Better reporting around dependencies needed for task #13

	# Detect any attempts to call sudo during R CMD check.
	# pak's sysreqs feature probes for passwordless sudo, which CRAN flags.
	# This workflow confirms that we successfully suppress that probe.
	on:
	push:
	branches: [main, master]
	pull_request:

	name: sudo-tripwire.yaml

	permissions: read-all

	jobs:
	sudo-tripwire:
	runs-on: ubuntu-latest

	env:
	GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
	R_KEEP_PKG_SOURCE: yes

	steps:
	- uses: actions/checkout@v4

	- uses: r-lib/actions/setup-pandoc@v2

	- uses: r-lib/actions/setup-r@v2
	with:
	r-version: release
	use-public-rspm: true

	- uses: r-lib/actions/setup-r-dependencies@v2
	with:
	extra-packages: any::rcmdcheck
	needs: check

	- name: Install sudo tripwire
	run: \|
	mkdir -p "$HOME/bin"
	cat > "$HOME/bin/sudo" << 'EOF'
	#!/bin/bash
	echo "SUDO CALLED with args: $*" >> /tmp/sudo-tripwire.log
	exit 1
	EOF
	chmod +x "$HOME/bin/sudo"
	echo "$HOME/bin" >> $GITHUB_PATH

	- uses: r-lib/actions/check-r-package@v2
	with:
	upload-snapshots: true
	build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")'

	- name: Check for sudo calls
	if: always()
	run: \|
	if [ -f /tmp/sudo-tripwire.log ]; then
	echo "::error::sudo was called during R CMD check!"
	cat /tmp/sudo-tripwire.log
	exit 1
	else
	echo "No sudo calls detected."
	fi

Provide feedback