diff --git a/.github/workflows/zig.yml b/.github/workflows/zig.yml
new file mode 100644
index 0000000000..40f05ee47b
--- /dev/null
+++ b/.github/workflows/zig.yml
@@ -0,0 +1,89 @@
+name: Zig compiler
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+jobs:
+  zig:
+    if: github.repository_owner == 'aws'
+    runs-on: ${{ matrix.os.name }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - name: windows-latest
+            target: x86_64-windows
+          - name: ubuntu-latest
+            target: x86_64-linux
+          - name: macos-latest
+            target: aarch64-macos
+    steps:
+      - name: Install NASM
+        uses: ilammy/setup-nasm@v1.5.1
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install ninja-build tool
+        uses: seanmiddleditch/gha-setup-ninja@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>= 1.18'
+      - name: Install zigcc
+        uses: jiacai2050/zigcc@v1.0.1
+        with:
+          zig-version: 0.14.0
+      - name: Locate zig not on Windows
+        if: matrix.os.name != 'windows-latest'
+        shell: bash
+        run: |
+          cat <<'EOF' > ${PWD}/zig-cc
+          #!/bin/bash
+          zig cc "$@"
+          EOF
+          chmod +x ${PWD}/zig-cc
+          cat <<'EOF' > ${PWD}/zig-c++
+          #!/bin/bash
+          zig c++ "$@"
+          EOF
+          chmod +x ${PWD}/zig-c++
+          echo "ZIGCC=${PWD}/zig-cc" >> $GITHUB_ENV
+          echo "ZIGCXX=${PWD}/zig-c++" >> $GITHUB_ENV
+      - name: Locate zig on Windows
+        if: matrix.os.name == 'windows-latest'
+        shell: bash
+        run: |
+          ZIGCC="python3 $(cygpath -m $(which zigcc))"
+          ZIGCXX="python3 $(cygpath -m $(which zigcxx))"
+          echo "ZIGCC=${ZIGCC}" >> $GITHUB_ENV
+          echo "ZIGCXX=${ZIGCXX}" >> $GITHUB_ENV
+      - name: Create toolchain
+        shell: bash
+        run: |
+          cat <<EOF > ./toolchain.cmake
+          set(CMAKE_C_COMPILER ${ZIGCC})
+          set(CMAKE_C_COMPILER_TARGET  ${{ matrix.os.target }})
+          set(CMAKE_CXX_COMPILER ${ZIGCXX})
+          set(CMAKE_CXX_COMPILER_TARGET ${{ matrix.os.target }})
+          set(CMAKE_ASM_COMPILER ${ZIGCC})
+          set(CMAKE_ASM_COMPILER_TARGET ${{ matrix.os.target }})
+          set(CMAKE_VERBOSE_MAKEFILE ON)
+          set(CMAKE_MESSAGE_LOG_LEVEL DEBUG)
+          EOF
+      - name: Setup CMake
+        shell: bash
+        run: |
+          printenv | sort
+          which zigcc
+          which zigcxx
+          cat ./toolchain.cmake
+          cmake '.' -B ./build -G Ninja -DCMAKE_TOOLCHAIN_FILE=./toolchain.cmake -DCMAKE_BUILD_TYPE=Release
+      - name: Build Project
+        shell: bash
+        run: |
+          cmake --build ./build --target run_tests --verbose
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9b27c5c7ae..062397aed3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -442,7 +442,7 @@ if(GCC OR CLANG)
     endif()
   endif()
 
-  if(MINGW)
+  if(MINGW AND NOT CLANG)
     # Some MinGW compilers set _WIN32_WINNT to an older version (Windows Server 2003)
     # See: https://learn.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winnt?view=msvc-170
     # Support Windows 7 and later.
diff --git a/crypto/fipsmodule/rand/urandom.c b/crypto/fipsmodule/rand/urandom.c
index 136497d1c1..5e005b7370 100644
--- a/crypto/fipsmodule/rand/urandom.c
+++ b/crypto/fipsmodule/rand/urandom.c
@@ -66,7 +66,12 @@
 #endif  // OPENSSL_LINUX
 
 #if defined(OPENSSL_APPLE)
+#if __has_include(<CommonCrypto/CommonRandom.h>)
+#define AWS_LC_HAVE_COMMON_CRYPTO
 #include <CommonCrypto/CommonRandom.h>
+#else
+#define AWS_LC_USE_ARC4RANDOM
+#endif
 #endif
 
 #if defined(OPENSSL_FREEBSD)
@@ -80,6 +85,10 @@
 #endif
 
 #if defined(OPENSSL_OPENBSD)
+#define AWS_LC_USE_ARC4RANDOM
+#endif
+
+#if defined(AWS_LC_USE_ARC4RANDOM)
 #include <stdlib.h>
 #endif
 
@@ -250,16 +259,16 @@ static void init_once(void) {
   }
 #endif  // USE_NR_getrandom
 
-#if defined(OPENSSL_APPLE)
+#if defined(AWS_LC_HAVE_COMMON_CRYPTO)
   // To get system randomness on MacOS and iOS we use |CCRandomGenerateBytes|
   // function provided by Apple rather than /dev/urandom or |getentropy|
   // function which is available on MacOS but not on iOS.
   return;
 #endif
 
-#if defined(OPENSSL_OPENBSD)
+#if defined(AWS_LC_USE_ARC4RANDOM)
   // To get system randomness on OpenBSD we use |arc4random_buf| function
-  // which is recommended to use for C APIs rather then /dev/urandom.
+  // which is recommended to use for C APIs rather than /dev/urandom.
   // See https://man.openbsd.org/arc4random.3
   return;
 #endif
@@ -350,7 +359,8 @@ static void wait_for_entropy(void) {
   }
 
 #if defined(BORINGSSL_FIPS) && !defined(URANDOM_BLOCKS_FOR_ENTROPY) && \
-    !(defined(OPENSSL_APPLE) || defined(OPENSSL_OPENBSD)) // On MacOS, iOS, and OpenBSD we don't use /dev/urandom.
+    !(defined(AWS_LC_HAVE_COMMON_CRYPTO) || defined(AWS_LC_USE_ARC4RANDOM))
+  // On MacOS, iOS, and OpenBSD we don't use /dev/urandom.
 
   // In FIPS mode on platforms where urandom doesn't block at startup, we ensure
   // that the kernel has sufficient entropy before continuing. This is
@@ -388,7 +398,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
     return 1;
   }
 
-#if defined(OPENSSL_APPLE)
+#if defined(AWS_LC_HAVE_COMMON_CRYPTO)
   // To get system randomness on MacOS and iOS we use |CCRandomGenerateBytes|
   // rather than |getentropy| and /dev/urandom.
   if (CCRandomGenerateBytes(out, len) == kCCSuccess) {
@@ -399,7 +409,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
   }
 #endif
 
-#if defined(OPENSSL_OPENBSD)
+#if defined(AWS_LC_USE_ARC4RANDOM)
   // Return value is void, no error to check
   arc4random_buf(out, len);
   return 1;