security: remove legacy publish-state-file write

[BYK]

Summary

Drops the legacy-location write that #7886 added as a rollout aid for getsentry/craft#797. Craft 2.26.0 ships the new-location read/write and is now live on getsentry/craft:latest, so the dual-write is no longer needed.

Context

• security: dual-write publish state file to safe location #7886 (merged): started dual-writing the publish-state file to BOTH the legacy cwd location AND the safe $XDG_STATE_HOME/craft/ location, so both old and new Craft images could find it during the rollout.
• security(publish): move publish-state file out of repo cwd craft#797 (merged, shipped in 2.26.0 at 2026-04-21T20:10Z): Craft reads/writes only the safe location.
• This PR: drop the legacy write. The new-write logic is unchanged from what security: dual-write publish state file to safe location #7886 already exercises in production.

Verification

• Pulled the released craft 2.26.0 binary, seeded a state file at the new location only, ran craft publish 9.9.9 against a synthetic repo, and confirmed Craft logged Found publish state file, resuming from there... and honoured the published field to skip the target. End-to-end confirmation of the new-location read path with the 2.26.0 binary.
• Bash filename generation and Craft's Node filename generation produce byte-identical strings — verified earlier (in security: dual-write publish state file to safe location #7886 description) and unchanged here.
• YAML still parses (python3 -c "import yaml; yaml.safe_load(...)").

Diff

8 insertions, 17 deletions: the legacy block is removed, comment updated to name the actual Craft PR (#797) that shipped the reader, and the remaining variables lose their new_ prefix since there's only one location now.

Rollback

If something regresses, revert this PR; #7886's dual-write code returns and both locations are written again. Old Craft images would still work off the legacy location.