In JENKINS-30116, I identified that the notifyCommit URLs should not have security applied to them. I was worried there were other URLs that shouldn't be secured either, but was unable to find a list on the Jenkins wiki.

Today I noticed that if you click the 'Delegate to servlet container' option in the security settings, it provides a full list:

These URLs (and URLs starting with these prefixes plus a /) should require no authentication. If possible, configure your container to pass these requests straight to Jenkins without requiring login.

cli
git
jnlpJars
subversion
whoAmI

Can you add this to the changes you made in JENKINS-30116?