Herald rules to trigger Authenticated Jenkins Build

I have been using Herald rules to automatically trigger Jenkins builds on commits to git repo branches for quite some time. Access to Jenkins and my git repos requires authentication, so I am using an HTTP POST request with a specific set of credentials. For the above to work I had to disable CSRF protection in Jenkins, which was not optimal, but until now it was a trade I was willing to make.

With the latest version of Jenkins (235.2) disabling CSRF is more difficult and I can see how it would not be allowed in future releases which means I would like to find a solution that does not require disabling CSRF.

Jenkins documentation talks about 2 methods:

  • Using a crumb to validate your HTTP POST request or
  • Using an API token with the HTTP POST request

To use a crumb I need to make 2 HTTP requests, the first HTTP request would get the crumb from Jenkins and the second request would use the crumb to authenticate. I was not able to find any documentation on how to connect 2 separate HTTP requests in Herald. Is that even possible?

The second method does not work either because, as far as I can tell, Herald only supports username/password type credentials.

Is there any documentation or any other information available to help solve this problem?

The API token method does work (we’re using it successfully) – use the username the token is associated with and pass the token as the password.

See https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ for some examples / additional background.
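An added example, not part of the original thread: the request that results from the answer above, with the API token sent in the password position of HTTP Basic credentials so that CSRF protection can stay enabled in Jenkins. The host name, job path, user name and token are constructed placeholders, and the HTTPS check is an assumption of this sketch rather than something Herald or Jenkins enforces.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request


def build_trigger_request(base_url, job_path, user, api_token, params=None):
    """Build (without sending) the POST that queues a Jenkins build.

    job_path uses folder notation: "team/app" becomes /job/team/job/app.
    """
    # Basic auth only base64-encodes the token, so refuse cleartext transport.
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send an API token over a non-HTTPS URL")
    segments = "".join(
        "/job/" + urllib.parse.quote(name, safe="")
        for name in job_path.split("/") if name
    )
    # Parameterized jobs use a different endpoint from plain ones.
    endpoint = "/buildWithParameters" if params else "/build"
    url = base_url.rstrip("/") + segments + endpoint
    body = urllib.parse.urlencode(params or {}).encode()
    # The API token goes where the password would go in the Basic credentials.
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": "Basic " + creds},
    )


def trigger(request, timeout=10):
    """Send the request and return (HTTP status, queue item URL or None)."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 401/403: credentials rejected; returned so the caller can log it.
        return err.code, None


if __name__ == "__main__":
    # Constructed host, job, user and token, for illustration only.
    req = build_trigger_request("https://jenkins.example.com", "team/app",
                                "herald-bot", "CONSTRUCTED_TOKEN",
                                {"BRANCH": "master"})
    print(req.get_method(), req.full_url)
```

In Herald the same user name and token would be stored as the username/password credential attached to the build step; the token should belong to an account that can do nothing beyond starting the relevant jobs.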