chore(ci): add Docker Hub as secondary container registry

Publish Docker images to both Docker Hub (docker.io/wikid82/charon) and
GitHub Container Registry (ghcr.io/wikid82/charon) for maximum reach.

Add Docker Hub login with secret existence check for graceful fallback
Update docker/metadata-action to generate tags for both registries
Add Cosign keyless signing for both GHCR and Docker Hub images
Attach SBOM to Docker Hub via cosign attach sbom
Add Docker Hub signature verification to supply-chain-verify workflow
Update README with Docker Hub badges and dual registry examples
Update getting-started.md with both registry options
Supply chain security maintained: identical tags, signatures, and SBOMs
on both registries. PR images remain GHCR-only.

docs/getting-started.md

@@ -28,7 +28,10 @@ Create a file called `docker-compose.yml`:
 ```yaml
 services:
   charon:
-    image: ghcr.io/wikid82/charon:latest
+    # Docker Hub (recommended)
+    image: wikid82/charon:latest
+    # Alternative: GitHub Container Registry
+    # image: ghcr.io/wikid82/charon:latest
     container_name: charon
     restart: unless-stopped
     ports:
@@ -50,6 +53,22 @@ docker-compose up -d
 
 ### Option B: Docker Run (One Command)
 
+**Docker Hub (recommended):**
+
+```bash
+docker run -d \
+  --name charon \
+  -p 80:80 \
+  -p 443:443 \
+  -p 8080:8080 \
+  -v ./charon-data:/app/data \
+  -v /var/run/docker.sock:/var/run/docker.sock:ro \
+  -e CHARON_ENV=production \
+  wikid82/charon:latest
+```
+
+**Alternative (GitHub Container Registry):**
+
 ```bash
 docker run -d \
   --name charon \