Replace peter-evans/dockerhub-description and snok/container-retention-policy with first-party alternatives

[Copilot]

Eliminates two third-party Actions dependencies by replacing them with direct API calls using tooling already available on GitHub-hosted runners (gh CLI, PowerShell Invoke-RestMethod).

push-container-images.yml — Docker Hub description updates

Replaces 4× peter-evans/dockerhub-description steps with a single PowerShell step that authenticates against the Docker Hub REST API and PATCHes all four repositories in a loop:

$loginResponse = Invoke-RestMethod -Uri "https://hub.docker.com/v2/users/login" -Method Post ...
$token = $loginResponse.token

foreach ($repo in $repos) {
    $readmeContent = Get-Content -Raw $repo.readme
    Invoke-RestMethod -Uri "https://hub.docker.com/v2/repositories/particular/$($repo.name)/" `
        -Method Patch -Headers @{ Authorization = "******" } -Body ...
}

Credentials are injected via env: to avoid interpolating secrets directly into the script body.

clean-ghcr.yml — GHCR image retention

Replaces snok/container-retention-policy with a bash step using gh api + jq. Replicates the original policy: delete versions older than 2 weeks that are untagged or have tags matching pr-* / *-alpha.* (tag-selection: both).

gh api --paginate "/orgs/particular/packages/container/${image}/versions" | \
  jq -r --arg cutoff "$cutoff" \
    '.[] | select(.updated_at < $cutoff)
         | select(.metadata.container.tags | (length == 0 or any(.[]; test("^pr-") or test("-alpha\\."))))
         | .id' \
| while read -r version_id; do
    gh api --method DELETE "/orgs/particular/packages/container/${image}/versions/${version_id}"
  done

Explicit permissions: packages: write added to the job since the default GITHUB_TOKEN scope doesn't guarantee it.