You could use .gitattributes to filter the contents:
.gitattributes

    secrets.h filter=secret merge=keepMine

.git/config

    [filter "secret"]
        clean  = echo "// replace the next line with the sensitive data"
        smudge = cat

    [merge "keepMine"]
        name   = always keep mine during merge
        driver = /bin/true %O %A %B

I threw in a 'keepMine' merge to prevent accidental merges. However, AFAIK merge should not even kick in, as local changes would be effectively 'invisible' due to the clean filter step. Regardless of what's actually in secrets.h, the repo file will always contain:

    // replace the next line with the sensitive data

E.g.:

    /tmp/work$ echo '// agent 007 reporting for duty' > secrets.h
    /tmp/work$ git status -s
    M secrets.h
    /tmp/work$ git diff
    /tmp/work$ git cat-file -p HEAD:secrets.h
    // secret contents not in repo
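
An added example, not part of the original answer: it builds a throwaway repository, applies the filter configuration above, and shows which bytes end up in the committed blob. Because the filter lives in .git/config, which a clone does not copy, it also includes a check that the filter is defined before relying on it (without it, git add stores secrets.h verbatim). The function names, temporary paths, commit identity and sample secret are constructed for illustration.

```shell
#!/bin/sh
# Added example; the temp repo, function names and sample secret are constructed.

# Define the answer's clean/smudge filter and merge driver in the repo at $1.
setup_secret_filter() {
    git -C "$1" config filter.secret.clean \
        'echo "// replace the next line with the sensitive data"'
    git -C "$1" config filter.secret.smudge cat
    git -C "$1" config merge.keepMine.name 'always keep mine during merge'
    git -C "$1" config merge.keepMine.driver '/bin/true %O %A %B'
}

# Succeeds only if the clean filter is defined for the repo at $1.
# A fresh clone has no such entry until setup_secret_filter is run in it.
filter_configured() {
    git -C "$1" config --get filter.secret.clean >/dev/null
}

# Commit a secrets.h holding a (constructed) secret through the filter
# and print the blob that git actually stored for it.
committed_blob() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo"
    setup_secret_filter "$repo"
    echo 'secrets.h filter=secret merge=keepMine' > "$repo/.gitattributes"
    echo '#define API_KEY "constructed-sample-value"' > "$repo/secrets.h"
    git -C "$repo" add .gitattributes secrets.h
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'add secrets.h through the clean filter'
    git -C "$repo" cat-file -p HEAD:secrets.h
    rm -rf "$repo"
}
```

Calling `filter_configured .` from a pre-commit hook and aborting when it fails keeps a missing filter from going unnoticed.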