345678")
 	}
@@ -7,31 +7,18 @@ import (
 	"github.com/alexei/tinyforge/internal/workload/plugin"
 )
 // idShort returns the first 8 chars of a workload ID, used as the
 // uniqueness suffix on every Docker resource (container, image,
 // volume) the static source materializes. Workload names are not
 // UNIQUE in the schema today; including the ID short prevents two
 // workloads with the same name from clobbering each other's
 // container, image, or storage volume.
 func idShort(w plugin.Workload) string {
 	if len(w.ID) < 8 {
 		return w.ID
 	}
 	return w.ID[:8]
 }
 // containerNameFor is the deterministic container name. Includes
 // w.Name for visual continuity in `docker ps` plus the ID short for
 // uniqueness.
 func containerNameFor(w plugin.Workload) string {
-	return fmt.Sprintf("dw-site-%s-%s", w.Name, idShort(w))
+	return fmt.Sprintf("dw-site-%s-%s", w.Name, plugin.IDShort(w))
 }
 // imageTagFor is the deterministic image tag — same shape as the
 // container name so the linkage between an image and the workload
 // that owns it stays obvious from `docker images`.
 func imageTagFor(w plugin.Workload) string {
-	return fmt.Sprintf("dw-site-%s-%s:latest", w.Name, idShort(w))
+	return fmt.Sprintf("dw-site-%s-%s:latest", w.Name, plugin.IDShort(w))
 }
 // siteVolumeKey is the input to docker.SiteVolumeName / EnsureSiteVolume
@@ -41,7 +28,7 @@ func imageTagFor(w plugin.Workload) string {
 // envelope. Including idShort prevents two workloads sharing a name
 // from sharing one persistent volume.
 func siteVolumeKey(w plugin.Workload) string {
-	return fmt.Sprintf("%s-%s", w.Name, idShort(w))
+	return fmt.Sprintf("%s-%s", w.Name, plugin.IDShort(w))
 }
 // sanitizeError clamps an error string so persisting it (in
@@ -300,7 +300,7 @@ func TestBuildEnv_PlainValues(t *testing.T) {
 		}
 	}
-	got := buildEnv(deps, wid)
+	got := plugin.BuildWorkloadEnv(deps, wid, "static source")
 	gotSet := map[string]bool{}
 	for _, line := range got {
 		gotSet[line] = true
@@ -331,7 +331,7 @@ func TestBuildEnv_DecryptsEncryptedValues(t *testing.T) {
 		t.Fatalf("seed encrypted env: %v", err)
 	}
-	got := buildEnv(deps, wid)
+	got := plugin.BuildWorkloadEnv(deps, wid, "static source")
 	if len(got) != 1 {
 		t.Fatalf("buildEnv returned %d, want 1: %v", len(got), got)
 	}
@@ -363,7 +363,7 @@ func TestBuildEnv_SkipsRowsThatFailToDecrypt(t *testing.T) {
 		}
 	}
-	got := buildEnv(deps, wid)
+	got := plugin.BuildWorkloadEnv(deps, wid, "static source")
 	// Expect AAA_GOOD and CCC_PLAIN; BBB_BAD silently skipped. Check by
 	// set membership so the assertion doesn't depend on ListWorkloadEnv
 	// preserving any particular order.
@@ -393,7 +393,7 @@ func TestBuildEnv_SkipsRowsThatFailToDecrypt(t *testing.T) {
 func TestBuildEnv_EmptyOnMissingWorkload(t *testing.T) {
 	deps, _ := testDeps(t)
-	got := buildEnv(deps, "wid-no-env")
+	got := plugin.BuildWorkloadEnv(deps, "wid-no-env", "static source")
 	if len(got) != 0 {
 		t.Errorf("buildEnv returned %d, want 0: %v", len(got), got)
 	}
@@ -414,7 +414,7 @@ func TestBuildEnv_StoreFailurePropagatesAsEmpty(t *testing.T) {
 	}
 	deps := plugin.Deps{Store: st}
-	got := buildEnv(deps, "anything")
+	got := plugin.BuildWorkloadEnv(deps, "anything", "static source")
 	if len(got) != 0 {
 		t.Errorf("buildEnv returned %d, want 0 on store failure: %v", len(got), got)
 	}