More details:
I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):
jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')
^ per: https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6
I then generated a new token for my user, and set up my GitHub repo webhook as follows:
url: https://dev-jenkins.url.gov/job/testjob/build
secret: <user-token> (with admin/owner perms)
application/json
Then I click Apply and then click the test button from GitHub. 403.
I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.
Note my testing is done in a sandbox, but the issue is impacting my production Jenkins as well. I'd prefer not to roll back if possible.
There are also these items in the 2.204.6 upgrade doc:
- Remove Enable Security checkbox in the Global Security configuration. (issue 40228)
- Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)
These are not options in the UI in 2.222.1
Are you sure you have set up the CSRF Token correctly? Please also provide the REST API request you are invoking
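As an added illustration (not part of this thread), the two credentials in play here work differently: a GitHub webhook "secret" is only used to compute the X-Hub-Signature-256 HMAC over the delivery body and is never sent to the receiver, whereas Jenkins accepts a user API token as HTTP Basic credentials on the /job/<name>/build request, and requests authenticated that way are exempt from the crumb check. All names, URLs and secrets below are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholders, not values from the thread.
JENKINS_URL = "https://jenkins.example.test"
JOB = "testjob"
USER = "ci"
API_TOKEN = "token1"  # a real Jenkins API token is a long hex string
WEBHOOK_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"name":"testjob"}}'


def jenkins_build_request(base_url, job, user, api_token):
    """Remote-trigger request for /job/<job>/build authenticated with an
    API token via HTTP Basic auth. Jenkins' CrumbFilter does not require a
    crumb for API-token-authenticated requests, so no crumb header is set."""
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{base_url}/job/{job}/build",
        "headers": {"Authorization": f"Basic {cred}"},
    }


def github_signature(secret, body):
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw
    body keyed with the webhook secret. The secret itself never leaves
    GitHub, so the receiver cannot treat it as a login credential."""
    mac = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return "sha256=" + mac


def verify_github_signature(secret, body, header_value):
    """Receiver-side check of X-Hub-Signature-256 using a constant-time
    comparison; returns False for a tampered body or a wrong secret."""
    expected = github_signature(secret, body)
    return hmac.compare_digest(expected, header_value)


if __name__ == "__main__":
    req = jenkins_build_request(JENKINS_URL, JOB, USER, API_TOKEN)
    print(req["method"], req["url"], req["headers"])
    sig = github_signature(WEBHOOK_SECRET, SAMPLE_BODY)
    print("X-Hub-Signature-256:", sig)
    print("valid:", verify_github_signature(WEBHOOK_SECRET, SAMPLE_BODY, sig))
    print("tampered:", verify_github_signature(WEBHOOK_SECRET, SAMPLE_BODY + b" ", sig))
```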