diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index bc4ff63f..42523239 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.23.x
       - name: Check Go module tidiness
@@ -51,7 +51,7 @@ jobs:
     name: Test
     strategy:
       matrix:
-        go-version: [ 1.22.x, 1.23.x ]
+        go-version: [ 1.23.x ]
         platform: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.platform }}
     steps:
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 00000000..dd3d002b
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,2 @@
+# Default
+* @gogs/core
diff --git a/repo_tag.go b/repo_tag.go
index e5843702..342979f3 100644
--- a/repo_tag.go
+++ b/repo_tag.go
@@ -248,6 +248,8 @@ func (r *Repository) CreateTag(name, rev string, opts ...CreateTagOptions) error
 			cmd.AddCommitter(opt.Author)
 		}
 	} else {
+		// 🚨 SECURITY: Prevent including unintended options in the path to the Git command.
+		cmd.AddArgs("--end-of-options")
 		cmd.AddArgs(name)
 	}