Configure bandit for 'spoils' usage

i.e. B380: No os.path.join misuse.

See https://github.com/bugsink/spoils

rather than think-carefully-and-explain-with-nosec, just switch to
safe_join: this saves future readers the pain of validating whether
all assumptions are (still) correct at a (small) performance cost.

See #175

.github/workflows/ci.yml

@@ -51,9 +51,9 @@ jobs:
         with:
           python-version: 3.12
 
-      - name: Install Bandit
+      - name: Install Bandit and Plugins
         run: |
-          pip install bandit
+          pip install bandit spoils
 
       - name: Run Bandit and format results
         shell: bash

bugsink/settings/development.py

@@ -3,6 +3,7 @@ from .default import BASE_DIR, LOGGING, DATABASES, I_AM_RUNNING
 
 import os
 
+from django.utils._os import safe_join
 from sentry_sdk_extensions.transport import MoreLoudlyFailingTransport
 
 from bugsink.utils import deduce_allowed_hosts, eat_your_own_dogfood
@@ -112,7 +113,7 @@ if not I_AM_RUNNING == "TEST":
         "local_flat_files": {
             "STORAGE": "events.storage.FileEventStorage",
             "OPTIONS": {
-                "basepath": os.path.join(BASE_DIR, "filestorage"),
+                "basepath": safe_join(BASE_DIR, "filestorage"),
             },
             "USE_FOR_WRITE": True,
         },