diff --git a/build-node-image.sh b/build-node-image.sh
index c0d1fddf..9afa0e64 100755
--- a/build-node-image.sh
+++ b/build-node-image.sh
@@ -33,9 +33,125 @@ fi
 # https://github.com/CentOS/centos-bootc/issues/393
 mkdir -p /var/opt
-# this is where all the real work happens
-rpm-ostree experimental compose treefile-apply \
- --var "osversion=${ID}-${VERSION_ID}" /run/src/packages-openshift.yaml
+# Disable repos that don't match the current OS version to avoid 401 errors
+# when rpm-ostree tries to access all repos. This replicates the conditional-include
+# logic that was previously in packages-openshift.yaml.
+if [ "$ID" = "rhel" ]; then
+ if [ "$VERSION_ID" = "9.8" ]; then
+ # Disable rhel-10.2 and centos repos for rhel-9.8 builds
+ for repo in /etc/yum.repos.d/{ocp,git,secret}.repo; do
+ [ -f "$repo" ] && sed -i -E '/^\[(rhel-10\.2|c10s)/,/^$/s/^enabled=1$/enabled=0/g' "$repo"
+ done
+ elif [ "$VERSION_ID" = "10.2" ]; then
+ # Disable rhel-9 and centos repos for rhel-10.2 builds
+ for repo in /etc/yum.repos.d/{ocp,git,secret}.repo; do
+ [ -f "$repo" ] && sed -i -E '/^\[(rhel-9|c10s)/,/^$/s/^enabled=1$/enabled=0/g' "$repo"
+ done
+ fi
+elif [ "$ID" = "centos" ] && [ "$VERSION_ID" = "10" ]; then
+ # Disable rhel repos for centos-10 builds
+ for repo in /etc/yum.repos.d/{ocp,git,secret}.repo; do
+ [ -f "$repo" ] && sed -i -E '/^\[rhel-/,/^$/s/^enabled=1$/enabled=0/g' "$repo"
+ done
+fi
+
+# Install the OCP packages. Repos have been configured above.
+rpm-ostree install \
+ cri-o cri-tools conmon-rs \
+ openshift-clients openshift-kubelet \
+ openvswitch3.5 \
+ NetworkManager-ovs \
+ ose-aws-ecr-image-credential-provider \
+ ose-azure-acr-image-credential-provider \
+ ose-gcp-gcr-image-credential-provider \
+ ose-crio-credential-provider
+
+# --- postprocess steps ---
+# These were previously in the `postprocess` section of packages-openshift.yaml.
+
+# Disable any built-in repos. We need to work in disconnected environments by
+# default, and default-enabled repos will be attempted to be fetched by
+# rpm-ostree when doing node-local kernel overrides today for e.g. kernel-rt.
+mkdir -p /etc/yum.repos.d
+for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
+ # ignore repo files that are mountpoints since they're likely secrets
+ if ! mountpoint "$x"; then
+ sed -i -e 's/enabled\s*=\s*1/enabled=0/g' "$x"
+ fi
+done
+
+# Enable librhsm which enables host subscriptions to work in containers
+# https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
+ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+ln -sr /run/secrets/rhsm /etc/rhsm-host
+
+# Manually modify SELinux booleans that are needed for OCP use cases
+semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
+semanage boolean --modify --on virt_use_samba # RHBZ#1754825
+
+# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+# https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+mkdir -p /usr/share/containers/oci/hooks.d
+
+# crio conmon symlink
+mkdir -p /usr/libexec/crio
+ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
+
+# Inject OpenShift-specific release fields
+cat >> /usr/lib/os-release < /etc/motd < /usr/lib/tmpfiles.d/openshift.conf << EOF
+L /opt/cni - - - - ../../usr/lib/opt/cni
+d /var/lib/cni 0755 root root - -
+d /var/lib/cni/bin 0755 root root - -
+d /var/lib/containers 0755 root root - -
+d /var/lib/openvswitch 0755 root root - -
+d /var/lib/openvswitch/pki 0755 root root - -
+d /var/log/openvswitch 0750 openvswitch hugetlbfs - -
+d /var/lib/unbound 0755 unbound unbound - -
+EOF
+fi
+
+# --- end postprocess steps ---
 # cleanup any repo files we injected
 rm -f /etc/yum.repos.d/{ocp,git,okd}.repo
diff --git a/packages-openshift.yaml b/packages-openshift.yaml
deleted file mode 100644
index 1a1d9ae7..00000000
--- a/packages-openshift.yaml
+++ /dev/null
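Review bot: The version dispatch that replaces the deleted conditional-include has no else branch on either the outer or the inner `if`, so an unrecognized `${ID}-${VERSION_ID}` falls through with every injected repo still enabled and `rpm-ostree install` proceeds against whatever it can reach, whereas the removed YAML deliberately failed for that case (`repos: [ENOEXIST] # We want an error in this case`). Add a terminating arm to both, e.g. before the closing `fi`: `else` / `printf 'unsupported osversion %s-%s\n' "$ID" "$VERSION_ID" >&2` / `exit 1`. The sed ranges also assume each repo section ends at a blank line and that the key is written exactly `enabled=1`, while the postprocess loop further down tolerates `enabled\s*=\s*1`; a repo file without blank separators or with spaces around `=` would keep a mismatched repo enabled, so the two loops should share one pattern. Finally, the version loop runs `sed -i` on `secret.repo` unconditionally while the postprocess loop skips mountpoints because they are likely secrets; if that file is bind-mounted the in-place rewrite will presumably fail or be lost, so the same `mountpoint` guard belongs in the new loop.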
@@ -1,173 +0,0 @@
-metadata:
- # This should match the /etc/os-release manipulation we do below when
- # injecting `OPENSHIFT_VERSION`. It's used by CI to determine the repos to
- # inject when building the layered image.
- ocp_version: "5.0"
-
-conditional-include:
- - if:
- - osversion != "rhel-9.8"
- - osversion != "rhel-10.2"
- - osversion != "centos-10"
- include:
- repos: [ENOEXIST] # We want an error in this case
- - if: osversion == "rhel-9.8"
- include:
- repos:
- - rhel-9-baseos
- - rhel-9-appstream
- - rhel-9.8-early-kernel
- - rhel-9-fast-datapath
- - rhel-9-server-ose
- - if: osversion == "rhel-10.2"
- include:
- repos:
- - rhel-10.2-baseos
- - rhel-10.2-appstream
- - rhel-10.2-early-kernel
- - rhel-10.2-fast-datapath
- - rhel-10.2-server-ose-5.0
- - if: osversion == "centos-10"
- include:
- repos:
- - c10s-baseos
- - c10s-appstream
- - c10s-sig-nfv
- - c10s-sig-cloud-okd
- # XXX: this shouldn't be here; see related XXX in build-node-image.sh
- - rhel-10.2-server-ose-5.0-okd
-
-packages:
- # The packages below are required by OpenShift/OKD
- # but are not present in CentOS Stream and RHEL.
- - cri-o cri-tools conmon-rs
- - openshift-clients openshift-kubelet
- - openvswitch3.5
- # The packages below are present in CentOS Stream/RHEL,
- # and depend on one or more of the above.
- - NetworkManager-ovs
- - ose-aws-ecr-image-credential-provider
- - ose-azure-acr-image-credential-provider
- - ose-gcp-gcr-image-credential-provider
- - ose-crio-credential-provider
-
-postprocess:
- # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
- # so that the MCO can use it by default and not trip over SELinux issues trying
- # to create it.
- - |
- #!/usr/bin/bash
- set -euo pipefail
- mkdir -p /etc/yum.repos.d
-
- # If there *are* repos built-in (e.g. c9s), disable them.
- # We need to work in disconnected environments by default, and default-enabled
- # repos will be attempted to be fetched by rpm-ostree when doing node-local
- # kernel overrides today for e.g. kernel-rt.
- for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
- # ignore repo files that are mountpoints since they're likely secrets
- if ! mountpoint "$x"; then
- sed -i -e 's/enabled\s*=\s*1/enabled=0/g' $x
- fi
- done
-
- # These enable librhsm which enables host subscriptions to work in containers
- # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
- - |
- #!/usr/bin/bash
- set -euo pipefail
- ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
- ln -sr /run/secrets/rhsm /etc/rhsm-host
-
- - |
- #!/usr/bin/env bash
- set -xeuo pipefail
- # manually modify SELinux booleans that are needed for OCP use cases
- semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
- semanage boolean --modify --on virt_use_samba # RHBZ#1754825
-
- # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
- # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
- - |
- #!/usr/bin/bash
- mkdir -p /usr/share/containers/oci/hooks.d
-
- - |
- #!/usr/bin/env bash
- set -xeuo pipefail
- # crio should stop hardcoding things in their config file!
- # We are apparently somehow pulling in a conmon override in RHCOS
- # that contains /usr/libexec/crio/conmon - WHY?
- # sed -i '/conmon.*=/d' /etc/crio/crio.conf
- # Oh right but the MCO overrides that too so...
- mkdir -p /usr/libexec/crio
- ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
-
- # Inject OpenShift-specific release fields
- - |
- #!/usr/bin/env bash
- set -xeuo pipefail
- cat >> /usr/lib/os-release < /etc/motd < /usr/lib/tmpfiles.d/openshift.conf << EOF
- L /opt/cni - - - - ../../usr/lib/opt/cni
- d /var/lib/cni 0755 root root - -
- d /var/lib/cni/bin 0755 root root - -
- d /var/lib/containers 0755 root root - -
- d /var/lib/openvswitch 0755 root root - -
- d /var/lib/openvswitch/pki 0755 root root - -
- d /var/log/openvswitch 0750 openvswitch hugetlbfs - -
- d /var/lib/unbound 0755 unbound unbound - -
- EOF
- fi