Feature: new steps to create buildkite plugin and add a missing step in existing doc

content/chainguard/administration/assumable-ids/identity-examples/buildkite-identity.md

@@ -97,7 +97,7 @@ resource "chainguard_identity" "buildkite" {
 
   claim_match {
     issuer 		 = "https://agent.buildkite.com"
-    subject_pattern = "organization:<organization-name>:pipeline:<pipeline-name>:ref:refs/heads/main:commit:[0-9a-f]+:step:"
+    subject_pattern = "organization:<organization-name>:pipeline:<pipeline-name>:ref:refs/heads/main:commit:[0-9a-f]+:step:.*"
   }
 }
 ```
@@ -211,13 +211,15 @@ From there, click the **Edit Steps** button to add the following commands to a s
 
 ```
 - command: |
-	curl -o chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m)"
-	chmod +x chainctl
-  token=$(buildkite-agent oidc request-token --audience issuer.enforce.dev)
-	./chainctl auth login --identity-token $token --identity <your buildkite identity>
-  ./chainctl auth configure-docker --identity-token $token --identity <your buildkite identity>
-  ./chainctl images repos list
-  docker pull cgr.dev/<organization>/<repo>:<tag>
+    curl -o chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m)"
+    chmod +x chainctl
+    mv chainctl /usr/bin
+    buildkite-agent oidc request-token --audience issuer.enforce.dev >.token.txt
+    chainctl auth login --identity-token $(cat .token.txt) --identity <your buildkite identity>
+    chainctl auth configure-docker --identity-token $(cat .token.txt) --identity <your buildkite identity>
+    rm .token.txt
+    chainctl images repos list
+    docker pull cgr.dev/<organization>/<repo>:<tag>
 ```
 
 These commands will cause your Buildkite pipeline to download `chainctl` and make it executable. It will then sign in to Chainguard using the Buildkite identity you generated previously. If this workflow can successfully assume the identity, then it will be able to execute the `chainctl images repos list` command and retrieve the list of repos available to the organization.
@@ -237,18 +239,67 @@ You could add the commands for testing the identity like this.
 ```
 steps:
   - label: "Buildkite test"
-	command: |
-	  buildkite-agent pipeline upload
-    curl -o chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m)"
-	  chmod +x chainctl
-    token=$(buildkite-agent oidc request-token --audience issuer.enforce.dev)
-	  ./chainctl auth login --identity-token $token --identity <your buildkite identity>
-    ./chainctl auth configure-docker --identity-token $token --identity <your buildkite identity>
-    chainctl images repos list
+    command: |
+      buildkite-agent pipeline upload
+      curl -o chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m)"
+      chmod +x chainctl
+      mv chainctl /usr/bin
+      token=$(buildkite-agent oidc request-token --audience issuer.enforce.dev)
+      chainctl auth login --identity-token $token --identity <your buildkite identity>
+      chainctl auth configure-docker --identity-token $token --identity <your buildkite identity>
+      chainctl images repos list
 ```
 
 Click the **Save and Build** button. Ensure that your Buildkite agent is running, and then wait a few moments for the pipeline to finish building.
 
+Alternatively, you can also create a buildkite plugin, like an example below. This plugin is residing in the same code repository where the pipeline is running.
+
+```
+]$ ls -lrt .buildkite/plugins/cgrauth/
+total 8
+-rw-r--r--  1              staff  226  6 Nov 13:04 plugin.yml
+drwxr-xr-x  3              staff   96  6 Nov 14:45 hooks
+]$ ls -lrt .buildkite/plugins/cgrauth/hooks/    
+total 8
+-rwxr-xr-x  1              staff  589  6 Nov 14:45 pre-command
+]$
+
+]$ cat .buildkite/plugins/cgrauth/plugin.yml 
+name: Auth
+description: Authenticate to pull images
+author: https://github.com/<gitid>
+requirements: [bash]
+configuration:
+  properties:
+    identity: { type: string }
+  required: [identity]
+  additionalProperties: false
+
+]$ cat .buildkite/plugins/cgrauth/hooks/pre-command 
+#!/usr/bin/env bash
+set -euo pipefail
+
+identity="${BUILDKITE_PLUGIN_CGRAUTH_IDENTITY:?missing identity}"
+curl -o chainctl https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr "[:upper:]" "[:lower:]")_$(uname -m)
+chmod +x chainctl
+mv chainctl /usr/bin
+token=$(buildkite-agent oidc request-token --audience issuer.enforce.dev)
+chainctl auth login --identity-token $token --identity $identity
+chainctl auth configure-docker --identity-token $token --identity $identity
+```
+
+And, use the plugin like below
+
+```
+steps:
+  - label: "Buildkite test"
+    plugins:
+      - "./.buildkite/plugins/cgrauth":
+          identity: "<your buildkite identity>"
+    command:
+      - 'chainctl images repos list'
+```
+
 Assuming everything works as expected, your pipeline will be able to assume the identity and run the `chainctl images repos list` command, returning the images available to the organization. Then it will pull an image from the organization's repository.
 
 ```