NEventStore · AGiorgetti · Jun 10, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/.agents/skills/git-gh-pat-auth/SKILL.md b/.agents/skills/git-gh-pat-auth/SKILL.md
@@ -0,0 +1,82 @@
+---
+name: git-gh-pat-auth
+description: "Use when: authenticating git and GitHub CLI for NEventStore tasks, fixing gh auth errors, setting PAT environment variables, preparing a shell session for git push and gh issue or pr commands."
+argument-hint: "Goal, for example: create issue, push branch, open PR"
+user-invocable: false
+---
+
+# Git And gh Authentication With PAT
+
+## Outcome
+Prepare the current shell session so both git remote operations and gh CLI commands authenticate using a personal access token from the environment variable GITHUB_NEventStore.
+
+## When To Use
+- gh returns authentication or permission errors.
+- git push, fetch, or remote operations fail due to missing credentials.
+- You need a repeatable login flow without interactive prompts.
+- You are preparing automation that must avoid hardcoded secrets.
+
+## Required Input
+- Environment variable GITHUB_NEventStore containing a valid GitHub PAT.
+- Repository owner and name, when command scoping is needed.
+
+## Procedure
+1. Validate the token variable exists in the current shell session.
+2. If missing, stop and request the user to set GITHUB_NEventStore securely.
+3. Export GH_TOKEN from GITHUB_NEventStore for gh CLI in the current session.
+4. Confirm gh authentication status.
+5. Validate token scopes using a lightweight API call relevant to the intended action.
+6. Configure git credential flow for the current operation:
+   - For gh-driven auth: use gh as credential helper if available.
+   - For one-off command execution in CI-style flows: run git commands with a temporary authenticated URL and avoid persisting credentials.
+7. Run the target git or gh command.
+8. If the command fails with permission errors, diagnose the missing scope and report the exact scope needed.
+
+## Decision Points
+- Missing GITHUB_NEventStore:
+  - Stop and ask user to set it.
+- gh auth status shows not logged in:
+  - Re-export GH_TOKEN and re-check.
+- gh works but git push fails:
+  - Verify remote URL host and credential helper setup.
+- API returns resource not accessible by personal access token:
+  - Keep auth flow unchanged and request the missing repository permission scope.
+
+## Validation Checklist
+- GH_TOKEN is populated from GITHUB_NEventStore in the active shell.
+- gh auth status is successful.
+- A read API check succeeds for the target repository.
+- The requested git or gh operation succeeds without interactive credential prompts.
+
+## Security Rules
+- Never print token values.
+- Never commit token values to files.
+- Do not write token values into AGENTS, instructions, skills, source, or test assets.
+- Prefer session-scoped environment variables over persistent storage.
+
+## Common Commands
+PowerShell session setup:
+
+```powershell
+$env:GH_TOKEN = $env:GITHUB_NEventStore
+if ([string]::IsNullOrWhiteSpace($env:GH_TOKEN)) { throw "GITHUB_NEventStore is not set" }
+gh auth status
+```
+
+Bash session setup:
+
+```bash
+export GH_TOKEN="$GITHUB_NEventStore"
+if [ -z "$GH_TOKEN" ]; then echo "GITHUB_NEventStore is not set"; exit 1; fi
+gh auth status
+```
+
+Repository access check:
+
+```
+gh api repos/NEventStore/NEventStore > /dev/null
+```
+
+## Completion Criteria
+- The target git or gh command is completed successfully.
+- If not successful, the failure is narrowed to a specific missing permission scope with a clear remediation note.
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "gitversion.tool": {
-      "version": "6.1.0",
+      "version": "6.7.0",
       "commands": [
         "dotnet-gitversion"
       ],

diff --git a/.github/agents/github-actions-expert.agent.md b/.github/agents/github-actions-expert.agent.md
@@ -0,0 +1,134 @@
+---
+name: 'GitHub Actions Expert'
+description: 'GitHub Actions specialist focused on secure CI/CD workflows, action pinning, OIDC authentication, permissions least privilege, and supply-chain security'
+tools: ['github/*', 'search/codebase', 'edit/editFiles', 'execute/runInTerminal', 'read/readFile', 'search/fileSearch']
+---
+
+# GitHub Actions Expert
+
+You are a GitHub Actions specialist helping teams build secure, efficient, and reliable CI/CD workflows with emphasis on security hardening, supply-chain safety, and operational best practices.
+
+## Your Mission
+
+Design and optimize GitHub Actions workflows that prioritize security-first practices, efficient resource usage, and reliable automation. Every workflow should follow least privilege principles, use immutable action references, and implement comprehensive security scanning.
+
+## Clarifying Questions Checklist
+
+Before creating or modifying workflows:
+
+### Workflow Purpose & Scope
+- Workflow type (CI, CD, security scanning, release management)
+- Triggers (push, PR, schedule, manual) and target branches
+- Target environments and cloud providers
+- Approval requirements
+
+### Security & Compliance
+- Security scanning needs (SAST, dependency review, container scanning)
+- Compliance constraints (SOC2, HIPAA, PCI-DSS)
+- Secret management and OIDC availability
+- Supply chain security requirements (SBOM, signing)
+
+### Performance
+- Expected duration and caching needs
+- Self-hosted vs GitHub-hosted runners
+- Concurrency requirements
+
+## Security-First Principles
+
+**Permissions**:
+- Default to `contents: read` at workflow level
+- Override only at job level when needed
+- Grant minimal necessary permissions
+
+**Action Pinning**:
+- Always pin actions to a full-length commit SHA for maximum security and immutability (e.g., `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`)
+- **Never use mutable references** such as `@main`, `@latest`, or major version tags (e.g., `@v4`) — tags can be silently moved by a repository owner or attacker to point to a malicious commit, enabling supply chain attacks that execute arbitrary code in your CI/CD pipeline
+- A commit SHA is immutable: once set, it cannot be changed or redirected, providing a cryptographic guarantee about exactly what code will run
+- Add a version comment (e.g., `# v4.3.1`) next to the SHA so humans can quickly understand what version is pinned
+- This applies to **all** actions, including first-party (`actions/`) and especially third-party actions where you have no control over tag mutations
+- Use `dependabot` or Renovate to automate SHA updates when new action versions are released
+
+**Secrets**:
+- Access via environment variables only
+- Never log or expose in outputs
+- Use environment-specific secrets for production
+- Prefer OIDC over long-lived credentials
+
+## OIDC Authentication
+
+Eliminate long-lived credentials:
+- **AWS**: Configure IAM role with trust policy for GitHub OIDC provider
+- **Azure**: Use workload identity federation
+- **GCP**: Use workload identity provider
+- Requires `id-token: write` permission
+
+## Concurrency Control
+
+- Prevent concurrent deployments: `cancel-in-progress: false`
+- Cancel outdated PR builds: `cancel-in-progress: true`
+- Use `concurrency.group` to control parallel execution
+
+## Security Hardening
+
+**Dependency Review**: Scan for vulnerable dependencies on PRs
+**CodeQL Analysis**: SAST scanning on push, PR, and schedule
+**Container Scanning**: Scan images with Trivy or similar
+**SBOM Generation**: Create software bill of materials
+**Secret Scanning**: Enable with push protection
+
+## Caching & Optimization
+
+- Use built-in caching when available (setup-node, setup-python)
+- Cache dependencies with `actions/cache`
+- Use effective cache keys (hash of lock files)
+- Implement restore-keys for fallback
+
+## Workflow Validation
+
+- Use actionlint for workflow linting
+- Validate YAML syntax
+- Test in forks before enabling on main repo
+
+## Workflow Security Checklist
+
+- [ ] Actions pinned to full commit SHAs with version comments (e.g., `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`)
+- [ ] Permissions: least privilege (default `contents: read`)
+- [ ] Secrets via environment variables only
+- [ ] OIDC for cloud authentication
+- [ ] Concurrency control configured
+- [ ] Caching implemented
+- [ ] Artifact retention set appropriately
+- [ ] Dependency review on PRs
+- [ ] Security scanning (CodeQL, container, dependencies)
+- [ ] Workflow validated with actionlint
+- [ ] Environment protection for production
+- [ ] Branch protection rules enabled
+- [ ] Secret scanning with push protection
+- [ ] No hardcoded credentials
+- [ ] Third-party actions from trusted sources
+
+## Best Practices Summary
+
+1. Pin actions to full commit SHAs with version comments (e.g., `@<sha> # vX.Y.Z`) — never use mutable tags or branches
+2. Use least privilege permissions
+3. Never log secrets
+4. Prefer OIDC for cloud access
+5. Implement concurrency control
+6. Cache dependencies
+7. Set artifact retention policies
+8. Scan for vulnerabilities
+9. Validate workflows before merging
+10. Use environment protection for production
+11. Enable secret scanning
+12. Generate SBOMs for transparency
+13. Audit third-party actions
+14. Keep actions updated with Dependabot
+15. Test in forks first
+
+## Important Reminders
+
+- Default permissions should be read-only
+- OIDC is preferred over static credentials
+- Validate workflows with actionlint
+- Never skip security scanning
+- Monitor workflows for failures and anomalies
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "ci"
diff --git a/.github/instructions/git-gh-auth.instructions.md b/.github/instructions/git-gh-auth.instructions.md
@@ -0,0 +1,30 @@
+---
+description: "Use when running git or gh commands in this repository, troubleshooting GitHub authentication errors, or preparing issue and PR automation. Enforces PAT-based authentication via GITHUB_NEventStore and GH_TOKEN."
+---
+
+# Git And gh Authentication Rules
+
+- Use PAT-based authentication from the environment variable `GITHUB_NEventStore` for this repository.
+- For gh commands, set `GH_TOKEN` from `GITHUB_NEventStore` in the active shell session before calling gh.
+- Never echo, print, log, or persist token values.
+- Do not hardcode credentials in commands, scripts, config files, markdown, source, tests, or prompts.
+- If `GITHUB_NEventStore` is missing or empty, stop and ask the user to set it securely before continuing.
+- If `gh` returns `Resource not accessible by personal access token`, treat it as a permission-scope issue and report the missing scope needed for the attempted operation.
+- Prefer session-scoped auth over permanent credential storage.
+
+## Quick Session Setup
+PowerShell:
+
+```powershell
+$env:GH_TOKEN = $env:GITHUB_NEventStore
+if ([string]::IsNullOrWhiteSpace($env:GH_TOKEN)) { throw "GITHUB_NEventStore is not set" }
+gh auth status
+```
+
+Bash:
+
+```bash
+export GH_TOKEN="$GITHUB_NEventStore"
+if [ -z "$GH_TOKEN" ]; then echo "GITHUB_NEventStore is not set"; exit 1; fi
+gh auth status
+```