diff --git a/.gitignore b/.gitignore
index 9caf0d7..5e7e40a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/osbuild-composer-132.2.tar.gz
+SOURCES/osbuild-composer-149.tar.gz
diff --git a/.osbuild-composer.metadata b/.osbuild-composer.metadata
index c458fe8..0f2e907 100644
--- a/.osbuild-composer.metadata
+++ b/.osbuild-composer.metadata
@@ -1 +1 @@
-7d3fc3e6143f79531868e9d96f27b4afbd61950b SOURCES/osbuild-composer-132.2.tar.gz
+ea59dc56a63899e6efb74dbc8b82ffa25012fbe3 SOURCES/osbuild-composer-149.tar.gz
diff --git a/SOURCES/fix-unclosed-logrus-logging-pipes.patch b/SOURCES/fix-unclosed-logrus-logging-pipes.patch
deleted file mode 100644
index 99ad8fb..0000000
--- a/SOURCES/fix-unclosed-logrus-logging-pipes.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0f97a1c1668827086dfa335c9fb427cbb28782b2 Mon Sep 17 00:00:00 2001
-From: Lukas Zapletal <lzap+git@redhat.com>
-Date: Thu, 11 Sep 2025 08:03:21 +0200
-Subject: [PATCH] common: fix unclosed logrus logging pipes
-
-This is a backport of 1cde7e3. The original patch was not separated into
-individual commits unfortunately, there fore only the relevant line is
-being brought in. The original analysis:
-
-It looks like both CloudAPI and WeldrAPI consume memory, process can go
-up to several gigabytes pretty quickly just by running a simple script.
-
-while sleep 0.001; do
-    curl --unix-socket /run/weldr/api.socket -XGET http://localhost/api/
-    curl --unix-socket /run/cloudapi/api.socket -XGET http://localhost/api/
-done
-
-There is a logrus logger method called Write and WriteLevel which create
-a new logging entry, create a PIPE and spawn a goroutine that is reading
-from that PIPE. The caller is expected to close the PIPE writer which
-was not done.
----
- internal/common/echo_logrus.go | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/internal/common/echo_logrus.go b/internal/common/echo_logrus.go
-index 198ce17310..600cce2d74 100644
---- a/internal/common/echo_logrus.go
-+++ b/internal/common/echo_logrus.go
-@@ -178,5 +178,9 @@ func (l *EchoLogrusLogger) Panicj(j lslog.JSON) {
- }
-
- func (l *EchoLogrusLogger) Write(p []byte) (n int, err error) {
--	return l.Logger.WithContext(l.Ctx).Writer().Write(p)
-+	// Writer() from logrus returns PIPE that needs to be closed
-+	w := l.Logger.WithContext(l.Ctx).Writer()
-+	defer w.Close()
-+
-+	return w.Write(p)
- }
diff --git a/SOURCES/json-tailoring-conversion.patch b/SOURCES/json-tailoring-conversion.patch
deleted file mode 100644
index e812adc..0000000
--- a/SOURCES/json-tailoring-conversion.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 62822b56ae637ce512be4ace2ee062cabddcfa09 Mon Sep 17 00:00:00 2001
-From: Gianluca Zuccarelli <gianlucazuccarelli@gmail.com>
-Date: Mon, 8 Sep 2025 14:11:50 +0100
-Subject: [PATCH] internal/blueprint: add JSON tailoring to bp conversion
-
-The blueprint convert function was missing the json tailoring case. This meant that
-if the json tailoring customization was provided in the blueprint, the customization
-would get ignored and the tailoring profile would not be applied to the image.
----
- internal/blueprint/blueprint.go              | 4 ++++
- internal/blueprint/blueprint_convert_test.go | 8 ++++++++
- 2 files changed, 12 insertions(+)
-
-diff --git a/internal/blueprint/blueprint.go b/internal/blueprint/blueprint.go
-index 63f8aa5b71..c01a2c6a48 100644
---- a/internal/blueprint/blueprint.go
-+++ b/internal/blueprint/blueprint.go
-@@ -253,6 +253,10 @@ func Convert(bp Blueprint) iblueprint.Blueprint {
- 				itailoring := iblueprint.OpenSCAPTailoringCustomizations(*tailoring)
- 				ioscap.Tailoring = &itailoring
- 			}
-+			if jsonTailoring := oscap.JSONTailoring; jsonTailoring != nil {
-+				ijsonTailoring := iblueprint.OpenSCAPJSONTailoringCustomizations(*jsonTailoring)
-+				ioscap.JSONTailoring = &ijsonTailoring
-+			}
- 			customizations.OpenSCAP = &ioscap
- 		}
- 		if ign := c.Ignition; ign != nil {
-diff --git a/internal/blueprint/blueprint_convert_test.go b/internal/blueprint/blueprint_convert_test.go
-index 520e18271d..2c652f0658 100644
---- a/internal/blueprint/blueprint_convert_test.go
-+++ b/internal/blueprint/blueprint_convert_test.go
-@@ -233,6 +233,10 @@ func TestConvert(t *testing.T) {
- 							Selected:   []string{"cloth"},
- 							Unselected: []string{"leather"},
- 						},
-+						JSONTailoring: &OpenSCAPJSONTailoringCustomizations{
-+							ProfileID: "tailored_profile",
-+							Filepath:  "path-to-json-file",
-+						},
- 					},
- 					Ignition: &IgnitionCustomization{
- 						Embedded: &EmbeddedIgnitionCustomization{
-@@ -532,6 +536,10 @@ func TestConvert(t *testing.T) {
- 							Selected:   []string{"cloth"},
- 							Unselected: []string{"leather"},
- 						},
-+						JSONTailoring: &iblueprint.OpenSCAPJSONTailoringCustomizations{
-+							ProfileID: "tailored_profile",
-+							Filepath:  "path-to-json-file",
-+						},
- 					},
- 					Ignition: &iblueprint.IgnitionCustomization{
- 						Embedded: &iblueprint.EmbeddedIgnitionCustomization{
diff --git a/SOURCES/update-go-jose-dependency.patch b/SOURCES/update-go-jose-dependency.patch
deleted file mode 100644
index 83d69fa..0000000
--- a/SOURCES/update-go-jose-dependency.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 8e6381e3cfdebe5107949173a0994e7b8557a718 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <ondrej@budai.cz>
-Date: Tue, 26 Aug 2025 13:41:10 +0200
-Subject: [PATCH 1/2] go.mod: update go-jose v4.0.5 to fix CVE-2025-27144
-
----
- go.mod                                               |  2 +-
- go.sum                                               |  4 ++--
- vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md |  6 ------
- vendor/github.com/go-jose/go-jose/v4/README.md       | 10 +---------
- vendor/github.com/go-jose/go-jose/v4/jwe.go          |  5 +++--
- vendor/github.com/go-jose/go-jose/v4/jwk.go          |  4 ++--
- vendor/github.com/go-jose/go-jose/v4/jws.go          |  5 +++--
- vendor/modules.txt                                   |  2 +-
- 8 files changed, 13 insertions(+), 25 deletions(-)
-
-diff --git a/go.mod b/go.mod
-index 43cd13d2ae..b26e5dcbd4 100644
---- a/go.mod
-+++ b/go.mod
-@@ -133,7 +133,7 @@ require (
- 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
- 	github.com/felixge/httpsnoop v1.0.4 // indirect
- 	github.com/ghodss/yaml v1.0.0 // indirect
--	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
-+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
- 	github.com/go-logr/logr v1.4.2 // indirect
- 	github.com/go-logr/stdr v1.2.2 // indirect
- 	github.com/go-openapi/analysis v0.23.0 // indirect
-diff --git a/go.sum b/go.sum
-index 16526b8d12..0445be92d9 100644
---- a/go.sum
-+++ b/go.sum
-@@ -252,8 +252,8 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
- github.com/go-chi/chi/v5 v5.0.0/go.mod h1:BBug9lr0cqtdAhsu6R4AAdvufI0/XBzAQSsUqJpoZOs=
- github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
- github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
--github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
--github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
- github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
- github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
- github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-diff --git a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
-index b63e1f8fee..4b4805add6 100644
---- a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
-+++ b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
-@@ -7,9 +7,3 @@ When submitting code, please make every effort to follow existing conventions
- and style in order to keep the code as readable as possible. Please also make
- sure all tests pass by running `go test`, and format your code with `go fmt`.
- We also recommend using `golint` and `errcheck`.
--
--Before your code can be accepted into the project you must also sign the
--Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
--will be prompted to sign once a pull request is opened.
--
--[1]: https://cla-assistant.io/
-diff --git a/vendor/github.com/go-jose/go-jose/v4/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
-index 79a7c5ecc8..02b5749546 100644
---- a/vendor/github.com/go-jose/go-jose/v4/README.md
-+++ b/vendor/github.com/go-jose/go-jose/v4/README.md
-@@ -9,14 +9,6 @@ Package jose aims to provide an implementation of the Javascript Object Signing
- and Encryption set of standards. This includes support for JSON Web Encryption,
- JSON Web Signature, and JSON Web Token standards.
-
--**Disclaimer**: This library contains encryption software that is subject to
--the U.S. Export Administration Regulations. You may not export, re-export,
--transfer or download this code or any part of it in violation of any United
--States law, directive or regulation. In particular this software may not be
--exported or re-exported in any form or on any media to Iran, North Sudan,
--Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
--US maintained blocked list.
--
- ## Overview
-
- The implementation follows the
-@@ -109,6 +101,6 @@ allows attaching a key id.
-
- Examples can be found in the Godoc
- reference for this package. The
--[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
-+[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)
- subdirectory also contains a small command-line utility which might be useful
- as an example as well.
-diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
-index 89f03ee3e1..9f1322dccc 100644
---- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
-+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
-@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
- 	keyAlgorithms []KeyAlgorithm,
- 	contentEncryption []ContentEncryption,
- ) (*JSONWebEncryption, error) {
--	parts := strings.Split(input, ".")
--	if len(parts) != 5 {
-+	// Five parts is four separators
-+	if strings.Count(input, ".") != 4 {
- 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
- 	}
-+	parts := strings.SplitN(input, ".", 5)
-
- 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
- 	if err != nil {
-diff --git a/vendor/github.com/go-jose/go-jose/v4/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
-index 8a52842106..9e57e93ba2 100644
---- a/vendor/github.com/go-jose/go-jose/v4/jwk.go
-+++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
-@@ -239,10 +239,10 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
- 				keyPub = key
- 			}
- 		} else {
--			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
-+			return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
- 		}
- 	default:
--		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
-+		return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
- 	}
-
- 	if err != nil {
-diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
-index 3a912301af..d09d8ba507 100644
---- a/vendor/github.com/go-jose/go-jose/v4/jws.go
-+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
-@@ -327,10 +327,11 @@ func parseSignedCompact(
- 	payload []byte,
- 	signatureAlgorithms []SignatureAlgorithm,
- ) (*JSONWebSignature, error) {
--	parts := strings.Split(input, ".")
--	if len(parts) != 3 {
-+	// Three parts is two separators
-+	if strings.Count(input, ".") != 2 {
- 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
- 	}
-+	parts := strings.SplitN(input, ".", 3)
-
- 	if parts[1] != "" && payload != nil {
- 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 06781a551d..0b64b482ea 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -690,7 +690,7 @@ github.com/getsentry/sentry-go/logrus
- # github.com/ghodss/yaml v1.0.0
- ## explicit
- github.com/ghodss/yaml
--# github.com/go-jose/go-jose/v4 v4.0.4
-+# github.com/go-jose/go-jose/v4 v4.0.5
- ## explicit; go 1.21
- github.com/go-jose/go-jose/v4
- github.com/go-jose/go-jose/v4/cipher
-
-From 8b1ed9f96f7434ead5683015b0ad78014be76ba2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <ondrej@budai.cz>
-Date: Tue, 26 Aug 2025 13:46:51 +0200
-Subject: [PATCH 2/2] github: ignore unused functions in shellcheck
-
-Seems to be a false positive (shellcheck doesn't understand traps).
----
- .github/workflows/tests.yml | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
-index 54185df0c0..e11d7a39fb 100644
---- a/.github/workflows/tests.yml
-+++ b/.github/workflows/tests.yml
-@@ -212,9 +212,9 @@ jobs:
-       with:
-         ignore: vendor # We don't want to fix the code in vendored dependencies
-       env:
--        # don't check /etc/os-release sourcing, allow useless cats to live inside our codebase, and
--        # allow seemingly unreachable commands
--        SHELLCHECK_OPTS: -e SC1091 -e SC2002 -e SC2317
-+        # don't check /etc/os-release sourcing, allow useless cats to live inside our codebase,
-+        # allow seemingly unreachable commands, and allow unused functions
-+        SHELLCHECK_OPTS: -e SC1091 -e SC2002 -e SC2317 -e SC2329
-
-     - name: Do not doube trap signals inside test scripts
-       run: |
diff --git a/SPECS/osbuild-composer.spec b/SPECS/osbuild-composer.spec
index 15f3d44..98b8267 100644
--- a/SPECS/osbuild-composer.spec
+++ b/SPECS/osbuild-composer.spec
@@ -8,11 +8,11 @@
 %bcond_with relax_requires
 
 # The minimum required osbuild version
-%global min_osbuild_version 139
+%global min_osbuild_version 157
 
 %global goipath         github.com/osbuild/osbuild-composer
 
-Version:        132.2
+Version:        149
 
 %gometa
 
@@ -25,7 +25,7 @@ It is compatible with composer-cli and cockpit-composer clients.
 }
 
 Name:           osbuild-composer
-Release:        3%{?dist}
+Release:        1%{?dist}
 Summary:        An image building service based on osbuild
 
 # osbuild-composer doesn't have support for building i686 and armv7hl images
@@ -36,14 +36,6 @@ License:        Apache-2.0
 URL:            %{gourl}
 Source0:        %{gosource}
 
-# https://github.com/osbuild/osbuild-composer/pull/4856
-Patch0: json-tailoring-conversion.patch
-
-# https://github.com/osbuild/osbuild-composer/pull/4860
-Patch1: fix-unclosed-logrus-logging-pipes.patch
-
-# https://github.com/osbuild/osbuild-composer/pull/4842
-Patch2: update-go-jose-dependency.patch
 
 BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 BuildRequires:  systemd
@@ -114,8 +106,6 @@ export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/comm
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker-executor %{goipath}/cmd/osbuild-worker-executor
-%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-manager %{goipath}/cmd/osbuild-jobsite-manager
-%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-builder %{goipath}/cmd/osbuild-jobsite-builder
 
 make man
 
@@ -124,13 +114,6 @@ make man
 # Build test binaries with `go test -c`, so that they can take advantage of
 # golang's testing package. The golang rpm macros don't support building them
 # directly. Thus, do it manually, taking care to also include a build id.
-#
-# On Fedora, also turn off go modules and set the path to the one into which
-# the golang-* packages install source code.
-%if 0%{?fedora}
-export GO111MODULE=off
-export GOPATH=%{gobuilddir}:%{gopath}
-%endif
 
 TEST_LDFLAGS="${LDFLAGS:-} -B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')"
 
@@ -141,7 +124,6 @@ GOTAGS="${GOTAGS:+$GOTAGS,}rhel%{rhel}"
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-cli-tests %{goipath}/cmd/osbuild-composer-cli-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-dnf-json-tests %{goipath}/cmd/osbuild-dnf-json-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-weldr-tests %{goipath}/internal/client/
-go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-image-tests %{goipath}/cmd/osbuild-image-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-auth-tests %{goipath}/cmd/osbuild-auth-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-koji-tests %{goipath}/cmd/osbuild-koji-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-dbjobqueue-tests %{goipath}/cmd/osbuild-composer-dbjobqueue-tests
@@ -155,8 +137,6 @@ install -m 0755 -vd                                                %{buildroot}%
 install -m 0755 -vp _bin/osbuild-composer                          %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-worker                            %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-worker-executor                   %{buildroot}%{_libexecdir}/osbuild-composer/
-install -m 0755 -vp _bin/osbuild-jobsite-manager                   %{buildroot}%{_libexecdir}/osbuild-composer/
-install -m 0755 -vp _bin/osbuild-jobsite-builder                   %{buildroot}%{_libexecdir}/osbuild-composer/
 
 # Only include repositories for the distribution and release
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/osbuild-composer/repositories
@@ -166,12 +146,13 @@ install -m 0755 -vd                                                %{buildroot}%
 
 # Latest CentOS supports building all CentOS versions
 %if 0%{?centos} >= 10
-install -m 0644 -vp repositories/centos-*                          %{buildroot}%{_datadir}/osbuild-composer/repositories/
+install -m 0644 -vp vendor/github.com/osbuild/images/data/repositories/centos-*                          %{buildroot}%{_datadir}/osbuild-composer/repositories/
 
 %else
 # All other CentOS versions support building for the same version
-install -m 0644 -vp repositories/centos-%{centos}*                 %{buildroot}%{_datadir}/osbuild-composer/repositories/
-install -m 0644 -vp repositories/centos-stream-%{centos}*          %{buildroot}%{_datadir}/osbuild-composer/repositories/
+install -m 0644 -vp vendor/github.com/osbuild/images/data/repositories/centos-%{centos}*                 %{buildroot}%{_datadir}/osbuild-composer/repositories/
+# centos-stream-* are symlinks
+cp -a repositories/centos-stream-%{centos}*          %{buildroot}%{_datadir}/osbuild-composer/repositories/
 %endif
 
 %else
@@ -179,7 +160,7 @@ install -m 0644 -vp repositories/centos-stream-%{centos}*          %{buildroot}%
 %if 0%{?rhel}
 # RHEL 10 supports building all RHEL versions
 %if 0%{?rhel} >= 10
-for REPO_FILE in $(ls repositories/rhel-* | grep -v 'no-aux-key'); do
+for REPO_FILE in $(ls vendor/github.com/osbuild/images/data/repositories/rhel-* ); do
     install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE})
 done
 
@@ -190,13 +171,13 @@ done
 
 %else
 # All other RHEL versions support building for the same version
-for REPO_FILE in $(ls repositories/rhel-%{rhel}* | grep -v 'no-aux-key'); do
+for REPO_FILE in $(ls vendor/github.com/osbuild/images/data/repositories/rhel-%{rhel}* ); do
     install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE})
 done
 
 # RHEL 9 supports building also for RHEL 8
 %if 0%{?rhel} == 9
-for REPO_FILE in $(ls repositories/rhel-8* | grep -v 'no-aux-key'); do
+for REPO_FILE in $(ls vendor/github.com/osbuild/images/data/repositories/rhel-8* ); do
     install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE})
 done
 %endif
@@ -207,7 +188,7 @@ done
 
 # Fedora can build for all included fedora releases
 %if 0%{?fedora}
-install -m 0644 -vp repositories/fedora-*                          %{buildroot}%{_datadir}/osbuild-composer/repositories/
+install -m 0644 -vp vendor/github.com/osbuild/images/data/repositories/fedora-*                          %{buildroot}%{_datadir}/osbuild-composer/repositories/
 %endif
 
 install -m 0755 -vd                                                %{buildroot}%{_unitdir}
@@ -227,7 +208,6 @@ install -m 0755 -vd                                                %{buildroot}%
 install -m 0755 -vp _bin/osbuild-composer-cli-tests                %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-weldr-tests                       %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-dnf-json-tests                    %{buildroot}%{_libexecdir}/osbuild-composer-test/
-install -m 0755 -vp _bin/osbuild-image-tests                       %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-auth-tests                        %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-koji-tests                        %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp _bin/osbuild-composer-dbjobqueue-tests         %{buildroot}%{_libexecdir}/osbuild-composer-test/
@@ -260,9 +240,6 @@ install -m 0644 -vp test/data/ansible/*                            %{buildroot}%
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/tests/osbuild-composer/azure
 install -m 0644 -vp test/data/azure/*                              %{buildroot}%{_datadir}/tests/osbuild-composer/azure/
 
-install -m 0755 -vd                                                %{buildroot}%{_datadir}/tests/osbuild-composer/manifests
-install -m 0644 -vp test/data/manifests/*                          %{buildroot}%{_datadir}/tests/osbuild-composer/manifests/
-
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/tests/osbuild-composer/cloud-init
 install -m 0644 -vp test/data/cloud-init/*                         %{buildroot}%{_datadir}/tests/osbuild-composer/cloud-init/
 
@@ -299,14 +276,12 @@ install -m 0644 -vp test/data/rhel-upgrade/*                       %{buildroot}%
 %check
 export GOFLAGS="-buildmode=pie"
 %if 0%{?rhel}
-export GOFLAGS+=" -mod=vendor -tags=exclude_graphdriver_btrfs"
+export GOFLAGS+=" -tags=exclude_graphdriver_btrfs"
+%endif
+
 export GOPATH=$PWD/_build:%{gopath}
 # cd inside GOPATH, otherwise go with GO111MODULE=off ignores vendor directory
 cd $PWD/_build/src/%{goipath}
-%gotest ./...
-%else
-%gocheck
-%endif
 
 %post
 %systemd_post osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
@@ -363,8 +338,6 @@ The worker for osbuild-composer
 %files worker
 %{_libexecdir}/osbuild-composer/osbuild-worker
 %{_libexecdir}/osbuild-composer/osbuild-worker-executor
-%{_libexecdir}/osbuild-composer/osbuild-jobsite-manager
-%{_libexecdir}/osbuild-composer/osbuild-jobsite-builder
 %{_unitdir}/osbuild-worker@.service
 %{_unitdir}/osbuild-remote-worker@.service
 
@@ -461,22 +434,44 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 %endif
 
 %changelog
-* Wed Oct 15 2025 Gianluca Zuccarelli <gzuccare@redhat.com> - 132.2-3
-- Fix json tailoring blueprint conversion
-  Resolves: RHEL-111314
-- Fix unclosed logrus logging pipes
-  Resolves: RHEL-102832
-- Update go-jose dependency
-  Resolves: RHEL-82968 (CVE-2025-27144)
+* Thu Aug 21 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 149-1
+- New upstream release
 
-* Tue Jun 24 2025 Ondřej Budai <obudai@redhat.com> - 132.2-2
-- Resolves: RHEL-89319 (CVE-2025-22871)
+* Wed Aug 06 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 147-1
+- New upstream release
 
-* Tue Apr 22 2025 Tomáš Hozza <thozza@redhat.com> = 132.2-1
-- Resolve RHEL-84642
+* Wed Jul 23 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 146-1
+- New upstream release
 
-* Thu Apr 03 2025 Tomáš Hozza <thozza@redhat.com> = 132.1-1
-- Resolve RHEL-83781
+* Sat Jul 12 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 145-1
+- New upstream release
+
+* Wed Jun 25 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 144-1
+- New upstream release
+
+* Wed Jun 11 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 143-1
+- New upstream release
+
+* Thu Jun 05 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 142-1
+- New upstream release
+
+* Mon May 19 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 141-1
+- New upstream release
+
+* Wed Apr 23 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 139-1
+- New upstream release
+
+* Wed Apr 16 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 138-1
+- New upstream release
+
+* Thu Apr 03 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 137-1
+- New upstream release
+
+* Mon Mar 31 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 136-1
+- New upstream release
+
+* Wed Mar 05 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 135-1
+- New upstream release
 
 * Thu Feb 13 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 132-1
 - New upstream release