diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
new file mode 100644
index 000000000..6dfc82774
--- /dev/null
+++ b/.github/workflows/update-vendor-hash.yml
@@ -0,0 +1,53 @@
+# Nix builds require a pre-computed hash (vendorHash) of all Go dependencies.
+# This hash lives in flake.nix and must match the actual dependencies exactly —
+# if go.mod/go.sum change but vendorHash isn't updated, the Nix build breaks.
+#
+# This workflow automatically recalculates the hash whenever Go dependencies
+# change, so contributors don't need Nix installed locally to keep it in sync.
+#
+# Similar workflows in other repos:
+# https://github.com/open-component-model/ocm/blob/main/.github/workflows/flake_vendorhash.yaml
+# https://github.com/Tarow/dockdns/blob/main/.github/workflows/go_vendorhash.yaml
+# https://github.com/Mic92/sops-nix/blob/master/.github/workflows/update-vendor-hash.yml
+name: Update Nix vendorHash
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - go.mod
+      - go.sum
+  pull_request:
+    branches:
+      - master
+    paths:
+      - go.mod
+      - go.sum
+
+jobs:
+  update-vendor-hash:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref || github.ref_name }}
+
+      - uses: DeterminateSystems/nix-installer-action@main
+
+      # nix-update recalculates vendorHash by building the Go module fetcher,
+      # comparing the expected vs actual hash, and patching flake.nix in-place.
+      # --version=skip tells it to only update hashes, not the package version.
+      - name: Update vendorHash
+        run: nix run nixpkgs#nix-update -- --flake --version=skip flow-cli
+
+      - name: Commit updated vendorHash
+        run: |
+          git diff --quiet flake.nix && exit 0
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add flake.nix
+          git commit -m "flake: update vendorHash"
+          git push
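Review bot: `DeterminateSystems/nix-installer-action@main` is a mutable branch ref inside a job that holds `contents: write` and pushes to the repository, so whatever upstream `main` resolves to at run time executes with write access here; pin it (and `actions/checkout@v6`) to a full commit SHA with the version noted in a trailing comment. On a `pull_request` opened from a fork, `ref: ${{ github.head_ref || github.ref_name }}` names a branch that does not exist in this repository and the job token is read-only, so either the checkout or the final `git push` fails instead of updating anything; either drop the `pull_request` trigger or guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. Commits pushed with the default `GITHUB_TOKEN` do not start other workflows, so the `flake: update vendorHash` commit is never itself built or tested by CI — worth a comment next to the commit step. The header comment should also say that this job needs to be allowed to push directly to `master` if branch protection is enabled, since that is where the `push` trigger lands.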
diff --git a/flake.nix b/flake.nix index 743d5ba1c..e1b04ebcc 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,15 @@ let pkgs = import nixpkgs { inherit system; }; + # Pin Go 1.25 — onflow/crypto v0.25.4 is incompatible with Go 1.26 + # (see https://github.com/onflow/crypto/issues/40). + # Go 1.26 changed ecdsa.PrivateKey.ECDH() to go through a FIPS path + # that dereferences PublicKey.X/Y before they are set, causing a nil + # pointer panic in goecdsaPrivateKey(). Remove this pin once + # onflow/crypto ships a Go 1.26-compatible release. + go = pkgs.go_1_25; + buildGoModule = pkgs.buildGoModule.override { inherit go; }; + # Version detection: # - When building from a git tag (e.g., nix build github:onflow/flow-cli/v2.14.2), # the version is extracted from the tag. @@ -33,12 +42,12 @@ in { packages = { - flow-cli = pkgs.buildGoModule { + flow-cli = buildGoModule { pname = "flow-cli"; version = version; src = ./.; - vendorHash = "sha256-EYQfXvHiRftod45Rvi7dUHF+3G5PyDtdM+HmJsE5r4I="; + vendorHash = "sha256-TjNZgqQ5U2ZkOck/pG68789hkTKjV7zP4xxRxxJQcdw="; proxyVendor = true; subPackages = [ "cmd/flow" ]; @@ -81,7 +90,7 @@ devShells.default = pkgs.mkShell { buildInputs = with pkgs; [ - go + go_1_25 golangci-lint gotools gopls
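Review bot: The Go 1.25 pin in the `let` block only constrains Nix derivations; if go.mod carries a `toolchain go1.26` directive (I cannot see go.mod from here), `buildGoModule` with `GOTOOLCHAIN=local` will refuse to build with the pinned 1.25 toolchain, so that should be confirmed before merging. The comment should also say what happens outside Nix, e.g. `# Note: this pin does not affect non-Nix builds; keep go.mod's go/toolchain directive at 1.25 until the upstream fix lands.` The third hunk (`devShells.default`) runs past the end of this view, so I have not reviewed its remaining lines.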