I am on the Coveralls.io site and it says:

If you intend to submit coverage data via a private CI or command line other than Travis Pro, add the following line to your .coveralls.yml :

repo_token: k8hiVxiMr6UyolotPFQerkKWwOoYfbB

Note: Do not make your repo token public.

My question is - what is the best way to include this token in the .coveralls.yml file but make it private?

One would be to not check in .coveralls.yml into version control, but this seems very inconvenient. Also, it could accidentally make into version control, and then that would be bad.

The other idea would be to make it an env variable, but then how would I read that into YAML? How would that work on CI/CD servers? It wouldn't.

So what the heck do I do?

TLDR;

Export COVERALLS_REPO_TOKEN as an environment variable in the job on your CI server.

From the Docs

When using CircleCI, Jenkins, Semaphore, or Codeship you must either include your repo token in a .coveralls.yml file or, if you don't want it under source control, set it in your build config like this in the "Test Commands" (CircleCI) or "Build Commands" (Semaphore) section of the project settings:

COVERALLS_REPO_TOKEN=asdfasdf bundle exec rspec spec