ci: mirror image pushes to ghcr.io/shadowdao

Adds a second registry login + tag to both build-push workflows so each
build publishes to ghcr.io alongside the in-house Gitea registry. Single
build, two destinations — docker/build-push-action handles the multi-tag
push in one step.

Requires Gitea Actions secret GHCR_TOKEN (a classic PAT with
write:packages on the shadowdao user).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-push-coraza.yaml

@@ -34,6 +34,15 @@ jobs:
           username: ${{ secrets.CI_USER }}
           password: ${{ secrets.CI_TOKEN }}
 
+      # Mirror to GitHub Container Registry — see build-push.yaml for the
+      # secret/username convention.
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: shadowdao
+          password: ${{ secrets.GHCR_TOKEN }}
+
       - name: Build Image
         uses: docker/build-push-action@v6
         with:
@@ -42,3 +51,4 @@ jobs:
           push: true
           tags: |
             repo.anhonesthost.net/cloud-hosting-platform/coraza-spoa:latest
+            ghcr.io/shadowdao/coraza-spoa:latest