Workflow question: Forks + Third Party Services

Example scenario:
I have an open source project, and on every PR I would like to run code coverage through a third party service (i.e. Coveralls). To upload results to Coveralls I must use a secure environment variable that contains my upload token. Now, on forks these variables are not allowed for obvious security reasons.

My question: Is there anyone actually using a workflow as I described on open source repositories? Seems like Travis has a “solve” for this by using JWTs and working with third parties that support these. ( )

Aside: This workflow is somewhat discussed here as well as a possible workaround where a human could look over the content of a PR decide if it should be built or not (if the PR contains suspect code that could exploit circles) and then could be triggered to build (if Circle supported overriding building of forks via an API trigger which it does not): API Trigger build of pull request from fork