A SimpleBuildWrapper might be an easier implementation route.

Not to be confused with credentials support in a Step or a compatible SCM or SimpleBuildStep implementation: this is about not just picking a credentialsId to pass on to another Step, but using the secrets held in the Credentials directly in some other way, such as in sh.

Current workaround is to define a credentials parameter for the flow, giving it a default value. This means that Build Now is replaced with Build with Parameters, even though you do not need to actually do anything except confirm, which is unfortunate. (Scheduled builds should still run fine.)

There are several possible designs here:

1. Use SimpleBuildWrapper, in some future LTS. No workflow dep from credentials-binding, which is nice, but will be months before it is available. Syntax would be a bit clunky due to use of step. Values are exposed only as environment variables, which is fine if they are being interpreted from external processes, but requires env.VARIABLE syntax if needed from Groovy code.

   step([$class: 'SecretBuildWrapper', bindings: [[$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret']]]) {
     sh 'echo $SECRET'
     writeFile file: 'secret.txt', text: env.SECRET
   }
   

2. Have a Step which takes a List<MultiBinding> and sets EnvVars overrides. Again potentially awkward if you need the secrets from Groovy code as opposed to being picked up directly by an external process.

   withCredentials([[$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret']]) {
     sh 'echo $SECRET'
     writeFile file: 'secret.txt', text: env.SECRET
   }
   

3. Have a Step which takes a List<MultiBinding> and returns the resulting Map<String,String> bindings, for use as you like. Unclear how this would work, since the step return value is not available from its body, and the SPI does not support passing local variables to a body.

   withCredentials(localVar: 'secrets', bindings: [[$class: 'StringBinding', variable: 'secret', credentialsId: 'mysecret']]) {
     sh "echo ${secrets.secret}"
     writeFile file: 'secret.txt', text: secrets.secret
   }
   

4. Have a Step which takes some other binding-like interface which has not yet been created, but which does not require the variable names to be specified. Again would require steps to be able to bind local variables. Unclear how to support multi-variable bindings like username/password.

   withCredentials(localVar: 'secret', binding: [$class: 'NoVarStringBinding', credentialsId: 'mysecret']) {
     sh "echo ${secret}"
     writeFile file: 'secret.txt', text: secret
   }
   

Currently going with #2 as this seems most practical.

Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/credentialsbinding/Binding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/MultiBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/SecretBuildWrapper.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/StringBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordMultiBinding.java
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/config.jelly
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help-bindings.html
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html
http://jenkins-ci.org/commit/credentials-binding-plugin/f23dd15d1098d1d2873f6f8c1c97a9cee82c9c53
Log:
JENKINS-26051 First draft of withCredentials step.

Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
http://jenkins-ci.org/commit/credentials-binding-plugin/707c1d82c1efa0c42e8daff6d487196c2c6dacbd
Log:
Trying to test JENKINS-26051 across restarts but blocked by JENKINS-26137.

Code changed in jenkins
User: Jesse Glick
Path:
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/serialization/RiverWriter.java
http://jenkins-ci.org/commit/workflow-plugin/3d3fa348ed9c34e4492b2733802bc47416824e30
Log:
JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
Also need to wait for the build to finish (JENKINS-26399).

Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/credentialsbinding/Binding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/MultiBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/SecretBuildWrapper.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/StringBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordBinding.java
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordMultiBinding.java
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/config.jelly
src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html
src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
http://jenkins-ci.org/commit/credentials-binding-plugin/15908dbe49b8184ba327b3d480ac10ba2a09e6b4
Log:
Merge pull request #3 from jenkinsci/workflow-JENKINS-26051

[FIXED JENKINS-26051] withCredentials step

Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/91e5d8e1a9af...15908dbe49b8

Code changed in jenkins
User: Jesse Glick
Path:
COMPATIBILITY.md
http://jenkins-ci.org/commit/workflow-plugin/5a9ae5b6704a95e548db86333ebccbbaceba56f3
Log:
JENKINS-26051 Noting.

Code changed in jenkins
User: Jesse Glick
Path:
support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/serialization/RiverWriter.java
http://jenkins-ci.org/commit/workflow-support-plugin/18ad074331b663f565633bf4fa8523ac68dc1a69
Log:
JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
Also need to wait for the build to finish (JENKINS-26399).
Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30

Code changed in jenkins
User: Jesse Glick
Path:
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
http://jenkins-ci.org/commit/workflow-basic-steps-plugin/85812e78a3ab6c837b59002082e30bdc16294688
Log:
JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
Also need to wait for the build to finish (JENKINS-26399).
Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30

Code changed in jenkins
User: Jesse Glick
Path:
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
http://jenkins-ci.org/commit/workflow-scm-step-plugin/7583bf18eda2968bebc10024b52aee00a3614149
Log:
JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
Also need to wait for the build to finish (JENKINS-26399).
Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30

Code changed in jenkins
User: Jesse Glick
Path:
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
http://jenkins-ci.org/commit/workflow-cps-plugin/89c28b4fca0eb81cf369ff699f7a4d801fc83e83
Log:
JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
Also need to wait for the build to finish (JENKINS-26399).
Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30

Code changed in jenkins
User: Jesse Glick
Path:
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
http://jenkins-ci.org/commit/workflow-multibranch-plugin/fe863c4a5ba855d65cd68588a71e5293f0bdf641
Log:
JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
Also need to wait for the build to finish (JENKINS-26399).
Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30