Get secretes from Jenkins

While moving CI scripts from Jenkins to GitHub Actions, I faced an issue with moving secrets and other environmental variables. Here are a few groove scripts that help me obtain most of the “Secret text”, “Username and password” and other creds that Jenkins stores.

Most of my CI scripts were using secretes from the Credentials section (Manage Jenkins -> Manage Credentials):
The easiest solution I found to obtain all the credentials and other secrets from Jenkins is using Groovy Script in Jenkins UI.
Open following address in browser:  {yourJenkinsInstallation}/script
And try one of both scripts to retrieve Jenkins secrets


import jenkins.*
import jenkins.model.*
import hudson.*
import hudson.model.*Object.metaClass.getPropertySafe =
{ delegate.hasProperty(it)?.getProperty(delegate) }

def jenkinsCredentials = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(

for (creds in jenkinsCredentials) {
print("id: " +;
for (attr in ["secret", "username", "password", "description"]) {
value = creds.getPropertySafe(attr);
if (value) {
print(" [" + attr + ":" + value + "] ");


import jenkins.model.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.impl.*
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl
import org.jenkinsci.plugins.plaincredentials.StringCredentials
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl

def showRow = { credentialType, secretId, username = null, password = null, description = null ->
println("${credentialType} : ".padLeft(20) + secretId?.padRight(38)+" | " +username?.padRight(20)+" | " +password?.padRight(40) + " | " +description)

// set Credentials domain name (null means is it global)
domainName = null

credentialsStore = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.getStore()
domain = new Domain(domainName, null, Collections.<DomainSpecification>emptyList())

if(it instanceof UsernamePasswordCredentialsImpl)
showRow("user/password",, it.username, it.password?.getPlainText(), it.description)
else if(it instanceof BasicSSHUserPrivateKey)
showRow("ssh priv key",, it.passphrase?.getPlainText(), it.privateKeySource?.getPrivateKey()?.getPlainText(), it.description)
else if(it instanceof AWSCredentialsImpl)
showRow("aws",, it.accessKey, it.secretKey?.getPlainText(), it.description)
else if(it instanceof StringCredentials)
showRow("secret text",, it.secret?.getPlainText(), '', it.description)
else if(it instanceof FileCredentialsImpl)
showRow("secret file",, it.content?.text, '', it.description)
showRow("something else",, '', '', '')


All the information for solving this issue I found online. Here are the useful links: