A SimpleBuildWrapper might be an easier implementation route.

Not to be confused with credentials support in a Step or a compatible SCM or SimpleBuildStep implementation: this is about not just picking a credentialsId to pass on to another Step, but using the secrets held in the Credentials directly in some other way, such as in sh.

Current workaround is to define a credentials parameter for the flow, giving it a default value. This means that Build Now is replaced with Build with Parameters, even though you do not need to actually do anything except confirm, which is unfortunate. (Scheduled builds should still run fine.)

There are several possible designs here:

1. Use SimpleBuildWrapper, in some future LTS. No workflow dep from credentials-binding, which is nice, but will be months before it is available. Syntax would be a bit clunky due to use of step. Values are exposed only as environment variables, which is fine if they are being interpreted from external processes, but requires env.VARIABLE syntax if needed from Groovy code.

   step([$class: 'SecretBuildWrapper', bindings: [[$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret']]]) {
     sh 'echo $SECRET'
     writeFile file: 'secret.txt', text: env.SECRET
   }
   

2. Have a Step which takes a List<MultiBinding> and sets EnvVars overrides. Again potentially awkward if you need the secrets from Groovy code as opposed to being picked up directly by an external process.

   withCredentials([[$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret']]) {
     sh 'echo $SECRET'
     writeFile file: 'secret.txt', text: env.SECRET
   }
   

3. Have a Step which takes a List<MultiBinding> and returns the resulting Map<String,String> bindings, for use as you like. Unclear how this would work, since the step return value is not available from its body, and the SPI does not support passing local variables to a body.

   withCredentials(localVar: 'secrets', bindings: [[$class: 'StringBinding', variable: 'secret', credentialsId: 'mysecret']]) {
     sh "echo ${secrets.secret}"
     writeFile file: 'secret.txt', text: secrets.secret
   }
   

4. Have a Step which takes some other binding-like interface which has not yet been created, but which does not require the variable names to be specified. Again would require steps to be able to bind local variables. Unclear how to support multi-variable bindings like username/password.

   withCredentials(localVar: 'secret', binding: [$class: 'NoVarStringBinding', credentialsId: 'mysecret']) {
     sh "echo ${secret}"
     writeFile file: 'secret.txt', text: secret
   }
   

Currently going with #2 as this seems most practical.

Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/credentialsbinding/Binding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/MultiBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/SecretBuildWrapper.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/StringBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordMultiBinding.java
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/config.jelly
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help-bindings.html
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html
http://jenkins-ci.org/commit/credentials-binding-plugin/f23dd15d1098d1d2873f6f8c1c97a9cee82c9c53
Log:
JENKINS-26051 First draft of withCredentials step.