From 678d7a3bb3872fa2fd991cf49b7ed9970cb4e9b1 Mon Sep 17 00:00:00 2001
From: Jenny Bryan
Date: Fri, 13 Mar 2026 14:08:52 -0700
Subject: [PATCH 1/4] Try to detect sudo calls
---
 .github/workflows/sudo-tripwire.yaml | 60 ++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .github/workflows/sudo-tripwire.yaml
diff --git a/.github/workflows/sudo-tripwire.yaml b/.github/workflows/sudo-tripwire.yaml
new file mode 100644
index 000000000..79b15b1e1
--- /dev/null
+++ b/.github/workflows/sudo-tripwire.yaml
@@ -0,0 +1,60 @@
+# Detect any attempts to call sudo during R CMD check.
+# pak's sysreqs feature probes for passwordless sudo, which CRAN flags.
+# This workflow confirms that we successfully suppress that probe.
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+
+name: sudo-tripwire.yaml
+
+permissions: read-all
+
+jobs:
+ sudo-tripwire:
+ runs-on: ubuntu-latest
+
+ env:
+ GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+ R_KEEP_PKG_SOURCE: yes
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: r-lib/actions/setup-pandoc@v2
+
+ - uses: r-lib/actions/setup-r@v2
+ with:
+ r-version: release
+ use-public-rspm: true
+
+ - uses: r-lib/actions/setup-r-dependencies@v2
+ with:
+ extra-packages: any::rcmdcheck
+ needs: check
+
+ - name: Install sudo tripwire
+ run: |
+ mkdir -p "$HOME/bin"
+ cat > "$HOME/bin/sudo" << 'EOF'
+ #!/bin/bash
+ echo "SUDO CALLED with args: $*" >&2
+ exit 1
+ EOF
+ chmod +x "$HOME/bin/sudo"
+ echo "$HOME/bin" >> $GITHUB_PATH
+
+ - uses: r-lib/actions/check-r-package@v2
+ with:
+ upload-snapshots: true
+ build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")'
+
+ - name: Check for sudo calls
+ if: always()
+ run: |
+ if grep -r "SUDO CALLED" '${{ runner.temp }}/package.Rcheck/' 2>/dev/null; then
+ echo "::error::sudo was called during R CMD check!"
+ exit 1
+ else
+ echo "No sudo calls detected."
+ fi
From 7bc873daf5908c42f415656e8d0b5d756aee79db Mon Sep 17 00:00:00 2001
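Review bot: The stub written in the `Install sudo tripwire` step only intercepts `sudo` when it is resolved through `PATH`, so a call by absolute path such as `/usr/bin/sudo`, or one made after a child process resets `PATH`, would go unrecorded and the job would still pass. A comment above the step should state that limit, for example `# Only catches PATH-resolved sudo; absolute-path calls are not detected.` Separately, `permissions: read-all` grants read access on every token scope, while the steps shown appear to need only repository contents; a `permissions:` mapping with `contents: read` would be the least-privilege form.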
From: Jenny Bryan
Date: Fri, 13 Mar 2026 14:21:54 -0700
Subject: [PATCH 2/4] Log to a file
---
 .github/workflows/sudo-tripwire.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sudo-tripwire.yaml b/.github/workflows/sudo-tripwire.yaml
index 79b15b1e1..414ff3a97 100644
--- a/.github/workflows/sudo-tripwire.yaml
+++ b/.github/workflows/sudo-tripwire.yaml
@@ -38,7 +38,7 @@ jobs:
 mkdir -p "$HOME/bin"
 cat > "$HOME/bin/sudo" << 'EOF'
 #!/bin/bash
- echo "SUDO CALLED with args: $*" >&2
+ echo "SUDO CALLED with args: $*" >> /tmp/sudo-tripwire.log
 exit 1
 EOF
 chmod +x "$HOME/bin/sudo"
@@ -52,8 +52,9 @@ jobs:
 - name: Check for sudo calls
 if: always()
 run: |
- if grep -r "SUDO CALLED" '${{ runner.temp }}/package.Rcheck/' 2>/dev/null; then
+ if [ -f /tmp/sudo-tripwire.log ]; then
 echo "::error::sudo was called during R CMD check!"
+ cat /tmp/sudo-tripwire.log
 exit 1
 else
 echo "No sudo calls detected."
From f702c33a8eaa68255815a443aed9fb7bd2231ba1 Mon Sep 17 00:00:00 2001
From: Jenny Bryan
Date: Fri, 13 Mar 2026 14:44:50 -0700
Subject: [PATCH 3/4] pak should never call sudo during `R CMD check`
We can test and document devtools's use of pak without doing any sysreq stuff, which is what the `sudo` probe relates to.
---
 R/zzz.R | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/R/zzz.R b/R/zzz.R
index 97281faf5..5ac8dcdad 100644
--- a/R/zzz.R
+++ b/R/zzz.R
@@ -14,5 +14,12 @@ devtools_default_options <- list(
 options(devtools_default_options[toset])
 }

+ # Prevent pak from trying to install system requirements during R CMD check.
+ # On certain linux systems, it might call `sudo`, as a probe for capabilities.
+ # That is flagged by CRAN as problematic.
+ if (Sys.getenv("_R_CHECK_PACKAGE_NAME_", "") != "") {
+ options(pkg.sysreqs = FALSE)
+ }
+
 invisible()
 }
From 58d6e3b8d0f906c70f600d3b864856faf1176ea4 Mon Sep 17 00:00:00 2001
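Review bot: The stub now appends to the fixed path `/tmp/sudo-tripwire.log`, and the second hunk (`Check for sudo calls`) treats the mere existence of that file as a detection, yet nothing removes the file before the check starts. On the GitHub-hosted `ubuntu-latest` runner the filesystem starts fresh, but on a reused runner a leftover log would fail the job, and any other process on the machine can create or delete a file at that predictable `/tmp` path. Adding `rm -f /tmp/sudo-tripwire.log` to the `Install sudo tripwire` step, or writing the log under the runner's own temp directory, would tie the signal to this run.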
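Review bot: The added guard writes `pkg.sysreqs` unconditionally, unlike the `toset` pattern just above it, which only fills options that are not already set. `_R_CHECK_PACKAGE_NAME_` is non-empty during the check of any package, not only devtools, so loading devtools while another package is being checked changes pak's behaviour for the rest of that R session and replaces a value the user may have set. If that wider scope is intended, the comment should say so, for example `# Applies to any R CMD check session that loads devtools; overrides a user-set value.` The enclosing function (presumably `.onLoad`) starts outside the hunk.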
From: Jenny Bryan
Date: Fri, 13 Mar 2026 15:19:24 -0700
Subject: [PATCH 4/4] Work on the comment
---
 R/zzz.R | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/R/zzz.R b/R/zzz.R
index 5ac8dcdad..6bf3ac82c 100644
--- a/R/zzz.R
+++ b/R/zzz.R
@@ -14,9 +14,12 @@ devtools_default_options <- list(
 options(devtools_default_options[toset])
 }

- # Prevent pak from trying to install system requirements during R CMD check.
- # On certain linux systems, it might call `sudo`, as a probe for capabilities.
- # That is flagged by CRAN as problematic.
+ # On certain linux systems, pak might call `sudo`, as a probe for
+ # capabilities. That lays the ground work for a potential need to work with
+ # sysreqs, but that's not necessary in this case and CRAN flags the
+ # `sudo -s id` as problematic. Setting `pkg.sysreq` to `FALSE` prevents
+ # pak from even checking this.
+ # https://pak.r-lib.org/reference/pak-config.html#pak-configuration
 if (Sys.getenv("_R_CHECK_PACKAGE_NAME_", "") != "") {
 options(pkg.sysreqs = FALSE)
 }
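Review bot: The rewritten comment names the option `pkg.sysreq`, but the statement it documents sets `pkg.sysreqs`. Someone who copies the name from the comment into their own configuration would set a different option from the one this code relies on, and the sudo probe would not be suppressed. The comment should spell it `pkg.sysreqs`, and "ground work" reads better as "groundwork". The enclosing function starts outside the hunk.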