
security: remove vulnerable update_pylon_issue.yml workflow #2206

Merged
haritamar merged 1 commit into master from security/remove-vulnerable-comment-workflow on Apr 25, 2026

Conversation

@haritamar
Collaborator

@haritamar haritamar commented Apr 25, 2026

Summary

  • Deletes .github/workflows/update_pylon_issue.yml, which contained a GitHub Actions script-injection vulnerability.
  • The step echo "Comment Body: ${{ github.event.comment.body }}" interpolated the comment body directly into a shell run: block, letting any GitHub user execute arbitrary code on the runner with the workflow's GITHUB_TOKEN (and other secrets) by posting a crafted comment.
  • This vector was exploited on 2026-04-24 22:10 UTC by a throwaway account, which used the runner's token to create spoofed PRs (Automated Update: release/v0.23.2 (#2188) #2202, Automated Update: release/v0.23.2 (#2188) #2203, Automated Update: release/v0.23.2 (#2188) #2204) and trigger the release workflow — publishing a malicious elementary-data 0.23.3 to PyPI.

Why a full delete (not a patch)

The workflow's only function was flipping a Pylon ticket state to waiting_on_you on every issue/PR comment. Removing it stops the bleeding now; if the Pylon integration is still wanted, it should be reintroduced separately with:

  • env-var indirection (env: COMMENT_BODY: ${{ github.event.comment.body }} + "$COMMENT_BODY" in the script), and
  • an author_association gate (e.g. only OWNER/MEMBER/COLLABORATOR) so untrusted commenters can't trigger it.

Follow-ups not in this PR

Test plan

  • Confirm no other workflow depends on this file.
  • Confirm Pylon ticket state automation loss is acceptable until a hardened replacement lands.

Summary by CodeRabbit

  • Chores
    • Removed automated workflow that previously synchronized pull request activity with an external issue tracking system.

This workflow interpolated `${{ github.event.comment.body }}` directly
into a `run:` shell step, which allowed any GitHub user to execute
arbitrary code on the runner with the workflow's GITHUB_TOKEN by
posting a crafted issue/PR comment. That vector was exploited on
2026-04-24 to spoof PRs and publish a malicious package.

Removing the workflow entirely (rather than patching) since its only
function was auto-flipping a Pylon ticket to "waiting_on_you" on
comment, which can be reintroduced safely later via the env-var
indirection pattern and an author_association gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
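Added example, not code from the PR or from the deleted workflow: a small scanner that flags `run:` steps which expand `github.event.*` into shell, run over two constructed workflows that mirror the vulnerable pattern and the env-var indirection plus author_association gate described above.

```python
"""Flag GitHub Actions `run:` steps that expand untrusted event data.

Added example, not part of the PR. The two workflows below are constructed
to mirror the vulnerable pattern and the hardened form described in the PR.
"""
import re

# Any expression that expands github.event.* (attacker-controlled text such as
# a comment body) directly into a shell script.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.")

VULNERABLE = """\
on: issue_comment
jobs:
  pylon:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment Body: ${{ github.event.comment.body }}"
"""

HARDENED = """\
on: issue_comment
jobs:
  pylon:
    if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: echo "Comment Body: $COMMENT_BODY"
"""

def find_injections(workflow_text: str) -> list[int]:
    """Return 1-based line numbers inside run: scripts that expand github.event.*."""
    hits, run_indent = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = re.match(r"(-\s+)?run:\s*(.*)$", stripped)
        if m:  # start of a run: step; key indent includes any "- " list marker
            run_indent = indent + len(m.group(1) or "")
            if UNTRUSTED.search(m.group(2)):
                hits.append(lineno)
        elif run_indent is not None:
            if stripped and indent <= run_indent:
                run_indent = None  # dedented: the block scalar has ended
            elif UNTRUSTED.search(line):
                hits.append(lineno)
    return hits

def has_author_gate(workflow_text: str) -> bool:
    """True if some if: condition checks the commenter's author_association."""
    return any(re.match(r"if:.*author_association", ln.strip())
               for ln in workflow_text.splitlines())
```

The env-var form is safe because `$COMMENT_BODY` is expanded by the shell as data, not pasted into the script text before it is parsed.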
@github-actions
Contributor

👋 @haritamar
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

@coderabbitai

coderabbitai Bot commented Apr 25, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between e5af7e7 and 13abb36.

📒 Files selected for processing (1)
  • .github/workflows/update_pylon_issue.yml

Walkthrough

A GitHub workflow file that synchronized issue comments with a Pylon ticket tracking system has been removed. The workflow previously listened for issue comment events, extracted ticket identifiers, and updated ticket state via the Pylon API.

Changes

Cohort / File(s) | Summary
Workflow Removal (.github/workflows/update_pylon_issue.yml) | Deleted workflow that listened for issue_comment events, retrieved the issue/PR body via the GitHub REST API, extracted Pylon ticket UUIDs from HTML comments, and issued PATCH requests to the Pylon API to update ticket state to "waiting_on_you".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow once danced with Pylon's bright API,
Syncing tickets with comments, so clever and spry,
But now it has vanished, removed from our sight,
Farewell to the automation, we bid you goodnight! 🌙


@haritamar haritamar merged commit edd283c into master Apr 25, 2026
23 of 25 checks passed
@haritamar haritamar deleted the security/remove-vulnerable-comment-workflow branch April 25, 2026 09:59