feat(ci): add Docker Hub publishing for releases

- Dev branch: GHCR only (ghcr.io/host-uk/*)
- Main branch + tags: GHCR + Docker Hub (lthn/*)
- Requires DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflows/build.yml

@@ -1,17 +1,16 @@
 # Host UK Container Images
-# Publishes to GHCR with separate image repos
 #
-# GHCR: ghcr.io/host-uk/core-dev
-# GHCR: ghcr.io/host-uk/server-php
+# Dev branch:  ghcr.io/host-uk/{core-dev,server-php}:dev
+# Tags/Main:   ghcr.io/host-uk/{core-dev,server-php}:latest + lthn/{core-dev,server-php}:latest
 
 name: Build Images
 
 on:
   push:
-    branches: [dev]
+    branches: [dev, main]
     tags: ['v*']
   pull_request:
-    branches: [dev]
+    branches: [dev, main]
   workflow_dispatch:
 
 env:
@@ -37,8 +36,10 @@ jobs:
         include:
           - image: developer
             ghcr_name: core-dev
+            dockerhub_name: core-dev
           - image: server-php
             ghcr_name: server-php
+            dockerhub_name: server-php
 
     steps:
       - name: Checkout
@@ -58,17 +59,46 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata
-        id: meta
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Determine if release build
+        id: release
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]] || [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "is_release=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Extract metadata (GHCR only - dev builds)
+        if: steps.release.outputs.is_release == 'false'
+        id: meta-dev
         uses: docker/metadata-action@v5
         with:
           images: |
             ${{ env.GHCR_REGISTRY }}/host-uk/${{ matrix.ghcr_name }}
           tags: |
-            # dev branch -> dev tag
             type=ref,event=branch
-            # PR number
             type=ref,event=pr
+          flavor: |
+            latest=false
+
+      - name: Extract metadata (GHCR + Docker Hub - release builds)
+        if: steps.release.outputs.is_release == 'true'
+        id: meta-release
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.GHCR_REGISTRY }}/host-uk/${{ matrix.ghcr_name }}
+            lthn/${{ matrix.dockerhub_name }}
+          tags: |
+            # main branch -> latest
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
             # Semver tags (v1.0.0 -> 1.0.0, 1.0, 1, latest)
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
@@ -83,8 +113,8 @@ jobs:
           context: ./${{ matrix.image }}
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta-dev.outputs.tags || steps.meta-release.outputs.tags }}
+          labels: ${{ steps.meta-dev.outputs.labels || steps.meta-release.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -98,6 +128,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
 
     strategy:
+      fail-fast: false
       matrix:
         image: [developer, server-php]
         arch: [amd64, arm64]