close-master-prs: Use env variables and drop permission to job level

.github/workflows/close-master-prs.yml

@@ -1,29 +1,32 @@
 name: Close PRs to master
 
+# WARNING: Do NOT use org level secrets or checkout any code in this
+# workflow
+
 on:
   pull_request_target:
     types: [opened]
     branches:
       - master
   workflow_dispatch:
 
-permissions:
-  pull-requests: write
-
 jobs:
   close:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Check and close
         run: |
-          has_label=$(gh pr view "${{ github.event.pull_request.number }}" --json labels -q '.labels | any(.name == "leave-open")')
+          has_label=$(gh pr view "$PR_NUM" --json labels -q '.labels | any(.name == "leave-open")')
           if [[ "$has_label" != "true" ]]; then
               echo "leave-open label not found. Closing."
-              gh pr --repo "$REPO" close "${{ github.event.pull_request.number }}" -c "$COMMENT"
+              gh pr close "$PR_NUM" -c "$COMMENT"
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
+          PR_NUM: ${{ github.event.pull_request.number }}
           COMMENT: >
               This PR is automatically closed because application submission
               PRs must be made against the new-pr branch. If this is done