feat(release): publish netclawd Docker image to Docker Hub alongside GHCR

[Aaronontheweb]

Context

The containerize-daemon-and-evals change (PR upcoming) adds a
publish-docker job to publish_release_binaries.yml that publishes
the netclawd image to GitHub Container Registry (GHCR) on release tags:

• ghcr.io/aaronontheweb/netclawd:latest
• ghcr.io/aaronontheweb/netclawd:${version}
• ghcr.io/aaronontheweb/netclawd:v${major}.${minor}

GHCR was chosen because it needs no additional secret wiring
(secrets.GITHUB_TOKEN is sufficient) and creates the package
automatically on first push.

Problem

GHCR is lower-discoverability than Docker Hub for new users. Many
operators default to docker pull <name> expecting Docker Hub as the
implicit registry. Publishing only to GHCR forces them to prefix the
registry explicitly (docker pull ghcr.io/aaronontheweb/netclawd),
which is friction.

Proposal

Extend publish-docker to push the same image digest to Docker Hub as
a second destination:

• aaronontheweb/netclawd:latest
• aaronontheweb/netclawd:${version}
• aaronontheweb/netclawd:v${major}.${minor}

Prerequisites

• Create the `aaronontheweb/netclawd` repository on Docker Hub manually
  before the first push (Docker Hub does not auto-create repos on push
  the way GHCR does).
• Add `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` secrets to the repo
  settings.
• Add a second `docker/login-action@v3` step to the `publish-docker`
  job targeting Docker Hub.
• Tag the built image with both registries (`docker tag`) and push
  both.

Related

• PR: `feat(daemon): containerize netclawd and rewire evals` (upcoming)
• OpenSpec change: `openspec/changes/containerize-daemon-and-evals`