What would you like?

• Add instructions to the CONTRIBUTING document about how external contributors should submit PRs that make changes to the core Cypress CircleCI Orb.

• If PR contributions can not be handled from external contributors, then the document should also clearly state this restriction.

Why is this needed?

• As described in Orb publishing does not work for contributor PRs #451, external contributors, who do not have access to the CIRCLECI_TOKEN, cannot have their PRs checked before submission.

• If such PRs are blindly merged into the master branch, any problems are discovered AFTER the merge, meaning that the master branch is in danger of becoming compromised and the corresponding PR may need to be reverted in order to correct the issue.

Other

A similar issue also affects external contributors to core CircleCI repos. CircleCI employees have had to copy the contents of PR changes from external contributors into their own internal branch and recreate the corresponding PR.

Suggestion

This is a suggestion for a process change:

1. An external contributor first requests a feature branch creation in https://github.com/cypress-io/circleci-orb/ through opening or commenting on an issue.
2. A https://github.com/cypress-io Member or other user with write privileges to https://github.com/cypress-io/circleci-orb/ sponsors the external contributor and creates a feature branch.
3. The external contributor creates a PR to target the feature branch instead of the master branch.
4. From the feature branch, the Cypress.io sponsor creates a PR to target the master branch. This PR has full access to the CIRCLECI_TOKEN and can therefore fully run all necessary CI checks.