Avoid unauthenticated clone requests

This issue is archived.

The normal workflow for git with http/https URLs is to first try to access the URL unauthenticated and only send credentials after that request was denied with a 401 HTTP response. This might interact badly with git host rate limiting (see, for example, https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147112 in GitLab) or even external rate-limiting in WAFs.

Git acquired a new option (http.proactiveAuth) in v2.46.0, which avoids this step. It would be nice if Jenkins could set this flag on clone/fetch operations.

For reference: This is something that actually happened to me: Multiple CI jobs (mixed GitLab Runner & Jenkins CI nodes) were running on the same k8s node and their combined Git requests triggered a rate-limit of that IP in GitLab.

Assignee: Unassigned
Reporter: Tobias Gruetzmacher
Archiver: Jenkins Service Account
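A sketch of how a CI wrapper could apply the option from the request above; this is an added example, not code from the issue, Jenkins or Git. The function names and the `gitlab.example.com` URL are hypothetical, and it assumes credentials are already available to git (for example through a credential helper). Because credentials go out on the first request, it only enables the option for `https://` remotes and for git 2.46.0 or newer.

```shell
#!/bin/sh
# Added example: decide per remote whether to pass http.proactiveAuth.
# All function names below are hypothetical helpers.

# Return 0 if a `git --version` string reports 2.46.0 or newer.
git_supports_proactive_auth() {
    pa_ver=${1#git version }                  # "2.46.0", "2.39.5 (Apple ...)"
    pa_major=${pa_ver%%.*}
    pa_minor=${pa_ver#*.}; pa_minor=${pa_minor%%.*}
    case "$pa_major" in ""|*[!0-9]*) return 1 ;; esac   # unparsable: assume old
    case "$pa_minor" in ""|*[!0-9]*) return 1 ;; esac
    [ "$pa_major" -gt 2 ] || { [ "$pa_major" -eq 2 ] && [ "$pa_minor" -ge 46 ]; }
}

# Print the http.proactiveAuth value to use for URL $1 with git version
# string $2, or print nothing when the option must not be set.
proactive_auth_mode() {
    case "$1" in
        https://*) ;;            # TLS only: Basic credentials are sent up front
        *) return 0 ;;           # http://, ssh://, file paths: leave git's default
    esac
    git_supports_proactive_auth "$2" || return 0
    printf '%s\n' basic
}

# Clone with the option when applicable; falls back to a plain clone, which
# keeps the unauthenticated-then-401 behaviour described above.
clone_with_proactive_auth() {
    pa_mode=$(proactive_auth_mode "$1" "$(git --version)")
    if [ -n "$pa_mode" ]; then
        git -c "http.proactiveAuth=$pa_mode" clone "$@"
    else
        git clone "$@"
    fi
}

# Usage (placeholder URL):
#   clone_with_proactive_auth https://gitlab.example.com/group/project.git
```
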