Try to detect sudo calls

jennybc · jennybc · commit 678d7a3bb387 · 2026-03-13T14:08:52.000-07:00
diff --git a/.github/workflows/sudo-tripwire.yaml b/.github/workflows/sudo-tripwire.yaml
@@ -0,0 +1,60 @@
+# Detect any attempts to call sudo during R CMD check.
+# pak's sysreqs feature probes for passwordless sudo, which CRAN flags.
+# This workflow confirms that we successfully suppress that probe.
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+name: sudo-tripwire.yaml
+
+permissions: read-all
+
+jobs:
+  sudo-tripwire:
+    runs-on: ubuntu-latest
+
+    env:
+      GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+      R_KEEP_PKG_SOURCE: yes
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: r-lib/actions/setup-pandoc@v2
+
+      - uses: r-lib/actions/setup-r@v2
+        with:
+          r-version: release
+          use-public-rspm: true
+
+      - uses: r-lib/actions/setup-r-dependencies@v2
+        with:
+          extra-packages: any::rcmdcheck
+          needs: check
+
+      - name: Install sudo tripwire
+        run: |
+          mkdir -p "$HOME/bin"
+          cat > "$HOME/bin/sudo" << 'EOF'
+          #!/bin/bash
+          echo "SUDO CALLED with args: $*" >&2
+          exit 1
+          EOF
+          chmod +x "$HOME/bin/sudo"
+          echo "$HOME/bin" >> $GITHUB_PATH
+
+      - uses: r-lib/actions/check-r-package@v2
+        with:
+          upload-snapshots: true
+          build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")'
+
+      - name: Check for sudo calls
+        if: always()
+        run: |
+          if grep -r "SUDO CALLED" '${{ runner.temp }}/package.Rcheck/' 2>/dev/null; then
+            echo "::error::sudo was called during R CMD check!"
+            exit 1
+          else
+            echo "No sudo calls detected."
+          fi
