Backport SharpCompress removal from ConsolidateCalamariPackages to 2026.1

[enf0rc3]

Background

We want to bump/remove the vulnerable SharpCompress version in Octopus Server 2026.1, but cannot while Calamari.ConsolidateCalamariPackages still depends on SharpCompress. That library is loaded in-process by Server, so a Server-side SharpCompress bump breaks it at runtime: the 0.x API renamed ZipArchive.Open -> OpenArchive, throwing MissingMethodException.

The same problem was already resolved on 2026.2 / main by switching the library to System.IO.Compression. This PR backports that work to 2026.1.

Discussed in Slack: https://octopusdeploy.slack.com/archives/C03SG0LFJHX/p1781237251289469

Results

Straight cherry-picks (merge commits, -m 1) of:

• ConsolidatePackages: Use System.IO.Compression and slightly tweak extraction loop #1913 - switch ConsolidateCalamariPackages from SharpCompress to System.IO.Compression
• Fix handling of duplicate files in the Calamari package, add tests #1926 - fix duplicate-file regression introduced by ConsolidatePackages: Use System.IO.Compression and slightly tweak extraction loop #1913, add tests

Both are required and applied in order: #1913 alone ships the duplicate-file bug that #1926 fixes.

Note: the SharpCompress <PackageReference> on 2026.1 carried a <NoWarn>NU1902</NoWarn> suppression that did not exist on main, so the cherry-pick could not auto-remove it. It was removed manually; the project csproj now matches main exactly.

This is a self-contained Calamari change and does not require a corresponding Server change (per #1913). It unblocks the separate, planned Server SharpCompress bump.

[APErebus]

LGTM. Just a friendly reminder to do a normal commit, not a squash 😃