Update to .toml example #33
cc @carmenbianca since you pinged me a while ago about the latest changes bringing toml support etc. So I thought I'd update your docs/example according to the latest version. The GH action is also the exact same we use for the Nextcloud repositories (I just started migrating), i.e. https://github.com/nextcloud/.github/blob/master/workflow-templates/reuse.yml Nice work with shipping v4 and having the GH action out too 🎉
Rebased to fix conflicts. @mxmehl @carmenbianca any chance you can give me some feedback on the PR? No worries if you are busy - I can totally relate to that 👍
Sorry, I haven't seen this PR! I wonder whether we actually need the REUSE.toml file, and why I added the dep5 file in the beginning. I'd be fine with deleting it. Regarding the hashsums, I understand it from a security PoV, but I'd like to avoid that we need to update the values every time we release a new minor version.
Can't tell why it was added but I am fine either way
Your choice and decision of course. Yes, the hashsums are for security reasons with 2 aspects, the hash (supply chain attacks) and also pinning it to a specific version so the CI run is reproducible, like reproducible builds (not a build but a CI check here). So you basically execute v4-latest whatever that means at a given point in time, so re-triggering a v4 run is not necessarily the same thing 2 hours later if a new version of the action has been released in between. So it is a trade-off. I'd say both ways are fine, whatever you prefer: traceability (exactly known version and explicit updates) or comfort (auto update, always being latest-major)
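Added example, not part of the PR discussion or the project's code: a small audit that reads a workflow file and reports which `uses:` references are pinned to a full commit SHA and which float on a tag such as `v4`, the trade-off described in the comment above. The sample workflow is constructed and its 40-character hash is a placeholder, not a real commit.

```python
import re

# Captures the target of a step's `uses:` key, stopping before any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: REUSE compliance
on: [pull_request]
jobs:
  reuse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x.y (placeholder)
      - name: REUSE check
        uses: fsfe/reuse-action@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

def classify(ref):
    """Return 'pinned', 'floating' or 'local' for one `uses:` target."""
    if ref.startswith("./"):
        return "local"  # same-repository action, versioned with the repo itself
    if ref.startswith("docker://"):
        # Only an image digest is immutable; image tags can be re-pushed.
        return "pinned" if "@sha256:" in ref else "floating"
    _name, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.match(version):
        return "pinned"  # full commit SHA: re-running executes the same code
    return "floating"    # tag or branch: can point to new code between runs

def audit(workflow_text):
    """Return (line number, reference, status) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} -> {status}")
```

Keeping the release tag in a trailing comment next to the hash, as in the first step of the sample, preserves readability while the hash stays the value that is actually executed.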
Thanks. So I'd like to ask for the following:
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
@mxmehl applied all changes as discussed 👍
My pleasure, thanks for merging 😊
...and also update readme to reflect v4 and add checksums to the actions in use