Tags: ruby-on-rails, ruby, cucumber, watir

CSRF in automation


Say we have some automation that tests POST requests. Those POST requests won't work without a CSRF token being included, because of Rails' built-in CSRF protection.

What is the best practice for running automation in this case?
Do we need to include a CSRF token with every custom non-GET request? (If 'yes', then 'how?')
Or is it better to configure the app to disable CSRF protection for automation stuff?


Solution

  • I'm not sure what made you ask that question in the first place, but I'm glad to answer it :)

    The short answer is that it depends on the tools you're going to use for automation tests. If you're going to use the tools in your answer's tags - cucumber with watir - then everything works as expected, since these tools will automate the browser directly.

    This means that the tests will behave similarly to a real-life user - if the CSRF token check works for a real-life user then it will also work in your automated tests. You are not going to make any POST requests manually with these tests (at least you shouldn't), but you will fill out a form on the web page and submit that form - this means that the CSRF token generated by Rails will also be submitted and everything will be fine and dandy.

    However, if for some strange reason you need to craft POST requests manually, then you have to disable the CSRF check for the test environment.
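For the question's "how?" and the answer's last case (a test that crafts a non-GET request by hand instead of driving the browser), here is an added Ruby example that is not part of the question or the answer: it replays what the browser does by pulling the authenticity token out of a rendered page and sending it back together with the session cookie, so the protection can stay switched on. The sample HTML, the `/posts` URL, the `post[title]` field and the `_myapp_session` cookie name are constructed assumptions.

```ruby
require 'net/http'
require 'cgi'

# Rails renders the token twice: as a hidden input inside each form
# (name="authenticity_token") and as a <meta name="csrf-token"> tag for JS.
# Prefer the form field, fall back to the meta tag, nil if neither is present.
def extract_csrf_token(html)
  hidden = html.match(/name="authenticity_token"\s+value="([^"]*)"/)
  return CGI.unescapeHTML(hidden[1]) if hidden
  meta = html.match(/<meta\s+name="csrf-token"\s+content="([^"]*)"/)
  meta ? CGI.unescapeHTML(meta[1]) : nil
end

# Build the POST the way a submitted form looks on the wire: the token travels
# in the form body, and the session cookie that issued it is sent back, since
# Rails checks the token against the one stored in that session.
def build_form_post(uri, token, session_cookie, fields)
  req = Net::HTTP::Post.new(uri)
  req['Cookie'] = session_cookie
  req.set_form_data(fields.merge('authenticity_token' => token))
  req
end

# Constructed sample of what GET /posts/new might render; not from a real app.
SAMPLE_FORM_HTML = <<~HTML
  <meta name="csrf-token" content="metaTOKEN==" />
  <form action="/posts" method="post">
    <input type="hidden" name="authenticity_token" value="formTOKEN+abc==" />
    <input type="text" name="post[title]" />
  </form>
HTML

# In a live test the HTML and the cookie come from one GET (body and Set-Cookie
# header); here both are constructed. Cookie name and URL are hypothetical.
def csrf_aware_post_example
  token = extract_csrf_token(SAMPLE_FORM_HTML)
  cookie = '_myapp_session=constructed-session-value'
  build_form_post(URI('http://localhost:3000/posts'), token, cookie,
                  'post[title]' => 'hello')
end

if $PROGRAM_NAME == __FILE__
  req = csrf_aware_post_example
  puts req.body # post%5Btitle%5D=hello&authenticity_token=formTOKEN%2Babc%3D%3D
end
```

The other route the answer mentions is the `config.action_controller.allow_forgery_protection = false` line that a generated `config/environments/test.rb` already carries; it belongs in that environment file only, so the check stays active everywhere else.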