Getting an issue with "Failed to decrypt field token" after migrating secrets

[terrymun]

We are trying to migrate from using inlined, encrypted tokens in our Renovate bot config, e.g.:

"hostRules": [
  {
    "matchHost": "https://api.github.com/repos/<ORG_NAME>/",
    "hostType": "github-tags",
    "encrypted": {
      "token": "{{ secrets.GITHUB_HOST_TOKEN }}"
    }
  }
],

We followed the guide and created a token called GITHUB_HOST_TOKEN on the app settings page:

However, the app still complains that it is unable to decrypt the token:

The relevant part of the debug log is as follow:

DEBUG: Found encrypted config
{
  "config": {
    "token": "***********"
  }
}

DEBUG: Trying to decrypt token
DEBUG: Trying to decrypt with old private key
DEBUG: Could not decrypt using default padding
DEBUG: Could not decrypt using PKCS1 padding
INFO: Repository has invalid config
{
  "error": {
    "validationError": "Failed to decrypt field token. Please re-encrypt and try again.",
    "message": "config-validation",
    "stack": "Error: config-validation\n    at decryptConfig (/usr/local/renovate/lib/config/decrypt.ts:162:27)\n    at decryptConfig (/usr/local/renovate/lib/config/decrypt.ts:208:13)\n    at mergeRenovateConfig (/usr/local/renovate/lib/workers/repository/init/merge.ts:218:27)\n    at getRepoConfig (/usr/local/renovate/lib/workers/repository/init/config.ts:14:12)\n    at initRepo (/usr/local/renovate/lib/workers/repository/init/index.ts:56:12)\n    at Object.renovateRepository (/usr/local/renovate/lib/workers/repository/index.ts:64:14)\n    at attributes.repository (/usr/local/renovate/lib/workers/global/index.ts:202:11)\n    at start (/usr/local/renovate/lib/workers/global/index.ts:187:7)\n    at /usr/local/renovate/lib/renovate.ts:18:22"
  }
}

For additional contexts, we have:

• tried using the original encrypted token and pasting it as-is
• tried creating a new encrypted token and pasting it as-is
• tried pasting the plain text, unencrypted token