Readers should be aware that your SQL code examples are vulnerable to SQL injection! See the documentation for psycopg about properly passing parameters to SQL queries. Putting aside the security implications, even during legitimate use, this service will break the moment you use apostrophes in a commit message.
If you use Python’s built-in string formatter, it will not properly escape strings before substituting them into the query. Instead, pass the parameters directly to the psycopg execute method and use its placeholder syntax. It will automatically convert the string parameters to valid, escaped SQL.
These rules apply to any other place where you’re generating code from code. When you’re generating string literals, make sure they’re escaped correctly, or you will have a headache later.
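The failure the comment describes, shown side by side, as an added example that is not part of the original article or of this comment. Because psycopg needs a live PostgreSQL server, the example stands in Python's bundled sqlite3 module, which exposes the same execute(sql, params) calling shape; the only difference assumed here is the placeholder token (sqlite3 uses ?, psycopg uses %s). The commit table, SHAs and messages are constructed sample data.

```python
import sqlite3

# Constructed sample commits. The second message contains an apostrophe,
# which is exactly the input that breaks naive string formatting.
SAMPLE_COMMITS = [
    ("a1b2c3", "Initial import"),
    ("d4e5f6", "Fix parser; don't crash on empty input"),
]


def make_db():
    """In-memory SQLite database standing in for the Postgres instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE commits (sha TEXT PRIMARY KEY, message TEXT)")
    return conn


def insert_formatted(conn, sha, message):
    """The broken pattern: Python string formatting builds the SQL text,
    so any quote inside the input becomes part of the query itself."""
    query = f"INSERT INTO commits (sha, message) VALUES ('{sha}', '{message}')"
    conn.execute(query)


def insert_parameterized(conn, sha, message):
    """The correct pattern: values travel separately from the SQL text and
    are never spliced into it. sqlite3 uses ? placeholders; with psycopg the
    same call reads:
        cur.execute("INSERT INTO commits (sha, message) VALUES (%s, %s)",
                    (sha, message))
    """
    conn.execute(
        "INSERT INTO commits (sha, message) VALUES (?, ?)", (sha, message)
    )


def fetch_message(conn, sha):
    """Read back the stored message for one SHA (parameterized as well)."""
    row = conn.execute(
        "SELECT message FROM commits WHERE sha = ?", (sha,)
    ).fetchone()
    return row[0] if row else None


def try_insert(inserter, sha, message):
    """Run one insert against a fresh database and return either the message
    as stored or the name of the database error the insert raised."""
    conn = make_db()
    try:
        inserter(conn, sha, message)
    except sqlite3.Error as exc:
        return f"error: {type(exc).__name__}"
    return fetch_message(conn, sha)


def compare_all():
    """Map each sample message to (formatted result, parameterized result)."""
    return {
        msg: (
            try_insert(insert_formatted, sha, msg),
            try_insert(insert_parameterized, sha, msg),
        )
        for sha, msg in SAMPLE_COMMITS
    }


if __name__ == "__main__":
    for msg, (formatted, parameterized) in compare_all().items():
        print(f"{msg!r}")
        print(f"  formatted:     {formatted}")
        print(f"  parameterized: {parameterized}")
```

The plain message succeeds either way, which is why the bug hides during testing. The message with an apostrophe turns the formatted query into a syntax error, while the parameterized insert stores it verbatim: the driver treats the value as data, never as SQL, so both the breakage and the injection risk disappear together.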