Created by: damccorm
This will allow the token to be passed on PRs in without concern of it being stolen by a changed script. Without this, an attacker could change the npm run coveralls command in package.json in their PR so that it does something bad (e.g. sends them the token).
See https://github.com/gulpjs/gulp/pull/2299#issuecomment-475003985