From fc607cd400554b9601c4169dd7debcade6aeb092 Mon Sep 17 00:00:00 2001
From: Zach <3724288+zedkipp@users.noreply.github.com>
Date: Wed, 11 Mar 2026 15:28:25 -0600
Subject: [PATCH] fix(nix): bump macOS SDK to 12.3 for Go 1.26 compatibility
 (#22963)

Go 1.26's crypto/x509 calls SecTrustCopyCertificateChain via cgo, a
Security framework function introduced in macOS 12. The devShell's
default stdenv uses the macOS 11 SDK, so clang can't find the symbol at
link time.

Override the devShell stdenv on Darwin with overrideSDK "12.3" so the
clang wrapper links against the 12.3 SDK, and update frontendPackages to
use apple_sdk_12_3 frameworks for consistency.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
---
 flake.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/flake.nix b/flake.nix
index 6b6a4309cf..cccd529c33 100644
--- a/flake.nix
+++ b/flake.nix
@@ -141,7 +141,7 @@
             python312Packages.setuptools # Needed for node-gyp
           ]
           ++ (lib.optionals stdenv.targetPlatform.isDarwin [
-            darwin.apple_sdk.frameworks.Foundation
+            darwin.apple_sdk_12_3.frameworks.Foundation
             xcbuild
           ]);
 
@@ -292,7 +292,13 @@
         inherit formatter;
 
         devShells = {
-          default = pkgs.mkShell {
+          default =
+            (pkgs.mkShell.override (
+              pkgs.lib.optionalAttrs pkgs.stdenv.isDarwin {
+                stdenv = pkgs.overrideSDK pkgs.stdenv "12.3";
+              }
+            ))
+            {
             buildInputs = devShellPackages;
 
             PLAYWRIGHT_BROWSERS_PATH = pkgs.playwright-driver.browsers;