But how do I prevent users from manipulating the releasing and versioning process? I also want to prevent them publishing their own releases to the “public” repository: only the build system is allowed to do that. Seems hard to do when they can modify the Gradle build file.
This is typically something you would implement via security on the particular repository you intend to publish your artifacts to. In this way, only users (or build environments) with the right credentials would actually be able to perform a release.
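
An added example, not part of the original answer, of how that looks from the Gradle side: the build file holds no secret, and the deploy account exists only as environment variables on the build server. The repository URL, the coordinates and the variable names `PUBLIC_REPO_USER` / `PUBLIC_REPO_PASSWORD` are placeholders assumed for illustration.

```groovy
// build.gradle (added illustration; URL, coordinates and variable names are placeholders)
plugins {
    id 'java-library'
    id 'maven-publish'
}

group = 'com.example'        // constructed coordinates
version = '1.0.0'

publishing {
    publications {
        mavenJava(MavenPublication) {
            from components.java
        }
    }
    repositories {
        maven {
            name = 'public'
            url = uri('https://repo.example.com/releases')   // placeholder URL
            // No secret lives in this file. The deploy account is injected by
            // the build server as environment variables, so a developer who
            // edits the build script still has nothing to authenticate with.
            credentials {
                username = System.getenv('PUBLIC_REPO_USER')
                password = System.getenv('PUBLIC_REPO_PASSWORD')
            }
        }
    }
}

// Convenience only, not a security control: fail early with a clear message
// when the build-server credentials are absent. Anyone can delete this check;
// the repository rejecting uploads from unauthorised accounts is what
// actually enforces the rule.
tasks.withType(PublishToMavenRepository).configureEach {
    doFirst {
        if (repository.name == 'public' && !System.getenv('PUBLIC_REPO_PASSWORD')) {
            throw new GradleException('Publishing to "public" requires build-server credentials')
        }
    }
}
```

On the repository itself, grant deploy permission on the "public" repository to the build server's account only and leave developer accounts read-only there.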