After the new tickets opened, I re-try to reproduce the case with the new information. The migration of the credentials keys was meant to be done after InitMilestone.JOB_LOADED is triggered, from credentials, in SystemCredentialsProvider.forceLoadDuringStartup(). At this point the running user should be SYSTEM. I discovered that the migration could be triggered before, when the credentials are stored in folder, or when they are used in the configuration of an agent (like ssh-agents). But at this point, both migration were done using SYSTEM in my case and so, passing with success the permission check on RUN_SCRIPTS that was added especially for the security patch. So now, to go further, I need to have the logs from people that encountered the issues. Especially if they can reproduce the case, perhaps they could provide more information about all the plugins, the log file, the config file of their Jenkins, or anything else that could be useful (be careful to not upload credentials in plain text). What are you using as AuthorizationStrategy ? My hypothesis is something force the current running user to be anonymous instead of System during the startup/migration, (even temporally) and call the credentials while loading. "Call for witnesses" => People from this: Claudio B, Jon Brohauge, Stuart Whelan => People from JENKINS-54746: Florian Bäuerle, Darryl Pogue, Pieter-Jan Busschaert, Tom Ghyselinck, Makson Lee, Michael Mrozek, Torsten Landschoff, Matthew Stewart, Johannes Rudolph, Aaron Marasco, Beat Guggisberg => People from JENKINS-55971: Steve Graham |