I will second the submodule answer, but try to provide some clarification. First, git does not deal with files but with commits. There is no way to filter files or paths in a branch because a branch is really a pointer to a commit. When you exclude or ignore you are just keeping files from being added to your repository. none of the 'sensitive files' files are even in the repository, just in your working directory.
The submodule is just a reference to another repository stored in your repository, and a specific commit that that checked out repository is tracking. you can say update using
git submodule update --recursive sensitive-files
In order to simplify things, you can commit symlinks in the proper place pointing to the submodule path.
ln -sf sensitive-files/shadow passwd
Then add the symlink as you would any other file..
Remember the submodule is just a checked out git repository, you can easily restrict access to that actual repository and make the main one public.
Updated:
Sorry I missed the notification, if you are still working on this.
You can have multiple symlinks in your private repository referencing the private repository (submodule) which is checked out in a subdirectory.Each of the databases or whatever used by the Rails instance could be a symlink into that private subdirectory.
Also, you don' t need a remote pointing to the private repository, just an entry in the .gitmodules file which is maintained automatically by git submodule. You would still need to protect the private repository so that only your Heroku instance could access it. For that I would suggest installing gitosis on a server if you can or use some other private git hosting solution. Add the public ssh key matching your instances private key tothe list of allowed users. (I'm not familiar with how to do this in Heroku.)
When you push your changes to heroku it should recursive download all the submodules mentioned in the repository.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…