How to put secure password in Jenkins Groovy parameter script

My overall goal is to create a build parameter in Jenkins which is a drop down for only release branches. I have been at this for some time and know there are many ways to do this. Let me run through a few that I have attempted and reason why particular methods will not work for my scenario and why the one I am attempting to do is likely the most suited for my application. ## My Current Attempt ## Right now I have Active Choice Parameter. (Others such as Extensible Choice and Extended Choice are also fine), and it has my groovy script in there. Which works exactly how I want it to, except I have to put in plain text my username and password for git.

def getBranches = ("git ls-remote https://:@github.com//.git ").execute()

def branchNameList = getBranches.text.readLines().collect {
  it.split()
}

def releaseBranchList = branchNameList.findAll { it =~ /refs\/heads\/release-candidate-20.*/ }

def humanReadableReleaseBranchList = releaseBranchList.collect {
  it.replaceAll('refs/heads/', '')
}

return humanReadableReleaseBranchList

I know this is not the prettiest, I'm new to groovy. ## What I've tried ## I have of course tried without the : and it fails. I also have tried user secret text or files option in the Build Environment section in order to try and get the environment variables of the github credentials. But after much fighting with this and reading the parameter plugin docs (active choice, extended choice, etc), apparently they do not have access to these environment variables. Those are apparently only accessible once it hits the build step. Unless I am misunderstanding. Which I did try just to make sure, but was unsuccessful. Here is an example of how I tried to get them. - Under Build Environment I selected the "User secret text or file - Gave it a name and selected my github creds - Then in the Groovy Active Parameter script I did something like the following (FYI: I tried several methods, not just this one. If you know of another way please let me know)

def envVars = Jenkins.instance.getGlobalNodeProperties().getEnvVars() 
def GITHUB_USER = envVars['GITHUB_USER']
def GITHUB_PASS = envVars['GITHUB_PASS']
def getBranches = ("git ls-remote https://GITHUB_USER:GITHUB_PASS@github.com//.git ").execute()

Again, I tried many ways. Maybe my syntax was wrong, again I'm very new to Groovy. I did trying something like def getBranches = ("git ls-remote https://" + GITHUB_USER + ":" + GITHUB_PASS + "@github.com//.git").execute() and def getBranches = ("git ls-remote https://${GITHUB_USER}:${GITHUB_PASS}@github.com//.git ").execute() ## Why I chose this method ## I know there are other approaches such as Jenkinsfile's for pipelines. I originally tried that. I did not have much success but I'm happy to try again if I can get past some things that were not working for me such as: - The git ls-remote repo is different than the repo which will container the Jenkinsfile. I could but I really don't want to put the Jenkinsfile in the repo I'm trying to porform the git options on because of the struggle of having to go through a ton of QA steps because it is application code. I can move much faster if I have my Jenkinsfile in a devops repo separate from the application code. - Adding the dynamic parameter did not always seem to update - I also tried using the github api, and for some reason, I got different branch results. Maybe I can attempt this again and figure out why, but I sunk a lot of time into this with no avail. I just wanted to check if there is possibly another solution I havn't found before turning to the Jenkinsfile Pipeline Multirepo checkout approach.