For the previous plugin security release, the security team had a great experience with the "new" process described in this wiki page (releasing to a staging repo, not pushing commits):

https://wiki.jenkins-ci.org/display/SECURITY/SECURITY+issues+in+plugins

A similar process needs to be possible (and documented) with Gradle JPI plugin based plugins.