Issue

You observe that after upgrading your instance to use Pipeline: Groovy version 2.85 or higher, running the pipeline code shown below causes the credentials to be shown in the pipeline view.

node("your_node") {
withCredentials([string(credentialsId: "secret", variable: "mySecret")]) {
   
sh "echo mock login --secret '${MYSECRET}'"
sh "echo starting"
sh "echo exiting"

wrap([$class: "MaskPasswordsBuildWrapper", varPasswordPairs: [[var: "mySecret", password: mySecret]]]) {
    
sh "echo mock login --secret '${MYSECRET}' # wrapped"
sh "echo starting #  wrapped with maskpassword"
sh "echo exiting # wrapped with maskpassword"

}
}
}

Environment

• CloudBees CI (CloudBees Core)
• CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master
• CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
• CloudBees CI (CloudBees Core) on traditional platforms - Client Master
• CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
• CloudBees Jenkins Enterprise
• CloudBees Jenkins Enterprise - Managed Master
• CloudBees Jenkins Enterprise - Operations Center
• CloudBees Jenkins Platform - Client Master
• CloudBees Jenkins Platform - Operations Center
• CloudBees Jenkins Distribution
• Jenkins LTS
• Pipeline: Groovy
• Blue Ocean
• Credentials Binding

Resolution

The issue is related to a change in the way that Pipeline: Groovy intercepts groovy string interpolation. This change was included in version 2.85.

In order to solve the problem, you will need to install Credentials Binding 1.24 or higher.

This version solves the issues listed below:

• JENKINS-63254
• JENKINS-47101

It’s best to use single quotes (;) to surround the commands for a sh step, instead of double quotes (") (like the example code above), so that the variable expansion happens on the build agent, instead of using groovy string interpolation.

Tested product/plugin versions

• CloudBees Jenkins Platform - Client Master 2.249.1.2
• Pipeline: Groovy 2.90
• Blue Ocean 1.23.3