Add missing shebangs to exorcise Darwin sandbox heisenbug

[xokdvium]

Motivation

Adds missing shebangs that lead to unsafe forks that present themselves as SIGSEGV.

See 7b3d7eb and NixOS/nixpkgs#476794 Lix patch: https://gerrit.lix.systems/c/lix/+/4891

Context

---

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

[xokdvium]

@agucova cc. I don't have apple hardware to test this one. Could you give that a shot, since you were able to repro these kind of issues reliably?

[xokdvium]

Drafting: https://git.lix.systems/lix-project/lix/commit/45783a0435186b14509296f28d2466ab8a8157f0

[agucova]

@xokdvium sadly I couldn't replicate the original test failures on my M4 Max Macbook Pro, so I can't confirm whether this fixes the heisenbug or not

[xokdvium]

One observation is that hydra builds run on macOS 26. Maybe it has something to do with it?

[growler]

The issue happened in my setup like every run, M4 Pro/48 Gb/MacOS 26.2. There were three failing tests, each and any of them could pass any time, but never all three:

error: Cannot build '/nix/store/ybj24r8fdhnryj4pqi6v8h6j0bj1vdcd-nix-functional-tests-2.33.1.drv'.
...
       >  50/205 nix-functional-tests:main / nix-shell                               FAIL            3.19s   exit status 1
       > 138/205 nix-functional-tests:ca / nix-shell                                 FAIL            1.85s   exit status 1
       > 199/205 nix-functional-tests:flakes / shebang                               FAIL            2.27s   exit status 1

I can confirm that this PR fixes the issue for me.

[Eveeifyeve]

I will try on a M4 MacBook Pro with Tahoe 26.2 on it and try to run with sandboxed to relaxed, on and off tomorrow.

[agucova]

One observation is that hydra builds run on macOS 26. Maybe it has something to do with it?

Note I already tested on Tahoe 26.2

[xokdvium]

There were three failing tests

That's what we observe on hydra too. In the meantime I've opened a PR disabling those tests in nixpkgs NixOS/nixpkgs#481478. Since the rcfile change would be a breaking change this seems like the best way forward for the old versions.

[Eveeifyeve]

Huh weird It passed when I did a nom build "github:NixOS/nix?ref=pull/14969/head on this pr. There must be some flakiness on some systems, going on with the tests. But see my log, I got log below...

Log:

nix-functional-tests> Ok:                 170
nix-functional-tests> Expected Fail:      0
nix-functional-tests> Fail:               0
nix-functional-tests> Unexpected Pass:    0
nix-functional-tests> Skipped:            35
nix-functional-tests> Timeout:            0

Nix-info:

 - system: `"aarch64-darwin"`
 - host os: `Darwin 25.2.0, macOS 26.2`
 - multi-user?: `yes`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.28.3`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `/nix/store/0lc6kbmhkqk8vmgflpn2n1d1qb3vl2f5-source`

[Eveeifyeve]

I have ruled out all possibilities on my system. I have a feeling it's a bit flaky not an actual system issue.

[vcunat]

What do you mean? This PR is supposed to fix the issues, so it's expected that building on this PR would pass.

[Eveeifyeve]

What do you mean? This PR is supposed to fix the issues, so it's expected that building on this PR would pass.

Oh wait I forgot to test upstream... I will do that and compare.

[Eveeifyeve]

Still upstream passes... I feel like there needs to be talk about the flakiness. On some machines it will just work, then some won't work.