takezoe / gitbucket-ci-plugin

GitBucket plug-in that adds simple CI ability to GitBucket.


Great Stuff, thanks for this Plugin!

rsoika opened this issue · comments

Hi,
I like the ci-plugin and want to thank you for that! This plugin makes build integration flexible and even simple. I hate Jenkins for having tons of unmanageable plugins installed just to generate an easy Maven build. It's much better to just script what you want to build.
Go on with that and keep it as simple and easy as it is!

I find your hint in the readme file concerning the security issue good and appropriate, although I think that the ci-plugin is not more insecure than some custom construction in Jenkins & Co.

One simple solution might be if I could simply upload a signed script. This script could then be verified by the executor with the configured "build keys". What do you think about this approach?

Although I think that the ci-plugin is not more insecure than some custom construction in Jenkins & Co.

Yes, that's right. The purpose of that notice is calling attention to users.

One simple solution might be if I could simply upload a signed script. This script could then be verified by the executor with the configured "build keys". What do you think about this approach?

Hm, I think it's the same as trusting specific users. Restricting the build script so that it can be set only by GitBucket administrators might be an easy solution.

Yes, you are right. If an attacker breaks in as an administrator he can also upload his own public key together with his "evil script". So in the end, signing scripts will not really increase the security level. Maybe this would work only if the key must be uploaded to the server's filesystem into a 'root-protected' directory...
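One way to implement the "key in a root-protected directory" idea from this thread, as an added example that is not part of gitbucket-ci-plugin: the executor loads trusted Ed25519 public keys only from a directory that root owns and that nobody else can write to, then refuses to run a build script whose signature does not verify against one of them. The function names, the `*.pub` file layout and the raw 32-byte key format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// checkKeyDirPerms rejects the trusted-key directory unless root owns it and
// only the owner may write to it: a GitBucket admin who can edit build settings
// must not be able to drop a key of their own in there.
func checkKeyDirPerms(ownerUID uint32, mode os.FileMode) error {
	if ownerUID != 0 {
		return fmt.Errorf("key dir must be owned by root, got uid %d", ownerUID)
	}
	if mode.Perm()&0o022 != 0 {
		return fmt.Errorf("key dir is group/world writable: %o", mode.Perm())
	}
	return nil
}

// LoadTrustedKeys reads raw 32-byte Ed25519 public keys (*.pub, an assumed
// layout) from dir, but only after the directory passes checkKeyDirPerms.
func LoadTrustedKeys(dir string) ([]ed25519.PublicKey, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return nil, err
	}
	// Owner lookup is Unix-specific (syscall.Stat_t).
	if err := checkKeyDirPerms(info.Sys().(*syscall.Stat_t).Uid, info.Mode()); err != nil {
		return nil, err
	}
	var keys []ed25519.PublicKey
	paths, _ := filepath.Glob(filepath.Join(dir, "*.pub"))
	for _, p := range paths {
		if b, err := os.ReadFile(p); err == nil && len(b) == ed25519.PublicKeySize {
			keys = append(keys, ed25519.PublicKey(b))
		}
	}
	return keys, nil
}

// ScriptTrusted reports whether sig is a valid Ed25519 signature over script
// by any trusted key; the executor should run the script only when this is true.
func ScriptTrusted(keys []ed25519.PublicKey, script, sig []byte) bool {
	for _, k := range keys {
		if ed25519.Verify(k, script, sig) {
			return true
		}
	}
	return false
}
```

Because the admin UI never writes to that directory, adding a new build key requires root on the host, which is exactly the separation the thread concludes is needed.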

Awesome man, that's the reason why I quit using Jenkins, GitLab CI and then Bamboo to finally use a simple solution, great job!