TrogonStack · yordis · Nov 1, 2025 · Aug 24, 2025 · Copilot · Nov 1, 2025
diff --git a/.github/workflows/build-container-debian-lts.yml b/.github/workflows/build-container-debian-lts.yml
@@ -24,3 +24,4 @@ jobs:
     with:
       container-runtime: bookworm-slim
       runtime: linux-x64
+    secrets: inherit
diff --git a/.github/workflows/build-container-reusable.yml b/.github/workflows/build-container-reusable.yml
@@ -44,6 +44,8 @@ jobs:
           build-args: |
             CONTAINER_RUNTIME=${{ inputs.container-runtime }}
             RUNTIME=${{ inputs.runtime }}
+          secrets: |
+            nuget_auth_token=${{ secrets.GITHUB_TOKEN }}
       - name: Verify Build
         run: |
           docker run --rm eventstore --insecure --what-if
@@ -57,6 +59,8 @@ jobs:
           build-args: |
             CONTAINER_RUNTIME=${{ inputs.container-runtime }}
             RUNTIME=${{ inputs.runtime }}
+          secrets: |
+            nuget_auth_token=${{ secrets.GITHUB_TOKEN }}
       - name: Run Tests
         run: |
           docker run \

diff --git a/.github/workflows/build-container-ubuntu-lts.yml b/.github/workflows/build-container-ubuntu-lts.yml
@@ -24,3 +24,4 @@ jobs:
     with:
       container-runtime: noble
       runtime: linux-x64
+    secrets: inherit
diff --git a/.github/workflows/build-reusable.yml b/.github/workflows/build-reusable.yml
@@ -10,7 +10,16 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
+  nuget-source:
+    name: Auth with GitHub Packages
+    uses: ./.github/workflows/nuget-auth.yml
+    with:
+      working-directory: src
   build:
     strategy:
       fail-fast: false
@@ -33,6 +42,8 @@ jobs:
           dotnet-version: 8.0.x
       - name: Compile
         shell: bash
+        env:
+          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           dotnet build --configuration ${{ matrix.configuration }} -p:Platform=${{ inputs.arch }} src/EventStore.sln
       - name: Verify Build

diff --git a/.github/workflows/build-ubuntu-lts-arm64.yml b/.github/workflows/build-ubuntu-lts-arm64.yml
@@ -24,3 +24,4 @@ jobs:
     with:
       os: ubuntu-24.04-arm
       arch: arm64
+    secrets: inherit
diff --git a/.github/workflows/build-ubuntu-lts-x64.yml b/.github/workflows/build-ubuntu-lts-x64.yml
@@ -24,3 +24,4 @@ jobs:
     with:
       os: ubuntu-24.04
       arch: x64
+    secrets: inherit
diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml
@@ -18,6 +18,10 @@ on:
       - "samples/**"
       - "**.md"
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   vulnerability-scan:
     runs-on: ubuntu-latest
@@ -29,12 +33,20 @@ jobs:
         uses: actions/setup-dotnet@v4
         with:
           dotnet-version: 8.0.x
+      - name: Set up .NET NuGet authentication
+        run: |
+          dotnet nuget add source "https://nuget.pkg.github.com/TrogonStack/index.json" \
+            --name "github" \
+            --username ${{ github.actor }} \
+            --password ${{ secrets.GITHUB_TOKEN }} \
+            --store-password-in-clear-text
       - name: Scan for Vulnerabilities
         run: |
           cd src
           dotnet restore
           dotnet list package --vulnerable --include-transitive | tee vulnerabilities.txt
           ! cat vulnerabilities.txt | grep -q "has the following vulnerable packages"
+
   protolock:
     runs-on: ubuntu-latest
     name: Protolock Status
@@ -48,9 +60,6 @@ jobs:
   docker-compose:
     runs-on: ubuntu-latest
     name: Docker Compose Smoke Test
-    permissions:
-      contents: read
-      packages: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -61,6 +70,9 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker Compose Smoke Test
+        env:
+          DOCKER_BUILDKIT: 1
+          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           docker compose build
           docker compose up --detach

diff --git a/.github/workflows/nuget-auth.yml b/.github/workflows/nuget-auth.yml
@@ -0,0 +1,46 @@
+name: NuGet Auth + Restore
+
+on:
+  workflow_call:
+    inputs:
+      working-directory:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  restore:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Authenticate NuGet GitHub Packages
+        run: |
+          dotnet nuget add source https://nuget.pkg.github.com/TrogonStack/index.json \
+            --name github \
+            --username "${{ github.actor }}" \
+            --password "${{ secrets.GITHUB_TOKEN }}" \
+            --store-password-in-clear-text
+
+      - name: Verify NuGet Source Configuration
+        run: |
+          echo "Listing configured NuGet sources:"
+          dotnet nuget list source
+          echo ""
+          echo "Verifying GitHub Packages authentication:"
+          dotnet nuget verify --source github || echo "Verification failed, but continuing..."
+
+      - name: Test Package Restore
+        working-directory: ${{ inputs.working-directory }}
+        run: |
+          echo "Testing package restore with authenticated source:"
+          dotnet restore --verbosity normal
diff --git a/.github/workflows/pull-request-check.yml b/.github/workflows/pull-request-check.yml
diff --git a/Dockerfile b/Dockerfile
@@ -11,8 +11,19 @@ WORKDIR /build/ci
 COPY ./ci ./
 
 WORKDIR /build/src
-COPY ./src/EventStore.sln ./src/*/*.csproj ./src/Directory.Build.* ./src/Directory.Packages.* ./
+COPY ./src/EventStore.sln ./src/*/*.csproj ./src/Directory.Build.* ./src/Directory.Packages.* ./src/NuGet.Config ./
 RUN for file in $(ls *.csproj); do mkdir -p ./${file%.*}/ && mv $file ./${file%.*}/; done
+
+# Configure NuGet authentication for GitHub Packages using Docker secrets
+RUN --mount=type=secret,id=nuget_auth_token \
+    if [ -f /run/secrets/nuget_auth_token ]; then \
+        NUGET_AUTH_TOKEN=$(cat /run/secrets/nuget_auth_token) && \
+        dotnet nuget update source github \
+        --username docker \
+        --password "$NUGET_AUTH_TOKEN" \
+        --store-password-in-clear-text; \
+    fi
+
 RUN dotnet restore --runtime=${RUNTIME}
 COPY ./src .
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -24,7 +24,10 @@ services:
       - volumes-provisioner
 
   esdb-node1:
-    build: ./
+    build: 
+      context: ./
+      secrets:
+        - nuget_auth_token
     env_file:
       - shared.env
     environment:
@@ -46,7 +49,10 @@ services:
       - cert-gen
 
   esdb-node2:
-    build: ./
+    build: 
+      context: ./
+      secrets:
+        - nuget_auth_token
     env_file:
       - shared.env
     environment:
@@ -68,7 +74,10 @@ services:
       - cert-gen
 
   esdb-node3:
-    build: ./
+    build: 
+      context: ./
+      secrets:
+        - nuget_auth_token
     env_file:
       - shared.env
     environment:
@@ -97,3 +106,7 @@ networks:
       driver: default
       config:
         - subnet: 172.30.240.0/24
+
+secrets:
+  nuget_auth_token:
+    environment: NUGET_AUTH_TOKEN
diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
@@ -12,9 +12,9 @@
     <PackageVersion Include="DotNext.Unsafe" Version="5.22.0" />
     <PackageVersion Include="EventStore.Client" Version="21.2.0" />
     <PackageVersion Include="EventStore.Client.Grpc.Streams" Version="23.3.3" />
-    <PackageVersion Include="EventStore.Plugins" Version="24.10.3" />
     <!--Version 8 and beyond are free for open-source projects and non-commercial use, but commercial use requires a paid license-->
     <PackageVersion Include="FluentAssertions" Version="6.12.2" />
+    <PackageVersion Include="FluentStorage.AWS" Version="5.5.0" />
     <PackageVersion Include="GitHubActionsTestLogger" Version="2.4.1">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -49,6 +49,7 @@
     <PackageVersion Include="Microsoft.Extensions.FileProviders.Composite" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.FileProviders.Embedded" Version="8.0.18" />
     <PackageVersion Include="Microsoft.FASTER.Core" Version="1.9.16" />
+    <PackageVersion Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
     <PackageVersion Include="Microsoft.Net.Http.Headers" Version="8.0.18" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageVersion Include="Microsoft.OpenApi.Readers" Version="1.6.24" />
@@ -62,7 +63,7 @@
     <PackageVersion Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.4.0" />
     <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.4.0" />
     <PackageVersion Include="Quickenshtein" Version="1.5.1" />
-    <PackageVersion Include="Scrutor" Version="4.2.2" />
+    <PackageVersion Include="Scrutor" Version="5.1.2" />
     <PackageVersion Include="Serilog" Version="4.3.0" />
     <PackageVersion Include="Serilog.Enrichers.Process" Version="3.0.0" />
     <PackageVersion Include="Serilog.Enrichers.Thread" Version="4.0.0" />
@@ -83,11 +84,14 @@
     <PackageVersion Include="System.IO.Pipelines" Version="8.0.0" />
     <PackageVersion Include="System.Linq.Async" Version="6.0.3" />
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
+    <PackageVersion Include="System.Private.Uri" Version="4.3.2" />
     <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
     <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.2" />
     <PackageVersion Include="System.ServiceModel.Http" Version="6.2.0" />
     <PackageVersion Include="System.Text.Json" Version="8.0.6" />
     <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
+    <PackageVersion Include="System.Threading.Channels" Version="9.0.8" />
+    <PackageVersion Include="TrogonEventStore.Plugins" Version="24.10.9" />
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.2">
       <PrivateAssets>all</PrivateAssets>

diff --git a/src/EventStore.Common/EventStore.Common.csproj b/src/EventStore.Common/EventStore.Common.csproj
@@ -26,6 +26,7 @@
 		<PackageReference Include="Serilog.Sinks.Async" />
 		<PackageReference Include="Serilog.Sinks.File" />
 		<PackageReference Include="Serilog.Sinks.Console" />
+		<PackageReference Include="System.Private.Uri" />
 
 		<PackageReference Include="System.Security.Cryptography.Pkcs" />
 		<PackageReference Include="System.Text.RegularExpressions" />

diff --git a/src/EventStore.Common/Utils/Helper.cs b/src/EventStore.Common/Utils/Helper.cs
@@ -7,7 +7,7 @@ namespace EventStore.Common.Utils;
 
 public static class Helper
 {
-	public static readonly UTF8Encoding UTF8NoBom = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false);
+	public static readonly UTF8Encoding UTF8NoBom = new(encoderShouldEmitUTF8Identifier: false);
 
 	public static void EatException(Action action)
 	{
@@ -20,6 +20,17 @@ public static void EatException(Action action)
 		}
 	}
 
+	public static void EatException<TArg>(TArg arg, Action<TArg> action)
+	{
+		try
+		{
+			action(arg);
+		}
+		catch (Exception)
+		{
-		catch (Exception)
-		{
+		catch (Exception ex)
+		{
+			System.Diagnostics.Trace.TraceError("Exception swallowed in EatException<TArg>: " + ex);
-		catch (Exception)
-		{
+		catch (Exception ex)
+		{
+			System.Diagnostics.Trace.TraceError("Exception swallowed in EatException<TArg>: " + ex);
+		}
+	}
+
 	public static T EatException<T>(Func<T> action, T defaultValue = default(T))
 	{
 		try