Bug
Resolution: Cannot Reproduce
Major
None
My pipeline script started failing after updating the Ansible plugin to 217.v1696cee03265. I expect the changes for SECURITY-3017 caused this. My pipeline script does this:
{{
script.steps.withCredentials([
    [$class: 'FileBinding', credentialsId: ansibleVaultCredentialsId, variable: 'VAULT_FILE']
]) {
    script.steps.ansiblePlaybook(
        playbook: ... blah blah,
        extras: "--vault-password-file=${script.env.VAULT_FILE}"
    )
}
}}
In the output of the script I see
{{
Warning: A secret was passed to "ansiblePlaybook" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [VAULT_FILE]
}}
and then an exception is thrown:
{{
java.lang.NullPointerException
at org.jenkinsci.plugins.ansible.AbstractAnsibleInvocation.appendExtraVars(AbstractAnsibleInvocation.java:124)
at org.jenkinsci.plugins.ansible.AnsiblePlaybookInvocation.appendExtraVars(AnsiblePlaybookInvocation.java:31)
at org.jenkinsci.plugins.ansible.AnsiblePlaybookInvocation.buildCommandLine(AnsiblePlaybookInvocation.java:117)
...
}}
Note, however, that I am not passing a secret via string interpolation. The secret is going into a file, and the environment variable's content is the file name, not the secret itself.
I understand that the file binding approach has its own issues, but the code changes with SECURITY-3017 appear to have been made without considering the use of file binding for secrets.