Filter self out of package dependencies, for real this time #15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Detect any attempts to call sudo during R CMD check. | |
| # pak's sysreqs feature probes for passwordless sudo, which CRAN flags. | |
| # This workflow confirms that we successfully suppress that probe. | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| name: sudo-tripwire.yaml | |
| permissions: read-all | |
| jobs: | |
| sudo-tripwire: | |
| runs-on: ubuntu-latest | |
| env: | |
| GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} | |
| R_KEEP_PKG_SOURCE: yes | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: r-lib/actions/setup-pandoc@v2 | |
| - uses: r-lib/actions/setup-r@v2 | |
| with: | |
| r-version: release | |
| use-public-rspm: true | |
| - uses: r-lib/actions/setup-r-dependencies@v2 | |
| with: | |
| extra-packages: any::rcmdcheck | |
| needs: check | |
| - name: Install sudo tripwire | |
| run: | | |
| mkdir -p "$HOME/bin" | |
| cat > "$HOME/bin/sudo" << 'EOF' | |
| #!/bin/bash | |
| echo "SUDO CALLED with args: $*" >> /tmp/sudo-tripwire.log | |
| exit 1 | |
| EOF | |
| chmod +x "$HOME/bin/sudo" | |
| echo "$HOME/bin" >> $GITHUB_PATH | |
| - uses: r-lib/actions/check-r-package@v2 | |
| with: | |
| upload-snapshots: true | |
| build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")' | |
| - name: Check for sudo calls | |
| if: always() | |
| run: | | |
| if [ -f /tmp/sudo-tripwire.log ]; then | |
| echo "::error::sudo was called during R CMD check!" | |
| cat /tmp/sudo-tripwire.log | |
| exit 1 | |
| else | |
| echo "No sudo calls detected." | |
| fi |