Update to .toml example #33

Merged
merged 1 commit into from
Sep 9, 2024


AndyScherzinger
Contributor

...and also update readme to reflect v4 and add checksums to the actions in use

@AndyScherzinger
Contributor Author

AndyScherzinger commented Jul 4, 2024

cc @carmenbianca since you pinged me a while ago about the latest changes bringing toml support etc.

So I thought I'd update your docs/example according to the latest version.

The GH action is also the exact same we use for the Nextcloud repositories (I just started migrating), i.e. https://github.com/nextcloud/.github/blob/master/workflow-templates/reuse.yml


Nice work with shipping v4 and having the GH action out too 🎉

@AndyScherzinger
Contributor Author

AndyScherzinger commented Sep 2, 2024

rebased to fix conflicts.

@mxmehl @carmenbianca any chance you can give me some feedback on the PR? No worries if you are busy - I can totally relate to that 👍

@mxmehl mxmehl self-requested a review September 3, 2024 08:22
@mxmehl
Member

mxmehl commented Sep 3, 2024

Sorry, I haven't seen this PR!

I wonder whether we actually need the REUSE.toml file, and why I added the dep5 file in the beginning. I'd be fine with deleting it.

Regarding the hashsums, I understand it from a security PoV, but I'd like to avoid that we need to update the values every time we release a new minor version. v4 in this regard should be stable. What do you think?

@AndyScherzinger
Contributor Author

AndyScherzinger commented Sep 3, 2024

> I wonder whether we actually need the REUSE.toml file, and why I added the dep5 file in the beginning. I'd be fine with deleting it.

Can't tell why it was added but I am fine either way

> Regarding the hashsums, I understand it from a security PoV, but I'd like to avoid that we need to update the values every time we release a new minor version. v4 in this regard should be stable. What do you think?

Your choice and decision of course. Yes, the hashsums are for security reasons with 2 aspects, the hash (supply chain attacks) and also pinning it to a specific version so the CI run is reproducible, like reproducible builds (not a build but a CI check here). So you basically execute v4-latest whatever that means at a given point in time, so re-triggering a v4 run is not necessarily the same thing 2 hours later if a new version of the action has been released in between. So it is a trade-off. I'd say both ways are fine, whatever you prefer: traceability (exactly known version and explicit updates) or comfort (auto update, always being latest-major)
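
The trade-off discussed in this comment, as an added example that is not part of the PR or the project's own code: a small Python check that flags workflow `uses:` references pinned to a mutable tag or branch rather than a full 40-character commit SHA. The sample workflow, its step names and the SHA in it are constructed placeholders.

```python
import re

# Matches a step's `uses:` value of the form owner/repo[/path]@ref.
# Local actions (./path) carry no @ref and are skipped.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s@'\"#]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """'sha' for a full 40-hex commit id, else 'mutable' (tag, branch, short SHA)."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return (line_no, action, ref, kind) for every remote `uses:` line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # ignore commented-out steps
            continue
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            findings.append((no, action, ref, classify_ref(ref)))
    return findings


def unpinned(text):
    """Only the references that can change without an edit to the workflow file."""
    return [(no, f"{a}@{r}") for no, a, r, kind in audit_workflow(text) if kind == "mutable"]


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: REUSE Compliance Check
on: [pull_request]
jobs:
  reuse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x.y
      - name: REUSE Compliance Check
        uses: fsfe/reuse-action@v4
      - uses: ./local-action
"""

if __name__ == "__main__":
    for no, action, ref, kind in audit_workflow(SAMPLE):
        print(f"line {no}: {action}@{ref} -> {kind}")
```
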

@mxmehl
Member

mxmehl commented Sep 3, 2024

Thanks. So I'd like to ask for the following:

  1. Remove the dep5 altogether, don't add REUSE.toml. It just has no benefit here.
  2. Stick with the v4. I see the benefits of pinned versions but don't have the capability to sync these. If users want, they can find out the commit to pin themselves.

@AndyScherzinger
Contributor Author

@mxmehl applied all changes as discussed 👍

Member

@mxmehl mxmehl left a comment

Thank you!

@mxmehl mxmehl merged commit 37c9187 into fsfe:main Sep 9, 2024
@AndyScherzinger AndyScherzinger deleted the chore/noid/toml-v4-doc-updates branch September 9, 2024 18:23
@AndyScherzinger
Contributor Author

My pleasure, thanks for merging 😊
