I would still (and do) do both, in the case that your site (for whatever reason) is still under/or simply accessible to HTTP, then a man in the middle attack could still happen and replace your script with another.
For self hosted dynamic scripts, I just add a task in my build process to calc the sha and add it to the <src integrity="sha..." >
Otherwise just calc it and hardcode it once for 3rd party, legacy scripts...
For self hosted dynamic scripts, I just add a task in my build process to calc the sha and add it to the <src integrity="sha..." >
Otherwise just calc it and hardcode it once for 3rd party, legacy scripts...