Get rid of dependencies

[ytterx]

As far as I can see this GitHub action depends on two dependencies that are not from GitHub them self or from verified users:

ilammy/msvc-dev-cmd
mamba-org/setup-micromamba

Would it be feasible to get rid of these two? As I need to whitelist certain GitHub actions due to policy, I now also need to whitelist these, but versions are for example not pinned down to specific patch versions. (See recent news on npm phishing and packaging issues)

At the minimum, versions should probably be pinned more specific, and maybe mamba-org/setup-micromamba@v1 should be upgraded to v2?

[wpbonelli]

Pinning specific versions seems like a good idea.

This action installs various toolchains from various package managers, in some cases without specifying a version explicitly. Is that a factor in your organization's threat model? If so, how does it compare to the risk of using 3rd party github actions?

Those two are only used with lfortran. Setup-micromamba because the mac runners don't have conda preinstalled, and conda is the easiest way to get lfortran. The MSVC action because this action tries to give you a compatible C/C++ toolchain too. That could be made optional. But my first response would be, if security is a big concern, probably best to manage installs yourself instead of using this action

[ytterx]

We are investigating how we want to proceed with building our code, still in the investigation phase if we can use this GitHub action or implement our own. It is fine if you want to keep the dependencies, we can work around that if we decide to go with this.

Thanks for your time and work!