diff --git a/cmd/gh/main.go b/cmd/gh/main.go
index a0eba09a5..e20452808 100644
--- a/cmd/gh/main.go
+++ b/cmd/gh/main.go
@@ -163,12 +163,19 @@ func main() {
 
 	newRelease := <-updateMessageChan
 	if newRelease != nil {
-		ghExe, _ := os.Executable()
+		isHomebrew := false
+		if ghExe, err := os.Executable(); err == nil {
+			isHomebrew = isUnderHomebrew(ghExe)
+		}
+		if isHomebrew && isRecentRelease(newRelease.PublishedAt) {
+			// do not notify Homebrew users before the version bump had a chance to get merged into homebrew-core
+			return
+		}
 		fmt.Fprintf(stderr, "\n\n%s %s → %s\n",
 			ansi.Color("A new release of gh is available:", "yellow"),
 			ansi.Color(buildVersion, "cyan"),
 			ansi.Color(newRelease.Version, "cyan"))
-		if suggestBrewUpgrade(newRelease, ghExe) {
+		if isHomebrew {
 			fmt.Fprintf(stderr, "To upgrade, run: %s\n", "brew update && brew upgrade gh")
 		}
 		fmt.Fprintf(stderr, "%s\n\n",
@@ -265,13 +272,12 @@ func apiVerboseLog() api.ClientOption {
 	return api.VerboseLog(colorable.NewColorable(os.Stderr), logTraffic, colorize)
 }
 
-// Suggest to `brew upgrade gh` only if gh was found under homebrew prefix and when the release was
-// published over 24h ago, allowing homebrew-core ample time to merge the formula bump.
-func suggestBrewUpgrade(rel *update.ReleaseInfo, ghBinary string) bool {
-	if rel.PublishedAt.IsZero() || time.Since(rel.PublishedAt) < time.Duration(time.Hour*24) {
-		return false
-	}
+func isRecentRelease(publishedAt time.Time) bool {
+	return !publishedAt.IsZero() && time.Since(publishedAt) < time.Hour*24
+}
 
+// Check whether the gh binary was found under the Homebrew prefix
+func isUnderHomebrew(ghBinary string) bool {
 	brewExe, err := safeexec.LookPath("brew")
 	if err != nil {
 		return false
diff --git a/pkg/cmd/auth/gitcredential/helper.go b/pkg/cmd/auth/gitcredential/helper.go
index c62cef3a8..4f80afbe7 100644
--- a/pkg/cmd/auth/gitcredential/helper.go
+++ b/pkg/cmd/auth/gitcredential/helper.go
@@ -11,8 +11,10 @@ import (
 	"github.com/spf13/cobra"
 )
 
+const tokenUser = "x-access-token"
+
 type config interface {
-	Get(string, string) (string, error)
+	GetWithSource(string, string) (string, string, error)
 }
 
 type CredentialOptions struct {
@@ -98,13 +100,19 @@ func helperRun(opts *CredentialOptions) error {
 		return err
 	}
 
-	gotUser, _ := cfg.Get(wants["host"], "user")
-	gotToken, _ := cfg.Get(wants["host"], "oauth_token")
+	var gotUser string
+	gotToken, source, _ := cfg.GetWithSource(wants["host"], "oauth_token")
+	if strings.HasSuffix(source, "_TOKEN") {
+		gotUser = tokenUser
+	} else {
+		gotUser, _, _ = cfg.GetWithSource(wants["host"], "user")
+	}
+
 	if gotUser == "" || gotToken == "" {
 		return cmdutil.SilentError
 	}
 
-	if wants["username"] != "" && !strings.EqualFold(wants["username"], gotUser) {
+	if wants["username"] != "" && gotUser != tokenUser && !strings.EqualFold(wants["username"], gotUser) {
 		return cmdutil.SilentError
 	}
 
diff --git a/pkg/cmd/auth/gitcredential/helper_test.go b/pkg/cmd/auth/gitcredential/helper_test.go
index 336d4ef34..c8f449526 100644
--- a/pkg/cmd/auth/gitcredential/helper_test.go
+++ b/pkg/cmd/auth/gitcredential/helper_test.go
@@ -10,8 +10,8 @@ import (
 
 type tinyConfig map[string]string
 
-func (c tinyConfig) Get(host, key string) (string, error) {
-	return c[fmt.Sprintf("%s:%s", host, key)], nil
+func (c tinyConfig) GetWithSource(host, key string) (string, string, error) {
+	return c[fmt.Sprintf("%s:%s", host, key)], c["_source"], nil
 }
 
 func Test_helperRun(t *testing.T) {
@@ -29,6 +29,7 @@ func Test_helperRun(t *testing.T) {
 				Operation: "get",
 				Config: func() (config, error) {
 					return tinyConfig{
+						"_source":                 "/Users/monalisa/.config/gh/hosts.yml",
 						"example.com:user":        "monalisa",
 						"example.com:oauth_token": "OTOKEN",
 					}, nil
@@ -53,6 +54,7 @@ func Test_helperRun(t *testing.T) {
 				Operation: "get",
 				Config: func() (config, error) {
 					return tinyConfig{
+						"_source":                 "/Users/monalisa/.config/gh/hosts.yml",
 						"example.com:user":        "monalisa",
 						"example.com:oauth_token": "OTOKEN",
 					}, nil
@@ -78,6 +80,7 @@ func Test_helperRun(t *testing.T) {
 				Operation: "get",
 				Config: func() (config, error) {
 					return tinyConfig{
+						"_source":                 "/Users/monalisa/.config/gh/hosts.yml",
 						"example.com:user":        "monalisa",
 						"example.com:oauth_token": "OTOKEN",
 					}, nil
@@ -101,6 +104,7 @@ func Test_helperRun(t *testing.T) {
 				Operation: "get",
 				Config: func() (config, error) {
 					return tinyConfig{
+						"_source":          "/Users/monalisa/.config/gh/hosts.yml",
 						"example.com:user": "monalisa",
 					}, nil
 				},
@@ -119,6 +123,7 @@ func Test_helperRun(t *testing.T) {
 				Operation: "get",
 				Config: func() (config, error) {
 					return tinyConfig{
+						"_source":                 "/Users/monalisa/.config/gh/hosts.yml",
 						"example.com:user":        "monalisa",
 						"example.com:oauth_token": "OTOKEN",
 					}, nil
@@ -133,6 +138,31 @@ func Test_helperRun(t *testing.T) {
 			wantStdout: "",
 			wantStderr: "",
 		},
+		{
+			name: "token from env",
+			opts: CredentialOptions{
+				Operation: "get",
+				Config: func() (config, error) {
+					return tinyConfig{
+						"_source":                 "GITHUB_ENTERPRISE_TOKEN",
+						"example.com:oauth_token": "OTOKEN",
+					}, nil
+				},
+			},
+			input: heredoc.Doc(`
+				protocol=https
+				host=example.com
+				username=hubot
+			`),
+			wantErr: false,
+			wantStdout: heredoc.Doc(`
+				protocol=https
+				host=example.com
+				username=x-access-token
+				password=OTOKEN
+			`),
+			wantStderr: "",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {