diff --git a/.github/workflows/sudo-tripwire.yaml b/.github/workflows/sudo-tripwire.yaml
new file mode 100644
index 000000000..414ff3a97
--- /dev/null
+++ b/.github/workflows/sudo-tripwire.yaml
@@ -0,0 +1,61 @@
+# Detect any attempts to call sudo during R CMD check.
+# pak's sysreqs feature probes for passwordless sudo, which CRAN flags.
+# This workflow confirms that we successfully suppress that probe.
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+
+name: sudo-tripwire.yaml
+
+permissions: read-all
+
+jobs:
+ sudo-tripwire:
+ runs-on: ubuntu-latest
+
+ env:
+ GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+ R_KEEP_PKG_SOURCE: yes
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: r-lib/actions/setup-pandoc@v2
+
+ - uses: r-lib/actions/setup-r@v2
+ with:
+ r-version: release
+ use-public-rspm: true
+
+ - uses: r-lib/actions/setup-r-dependencies@v2
+ with:
+ extra-packages: any::rcmdcheck
+ needs: check
+
+ - name: Install sudo tripwire
+ run: |
+ mkdir -p "$HOME/bin"
+ cat > "$HOME/bin/sudo" << 'EOF'
+ #!/bin/bash
+ echo "SUDO CALLED with args: $*" >> /tmp/sudo-tripwire.log
+ exit 1
+ EOF
+ chmod +x "$HOME/bin/sudo"
+ echo "$HOME/bin" >> $GITHUB_PATH
+
+ - uses: r-lib/actions/check-r-package@v2
+ with:
+ upload-snapshots: true
+ build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")'
+
+ - name: Check for sudo calls
+ if: always()
+ run: |
+ if [ -f /tmp/sudo-tripwire.log ]; then
+ echo "::error::sudo was called during R CMD check!"
+ cat /tmp/sudo-tripwire.log
+ exit 1
+ else
+ echo "No sudo calls detected."
+ fi
diff --git a/R/zzz.R b/R/zzz.R
index 97281faf5..6bf3ac82c 100644
--- a/R/zzz.R
+++ b/R/zzz.R
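Review bot: The tripwire can report success without ever having been in effect: nothing verifies that `sudo` resolves to the stub in the steps after `Install sudo tripwire`, and the final step treats a missing `/tmp/sudo-tripwire.log` as a pass. A one-line step placed before `check-r-package`, `run: test "$(command -v sudo)" = "$HOME/bin/sudo"`, would turn a PATH problem into a failure instead of a silent green run. The stub also only observes calls that resolve `sudo` through PATH, so a comment such as `# only catches PATH-resolved sudo; absolute-path calls are not logged` would set expectations for what a pass means. Separately, `permissions: read-all` grants read on every scope, while the visible steps appear to need only `contents: read`.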
@@ -14,5 +14,15 @@ devtools_default_options <- list( options(devtools_default_options[toset]) } + # On certain linux systems, pak might call `sudo`, as a probe for + # capabilities. That lays the ground work for a potential need to work with + # sysreqs, but that's not necessary in this case and CRAN flags the + # `sudo -s id` as problematic. Setting `pkg.sysreq` to `FALSE` prevents + # pak from even checking this. + # https://pak.r-lib.org/reference/pak-config.html#pak-configuration + if (Sys.getenv("_R_CHECK_PACKAGE_NAME_", "") != "") { + options(pkg.sysreqs = FALSE) + } + invisible() }
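Review bot: The new `options(pkg.sysreqs = FALSE)` call overwrites whatever value is already set and is never restored, unlike the `toset` handling just above it, which only fills in options that are missing. Because the guard tests only that `_R_CHECK_PACKAGE_NAME_` is non-empty, this presumably also fires when the package is loaded during R CMD check of some other package. Wrapping the call in `if (is.null(getOption("pkg.sysreqs")))` would keep an explicit setting intact. The comment also names the option `pkg.sysreq` while the code sets `pkg.sysreqs`, so the comment should read "Setting `pkg.sysreqs` to `FALSE`". The enclosing function starts outside the hunk.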