Commit edd283c
security: remove vulnerable update_pylon_issue.yml workflow (#2206)
This workflow interpolated `${{ github.event.comment.body }}` directly
into a `run:` shell step, which allowed any GitHub user to execute
arbitrary code on the runner with the workflow's GITHUB_TOKEN by
posting a crafted issue/PR comment. That vector was exploited on
2026-04-24 to spoof PRs and publish a malicious package.

Removing the workflow entirely (rather than patching) since its only
function was auto-flipping a Pylon ticket to "waiting_on_you" on
comment, which can be reintroduced safely later via the env-var
indirection pattern and an author_association gate.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent: e5af7e7
1 file changed: 0 additions & 51 deletions (update_pylon_issue.yml deleted)
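The anti-pattern the message describes and the safe reintroduction it proposes (env-var indirection plus an author_association gate), as an added illustration that is not the repository's own workflow; the Pylon endpoint, the secret name and the job names are assumed placeholders:

```yaml
# Added illustration, not the repository's deleted workflow. The Pylon
# endpoint, secret name and status payload are assumed placeholders.
name: update-pylon-issue-example
on:
  issue_comment:          # fires for comments on both issues and PRs
    types: [created]

permissions:
  contents: read          # least privilege: nothing here needs write scopes

jobs:
  # ANTI-PATTERN (what the removed workflow did): the expression is expanded
  # into the script text before bash runs it, so shell metacharacters in the
  # comment body become part of the command line. Disabled; shown for
  # comparison only.
  vulnerable-do-not-use:
    if: false
    runs-on: ubuntu-latest
    steps:
      - run: echo "Comment: ${{ github.event.comment.body }}"

  # HARDENED: (1) gate on author_association so unprivileged accounts never
  # reach the step; (2) pass the body through an env var so it is data that
  # the shell never parses as code.
  notify-pylon:
    if: >-
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    env:
      COMMENT_BODY: ${{ github.event.comment.body }}   # untrusted input
      ISSUE_NUMBER: ${{ github.event.issue.number }}
    steps:
      - name: Flip Pylon ticket to waiting_on_you
        env:
          PYLON_TOKEN: ${{ secrets.PYLON_API_TOKEN }}   # assumed secret name
        run: |
          # "$COMMENT_BODY" is a quoted variable: its contents are never
          # interpreted as commands, whatever the comment contains.
          printf 'issue #%s: comment of %s bytes\n' "$ISSUE_NUMBER" "${#COMMENT_BODY}"
          # Placeholder endpoint and payload; substitute the real Pylon API call.
          curl -sS -X POST "https://api.pylon.example/issues/$ISSUE_NUMBER/status" \
            -H "Authorization: Bearer $PYLON_TOKEN" \
            -H 'Content-Type: application/json' \
            -d '{"state":"waiting_on_you"}'
```

A quick audit check for the anti-pattern across a repository is to search `.github/workflows/` for `${{ github.event.` occurrences that appear inside `run:` blocks rather than under `env:`.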