Commit 05cb0e6

revert: drop docker hub description sync job
The sync-description job added in #1544 fails in CI because the DOCKERHUB_USERNAME secret is set to the org name (manifestdotbuild), which works for docker/login-action (registry API) but is rejected by docker-pushrm's web-API login endpoint — you can't log into hub.docker.com as an org, only as a user with access to the org.

Fixing this properly would require either rotating DOCKERHUB_USERNAME to a personal user's login (risks affecting other workflows that might rely on the org-scoped semantic) or adding a second set of secrets for the sync job only. Neither is worth it right now — maintainer will keep updating the Docker Hub description manually.

Revert:
- Remove sync-description job from .github/workflows/docker.yml
- Remove the push: main trigger that existed only to fire sync-description
- Remove the CLAUDE.md 'Docker Hub description' subsection
- Remove the sync-description mentions from the 'Cutting a Docker release' checklist and the CI triggers summary table
- Add a step 4 to the release checklist reminding the maintainer to copy docker/DOCKER_README.md to the Docker Hub page by hand

Not reverted (intentionally kept):
- docker/DOCKER_README.md content refresh (drop deprecated npm badge, update 'personal AI agents' framing, add Image tags section, etc.)
- docker/DOCKER_README.md removal from the pull_request paths filter (content-only PRs shouldn't trigger a 7-minute multi-arch rebuild)
1 parent 478e1b7 commit 05cb0e6

2 files changed

+3
-42
lines changed

.github/workflows/docker.yml

Lines changed: 0 additions & 34 deletions
@@ -7,11 +7,6 @@ on:
77
description: "Optional version override (e.g. 5.38.1). Leave blank to use the current version from packages/manifest/package.json."
88
required: false
99
type: string
10-
push:
11-
branches: [main]
12-
paths:
13-
- "docker/DOCKER_README.md"
14-
- ".github/workflows/docker.yml"
1510
pull_request:
1611
branches: [main]
1712
paths:
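Review bot: with the `push:` block gone, the `pull_request:` `paths:` filter that follows is the only remaining trigger that can exercise this workflow automatically, and its list is cut off in this hunk; confirm it still contains `.github/workflows/docker.yml` (the deleted block was the only visible trigger naming that file), otherwise edits to the workflow itself land on `main` without any validation run. Dropping the `push` event does narrow the set of events that can start a workflow carrying Docker Hub credentials to `workflow_dispatch` and `pull_request`, which is the right direction for a secret-bearing workflow.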
@@ -114,32 +109,3 @@ jobs:
114109
for tag in ${TAGS}; do
115110
cosign sign --yes "${tag}@${DIGEST}"
116111
done
117-
118-
sync-description:
119-
name: Sync Docker Hub description
120-
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
121-
runs-on: ubuntu-latest
122-
steps:
123-
- uses: actions/checkout@v4
124-
125-
- name: Push README to Docker Hub
126-
env:
127-
DOCKER_USER: ${{ secrets.DOCKERHUB_USERNAME }}
128-
DOCKER_PASS: ${{ secrets.DOCKERHUB_TOKEN }}
129-
run: |
130-
# Pinned to immutable digest for supply-chain safety.
131-
# The underlying tool is chko/docker-pushrm:1. When bumping the tag,
132-
# fetch the current digest with:
133-
# TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:chko/docker-pushrm:pull" | jq -r .token)
134-
# curl -sI -H "Authorization: Bearer $TOKEN" \
135-
# -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
136-
# https://registry-1.docker.io/v2/chko/docker-pushrm/manifests/1 | grep -i docker-content-digest
137-
docker run --rm \
138-
-v "$GITHUB_WORKSPACE/docker/DOCKER_README.md:/data/README.md:ro" \
139-
-e DOCKER_USER \
140-
-e DOCKER_PASS \
141-
chko/docker-pushrm@sha256:812a950e5be7dca26cef33b61eb2076bfcfb6c2a8ec96c126371fc049c3b6608 \
142-
--file /data/README.md \
143-
--short "Smart LLM router for personal AI agents. Cut costs up to 70%." \
144-
--debug \
145-
manifestdotbuild/manifest
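Review bot: the deleted step ran `chko/docker-pushrm` with `--debug` while receiving `DOCKER_PASS` from `secrets.DOCKERHUB_TOKEN`; before treating the failed runs as closed, check their CI logs for any echo of the token and rotate `DOCKERHUB_TOKEN` if one appears. When the sync is revisited, the commit message's second option (a separate set of secrets for this job) is also the least-privilege one: a dedicated token for the description update rather than the image-push token lets the two credentials be rotated and revoked independently. The digest-lookup recipe in the deleted comment block is worth carrying into CLAUDE.md or the follow-up so the immutable-digest pinning is not lost when the job returns.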

CLAUDE.md

Lines changed: 3 additions & 8 deletions
@@ -506,24 +506,19 @@ Changesets are **not** required on every PR — they're optional and only meanin
506506

507507
1. Merge the pending `chore: version packages` PR to land the version bump in `packages/manifest/package.json`.
508508
2. Go to **GitHub Actions → Docker → Run workflow**, leave the `version` input blank, click Run.
509-
3. The `publish` job reads `packages/manifest/package.json`, resolves the version automatically, and pushes `manifestdotbuild/manifest:{version}` + `{major}.{minor}` + `{major}` + `sha-<short>` to Docker Hub. The image is multi-arch (amd64 + arm64) and cosign-signed. The `sync-description` job also runs in the same workflow_dispatch and pushes the latest `docker/DOCKER_README.md` to the Docker Hub repo description.
509+
3. The `publish` job reads `packages/manifest/package.json`, resolves the version automatically, and pushes `manifestdotbuild/manifest:{version}` + `{major}.{minor}` + `{major}` + `sha-<short>` to Docker Hub. The image is multi-arch (amd64 + arm64) and cosign-signed.
510+
4. **Manually update the Docker Hub description** on hub.docker.com by copy-pasting the current contents of `docker/DOCKER_README.md`. (Automating this sync hit a wall because `docker-pushrm` and the Docker Hub web API need a personal-user PAT and the existing secrets are scoped to the org — tracked as a follow-up, not blocking releases.)
510511

511512
To retag an older commit or publish a hotfix version that doesn't match the current `package.json`, pass a semver string in the `version` input and it overrides the package.json lookup.
512513

513-
### Docker Hub description
514-
515-
`docker/DOCKER_README.md` is the source of truth for the Docker Hub repo description at [`manifestdotbuild/manifest`](https://hub.docker.com/r/manifestdotbuild/manifest). The `sync-description` job in `docker.yml` pushes it to Docker Hub via the [`chko/docker-pushrm`](https://github.com/christian-korneck/docker-pushrm) container image (standalone `docker run`, no third-party GitHub Action). It uses the same `DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN` secrets as the publish job — the Docker Hub PAT needs write access to the repo, which the existing token already has for image pushes. Edits to `docker/DOCKER_README.md` are treated as doc-only: they do **not** trigger the PR validate job (no point rebuilding multi-arch images for content changes), and they auto-sync to Docker Hub on merge to main via a dedicated `push:` trigger with a narrow paths filter. The `chko/docker-pushrm` image is pinned to an immutable digest in the workflow — when bumping, re-fetch the digest via `docker manifest inspect chko/docker-pushrm:1` or the registry API (see the inline comment in `docker.yml`).
516-
517514
### Summary of what CI does on each trigger
518515

519516
| Trigger | What happens |
520517
|---------|--------------|
521518
| PR opened/updated (runtime files) | `ci.yml` runs tests, lint, typecheck, coverage. `docker.yml` validates the Docker build (no push). `changeset-check` warns softly if no changeset is present. |
522-
| PR opened/updated (`docker/DOCKER_README.md` only) | No Docker CI runs — content-only change, nothing to validate. |
523519
| Merge to `main` | `release.yml` runs `changesets/action` to open or update the `chore: version packages` PR. **No auto-publish** — neither npm nor Docker. |
524520
| Merge of `chore: version packages` PR | `release.yml` runs again. Version bump in `packages/manifest/package.json` and the CHANGELOG update land on `main`. Still no image publish. |
525-
| Merge of a PR that touched `docker/DOCKER_README.md` | `docker.yml` `sync-description` job runs, pushing the new README to Docker Hub via `chko/docker-pushrm`. No image rebuild. |
526-
| Manual `workflow_dispatch` on `Docker` workflow | `publish` job reads `packages/manifest/package.json` and pushes a new image tag to Docker Hub. `sync-description` also runs in parallel and re-syncs the Docker Hub description. This is the **only** path that publishes image artifacts. |
521+
| Manual `workflow_dispatch` on `Docker` workflow | Reads `packages/manifest/package.json` and pushes a new image tag to Docker Hub. This is the **only** path that publishes anything. |
527522

528523
## Code Coverage (Codecov)
529524

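Review bot: the removed table row "PR opened/updated (docker/DOCKER_README.md only) | No Docker CI runs — content-only change, nothing to validate." documented behaviour this commit explicitly keeps (the commit message says the `docker/DOCKER_README.md` removal from the `pull_request` paths filter is not reverted), so that row should stay; deleting it leaves the table silent on what happens for README-only PRs. The new step 4 says the sync is "tracked as a follow-up" but neither it nor the commit message links an issue; add the reference or drop the claim so the checklist does not point at a tracker that may not exist. Step 4 could also carry over the one sentence from the deleted subsection that still holds: `docker/DOCKER_README.md` is the source of truth for the Docker Hub description.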