Option 5, a custom merge driver, is probably the way to get closest to what you want. It is surprisingly easy to do. Below is an example of one that I think should get you pretty close to the behavior you desire.
First, create a merge driver script called merge-and-verify-driver. Make it executable and put it in a suitable location (you may want to consider checking this script into the repo, even, since the repo’s config file is going to depend on it). Git is going to execute this shell script to perform the merge of the sensitive files:
#!/bin/bash
git merge-file "${1}" "${2}" "${3}"
exit 1
This just does the default merge behavior that Git itself normally does. The key difference is that the script always returns non-zero (to indicate that there was a conflict, even if the merge was actually resolved without conflicts).
Next, you need to tell Git about the existence of your custom merge driver. You do this in the repo’s config file (.git/config):
[merge "verify"]
name = merge and verify driver
driver = ./merge-and-verify-driver %A %O %B
In this example, I’ve put merge-and-verify-driver in the repo’s top level directory (./). You will need to specify the path to the script accordingly.
Now, you just need to give the sensitive files the proper attributes so that the custom merge driver is used when merging those files. Add this to your .gitattributes file:
*.sensitive merge=verify
Here, I’ve told Git that any file with a name matching the pattern *.sensitive should use the custom merge driver. Obviously, you need to use pattern that is appropriate for your file(s).